StrixOS/build_soong
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge changes Icb91de93,I5a2edaf4 am: 2430a04b2e am: 7638a61b2b

Browse Source 
Original change: https://android-review.googlesource.com/c/platform/build/soong/+/2054866

Change-Id: Icce58ef19cbb2960ec5769840a39ed5e937e831e
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Spandan Das
2022-04-05 04:58:58 +00:00
committed by Automerger Merge Worker
parent 1589993663 7638a61b2b
commit 58d90a42cb
3 changed files with 74 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
android/neverallow.go
View File

@@ -261,10 +261,6 @@ func neverallowMutator(ctx BottomUpMutatorContext) {
continue continue
} }
if !n.appliesToBootclasspathJar(ctx) {
continue
}
ctx.ModuleErrorf("violates " + n.String()) ctx.ModuleErrorf("violates " + n.String())
} }
} }
@@ -380,8 +376,6 @@ type Rule interface {
NotModuleType(types ...string) Rule NotModuleType(types ...string) Rule
BootclasspathJar() Rule
With(properties, value string) Rule With(properties, value string) Rule
WithMatcher(properties string, matcher ValueMatcher) Rule WithMatcher(properties string, matcher ValueMatcher) Rule
@@ -497,12 +491,6 @@ func (r *rule) Because(reason string) Rule {
return r return r
} }
// BootclasspathJar whether this rule only applies to Jars in the Bootclasspath
func (r *rule) BootclasspathJar() Rule {
r.onlyBootclasspathJar = true
return r
}
func (r *rule) String() string { func (r *rule) String() string {
s := []string{"neverallow requirements. Not allowed:"} s := []string{"neverallow requirements. Not allowed:"}
if len(r.paths) > 0 { if len(r.paths) > 0 {
@@ -520,9 +508,6 @@ func (r *rule) String() string {
if len(r.osClasses) > 0 { if len(r.osClasses) > 0 {
s = append(s, fmt.Sprintf("os class(es): %q", r.osClasses)) s = append(s, fmt.Sprintf("os class(es): %q", r.osClasses))
} }
if r.onlyBootclasspathJar {
s = append(s, "in bootclasspath jar")
}
if len(r.unlessPaths) > 0 { if len(r.unlessPaths) > 0 {
s = append(s, fmt.Sprintf("EXCEPT in dirs: %q", r.unlessPaths)) s = append(s, fmt.Sprintf("EXCEPT in dirs: %q", r.unlessPaths))
} }
@@ -563,14 +548,6 @@ func (r *rule) appliesToDirectDeps(ctx BottomUpMutatorContext) bool {
return matches return matches
} }
func (r *rule) appliesToBootclasspathJar(ctx BottomUpMutatorContext) bool {
if !r.onlyBootclasspathJar {
return true
}
return InList(ctx.ModuleName(), ctx.Config().BootJars())
}
func (r *rule) appliesToOsClass(osClass OsClass) bool { func (r *rule) appliesToOsClass(osClass OsClass) bool {
if len(r.osClasses) == 0 { if len(r.osClasses) == 0 {
return true return true

