Merge "Enable CFI by default but restrict CFI_INCLUDE_PATHS" into pi-dev

core/config_sanitizers.mk

@@ -96,15 +96,17 @@ ifeq ($(LOCAL_SANITIZE),never)
   my_sanitize_diag :=
 endif
 
-# Enable CFI in included paths.
+# Enable CFI in included paths (for Arm64 only).
 ifeq ($(filter cfi, $(my_sanitize)),)
-  combined_include_paths := $(CFI_INCLUDE_PATHS) \
-                            $(PRODUCT_CFI_INCLUDE_PATHS)
+  ifneq ($(filter arm64,$(TARGET_$(LOCAL_2ND_ARCH_VAR_PREFIX)ARCH)),)
+    combined_include_paths := $(CFI_INCLUDE_PATHS) \
+                              $(PRODUCT_CFI_INCLUDE_PATHS)
 
-  ifneq ($(strip $(foreach dir,$(subst $(comma),$(space),$(combined_include_paths)),\
-         $(filter $(dir)%,$(LOCAL_PATH)))),)
-    my_sanitize := cfi $(my_sanitize)
-    my_sanitize_diag := cfi $(my_sanitize_diag)
+    ifneq ($(strip $(foreach dir,$(subst $(comma),$(space),$(combined_include_paths)),\
+           $(filter $(dir)%,$(LOCAL_PATH)))),)
+      my_sanitize := cfi $(my_sanitize)
+      my_sanitize_diag := cfi $(my_sanitize_diag)
+    endif
   endif
 endif
 

target/product/core_64_bit.mk

@@ -31,3 +31,7 @@ PRODUCT_DEFAULT_PROPERTY_OVERRIDES += ro.zygote=zygote64_32
 
 TARGET_SUPPORTS_32_BIT_APPS := true
 TARGET_SUPPORTS_64_BIT_APPS := true
+
+# Enable CFI for security-sensitive components
+$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk)
+$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk)

target/product/core_64_bit_only.mk

@@ -28,3 +28,7 @@ PRODUCT_DEFAULT_PROPERTY_OVERRIDES += ro.zygote=zygote64
 
 TARGET_SUPPORTS_32_BIT_APPS := false
 TARGET_SUPPORTS_64_BIT_APPS := true
+
+# Enable CFI for security-sensitive components
+$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk)
+$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk)