Enforce permitted_packages for Q+ and R+ modules
Q+ and R+ mainline modules may only add code in a restricted set of Java package prefixes, which may never be changed. If a mainline module owns the Java package prefix "foo.bar", it may have classes in "foo.bar", "foo.bar.baz", "foo.bar.baz.bat" etc. Test: m Bug: 156725734 Change-Id: I30bf510ed473309871469bf439d7c81575450931
67
apex/apex.go
67
apex/apex.go
@@ -688,6 +688,55 @@ func makeApexAvailableBaseline() map[string][]string {
|
||||
return m
|
||||
}
|
||||
|
||||
// DO NOT EDIT! These are the package prefixes that are exempted from being AOT'ed by ART.
|
||||
// Adding code to the bootclasspath in new packages will cause issues on module update.
|
||||
func qModulesPackages() map[string][]string {
|
||||
return map[string][]string{
|
||||
"com.android.conscrypt": []string{
|
||||
"android.net.ssl",
|
||||
"com.android.org.conscrypt",
|
||||
},
|
||||
"com.android.media": []string{
|
||||
"android.media",
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// DO NOT EDIT! These are the package prefixes that are exempted from being AOT'ed by ART.
|
||||
// Adding code to the bootclasspath in new packages will cause issues on module update.
|
||||
func rModulesPackages() map[string][]string {
|
||||
return map[string][]string{
|
||||
"com.android.mediaprovider": []string{
|
||||
"android.provider",
|
||||
},
|
||||
"com.android.permission": []string{
|
||||
"android.permission",
|
||||
"android.app.role",
|
||||
"com.android.permission",
|
||||
"com.android.role",
|
||||
},
|
||||
"com.android.sdkext": []string{
|
||||
"android.os.ext",
|
||||
},
|
||||
"com.android.os.statsd": []string{
|
||||
"android.app",
|
||||
"android.os",
|
||||
"android.util",
|
||||
"com.android.internal.statsd",
|
||||
"com.android.server.stats",
|
||||
},
|
||||
"com.android.wifi": []string{
|
||||
"com.android.server.wifi",
|
||||
"com.android.wifi.x",
|
||||
"android.hardware.wifi",
|
||||
"android.net.wifi",
|
||||
},
|
||||
"com.android.tethering": []string{
|
||||
"android.net",
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func init() {
|
||||
android.RegisterModuleType("apex", BundleFactory)
|
||||
android.RegisterModuleType("apex_test", testApexBundleFactory)
|
||||
@@ -705,6 +754,24 @@ func init() {
|
||||
sort.Strings(*apexFileContextsInfos)
|
||||
ctx.Strict("APEX_FILE_CONTEXTS_INFOS", strings.Join(*apexFileContextsInfos, " "))
|
||||
})
|
||||
|
||||
android.AddNeverAllowRules(createApexPermittedPackagesRules(qModulesPackages())...)
|
||||
android.AddNeverAllowRules(createApexPermittedPackagesRules(rModulesPackages())...)
|
||||
}
|
||||
|
||||
func createApexPermittedPackagesRules(modules_packages map[string][]string) []android.Rule {
|
||||
rules := make([]android.Rule, 0, len(modules_packages))
|
||||
for module_name, module_packages := range modules_packages {
|
||||
permitted_packages_rule := android.NeverAllow().
|
||||
BootclasspathJar().
|
||||
With("apex_available", module_name).
|
||||
WithMatcher("permitted_packages", android.NotInList(module_packages)).
|
||||
Because("jars that are part of the " + module_name +
|
||||
" module may only allow these packages: " + strings.Join(module_packages, ",") +
|
||||
". Please jarjar or move code around.")
|
||||
rules = append(rules, permitted_packages_rule)
|
||||
}
|
||||
return rules
|
||||
}
|
||||
|
||||
func RegisterPreDepsMutators(ctx android.RegisterMutatorsContext) {
|
||||
|
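Review bot: `createApexPermittedPackagesRules` in the second hunk matches only on what a jar declares in `permitted_packages`, so these lines do not show whether a bootclasspath jar in one of the listed modules that omits the property is rejected or passes. That depends on how `android.NotInList` treats an empty property, which is not visible here; a test with such a jar would pin the intended behaviour, along with a doc comment such as `// createApexPermittedPackagesRules returns one neverallow rule per module: a bootclasspath jar with that apex_available must not declare permitted_packages outside the module's list.` The comment on `qModulesPackages` and `rModulesPackages` in the first hunk talks about AOT exemption rather than what the map holds (module name to permitted package prefixes). If the check follows the prefix semantics from the commit message, `android.net`, `android.os` and `android.app` also cover `android.net.wifi`, `android.os.ext` and `android.app.role`, which other modules in the same table own, so the lists do not keep modules out of each other's packages. The rules are appended while ranging over a map, so their order differs between runs; iterating over sorted module names would keep it stable, and the locals would conventionally be `modulesPackages` and `moduleName` in Go.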