40
apex/apex.go
View File

@@ -3278,19 +3278,18 @@ func makeApexAvailableBaseline() map[string][]string {
} }
func init() { func init() {
android.AddNeverAllowRules(createApexPermittedPackagesRules(qModulesPackages())...) android.AddNeverAllowRules(createBcpPermittedPackagesRules(qBcpPackages())...)
android.AddNeverAllowRules(createApexPermittedPackagesRules(rModulesPackages())...) android.AddNeverAllowRules(createBcpPermittedPackagesRules(rBcpPackages())...)
} }
func createApexPermittedPackagesRules(modules_packages map[string][]string) []android.Rule { func createBcpPermittedPackagesRules(bcpPermittedPackages map[string][]string) []android.Rule {
rules := make([]android.Rule, 0, len(modules_packages)) rules := make([]android.Rule, 0, len(bcpPermittedPackages))
for module_name, module_packages := range modules_packages { for jar, permittedPackages := range bcpPermittedPackages {
permittedPackagesRule := android.NeverAllow(). permittedPackagesRule := android.NeverAllow().
BootclasspathJar(). With("name", jar).
With("apex_available", module_name). WithMatcher("permitted_packages", android.NotInList(permittedPackages)).
WithMatcher("permitted_packages", android.NotInList(module_packages)). Because(jar +
Because("jars that are part of the " + module_name + " bootjar may only use these package prefixes: " + strings.Join(permittedPackages, ",") +
" module may only use these package prefixes: " + strings.Join(module_packages, ",") +
". Please consider the following alternatives:\n" + ". Please consider the following alternatives:\n" +
" 1. If the offending code is from a statically linked library, consider " + " 1. If the offending code is from a statically linked library, consider " +
"removing that dependency and using an alternative already in the " + "removing that dependency and using an alternative already in the " +
@@ -3299,6 +3298,7 @@ func createApexPermittedPackagesRules(modules_packages map[string][]string) []an
" 3. Jarjar the offending code. Please be mindful of the potential system " + " 3. Jarjar the offending code. Please be mindful of the potential system " +
"health implications of bundling that code, particularly if the offending jar " + "health implications of bundling that code, particularly if the offending jar " +
"is part of the bootclasspath.") "is part of the bootclasspath.")
rules = append(rules, permittedPackagesRule) rules = append(rules, permittedPackagesRule)
} }
return rules return rules
@@ -3306,13 +3306,13 @@ func createApexPermittedPackagesRules(modules_packages map[string][]string) []an
// DO NOT EDIT! These are the package prefixes that are exempted from being AOT'ed by ART. // DO NOT EDIT! These are the package prefixes that are exempted from being AOT'ed by ART.
// Adding code to the bootclasspath in new packages will cause issues on module update. // Adding code to the bootclasspath in new packages will cause issues on module update.
func qModulesPackages() map[string][]string { func qBcpPackages() map[string][]string {
return map[string][]string{ return map[string][]string{
"com.android.conscrypt": []string{ "conscrypt": []string{
"android.net.ssl", "android.net.ssl",
"com.android.org.conscrypt", "com.android.org.conscrypt",
}, },
"com.android.media": []string{ "updatable-media": []string{
"android.media", "android.media",
}, },
} }
@@ -3320,34 +3320,34 @@ func qModulesPackages() map[string][]string {
// DO NOT EDIT! These are the package prefixes that are exempted from being AOT'ed by ART. // DO NOT EDIT! These are the package prefixes that are exempted from being AOT'ed by ART.
// Adding code to the bootclasspath in new packages will cause issues on module update. // Adding code to the bootclasspath in new packages will cause issues on module update.
func rModulesPackages() map[string][]string { func rBcpPackages() map[string][]string {
return map[string][]string{ return map[string][]string{
"com.android.mediaprovider": []string{ "framework-mediaprovider": []string{
"android.provider", "android.provider",
}, },
"com.android.permission": []string{ "framework-permission": []string{
"android.permission", "android.permission",
"android.app.role", "android.app.role",
"com.android.permission", "com.android.permission",
"com.android.role", "com.android.role",
}, },
"com.android.sdkext": []string{ "framework-sdkextensions": []string{
"android.os.ext", "android.os.ext",
}, },
"com.android.os.statsd": []string{ "framework-statsd": []string{
"android.app", "android.app",
"android.os", "android.os",
"android.util", "android.util",
"com.android.internal.statsd", "com.android.internal.statsd",
"com.android.server.stats", "com.android.server.stats",
}, },
"com.android.wifi": []string{ "framework-wifi": []string{
"com.android.server.wifi", "com.android.server.wifi",
"com.android.wifi.x", "com.android.wifi.x",
"android.hardware.wifi", "android.hardware.wifi",
"android.net.wifi", "android.net.wifi",
}, },
"com.android.tethering": []string{ "framework-tethering": []string{
"android.net", "android.net",
}, },
} }

67
apex/apex_test.go
View File

@@ -7580,7 +7580,7 @@ func TestDexpreoptAccessDexFilesFromPrebuiltApex(t *testing.T) {
}) })
} }
func testApexPermittedPackagesRules(t *testing.T, errmsg, bp string, bootJars []string, rules []android.Rule) { func testBootJarPermittedPackagesRules(t *testing.T, errmsg, bp string, bootJars []string, rules []android.Rule) {
t.Helper() t.Helper()
bp += ` bp += `
apex_key { apex_key {
@@ -7619,11 +7619,11 @@ func testApexPermittedPackagesRules(t *testing.T, errmsg, bp string, bootJars []
func TestApexPermittedPackagesRules(t *testing.T) { func TestApexPermittedPackagesRules(t *testing.T) {
testcases := []struct { testcases := []struct {
name string name string
expectedError string expectedError string
bp string bp string
bootJars []string bootJars []string
modulesPackages map[string][]string bcpPermittedPackages map[string][]string
}{ }{
{ {
@@ -7653,15 +7653,15 @@ func TestApexPermittedPackagesRules(t *testing.T) {
updatable: false, updatable: false,
}`, }`,
bootJars: []string{"bcp_lib1"}, bootJars: []string{"bcp_lib1"},
modulesPackages: map[string][]string{ bcpPermittedPackages: map[string][]string{
"myapex": []string{ "bcp_lib1": []string{
"foo.bar", "foo.bar",
}, },
}, },
}, },
{ {
name: "Bootclasspath apex jar not satisfying allowed module packages.", name: "Bootclasspath apex jar not satisfying allowed module packages.",
expectedError: `(?s)module "bcp_lib2" .* which is restricted because jars that are part of the myapex module may only use these package prefixes: foo.bar. Please consider the following alternatives:\n 1. If the offending code is from a statically linked library, consider removing that dependency and using an alternative already in the bootclasspath, or perhaps a shared library. 2. Move the offending code into an allowed package.\n 3. Jarjar the offending code. Please be mindful of the potential system health implications of bundling that code, particularly if the offending jar is part of the bootclasspath.`, expectedError: `(?s)module "bcp_lib2" .* which is restricted because bcp_lib2 bootjar may only use these package prefixes: foo.bar. Please consider the following alternatives:\n 1. If the offending code is from a statically linked library, consider removing that dependency and using an alternative already in the bootclasspath, or perhaps a shared library. 2. Move the offending code into an allowed package.\n 3. Jarjar the offending code. Please be mindful of the potential system health implications of bundling that code, particularly if the offending jar is part of the bootclasspath.`,
bp: ` bp: `
java_library { java_library {
name: "bcp_lib1", name: "bcp_lib1",
@@ -7687,17 +7687,58 @@ func TestApexPermittedPackagesRules(t *testing.T) {
} }
`, `,
bootJars: []string{"bcp_lib1", "bcp_lib2"}, bootJars: []string{"bcp_lib1", "bcp_lib2"},
modulesPackages: map[string][]string{ bcpPermittedPackages: map[string][]string{
"myapex": []string{ "bcp_lib1": []string{
"foo.bar", "foo.bar",
}, },
"bcp_lib2": []string{
"foo.bar",
},
},
},
{
name: "Updateable Bootclasspath apex jar not satisfying allowed module packages.",
expectedError: "",
bp: `
java_library {
name: "bcp_lib_restricted",
srcs: ["lib1/src/*.java"],
apex_available: ["myapex"],
permitted_packages: ["foo.bar"],
sdk_version: "none",
min_sdk_version: "29",
system_modules: "none",
}
java_library {
name: "bcp_lib_unrestricted",
srcs: ["lib2/src/*.java"],
apex_available: ["myapex"],
permitted_packages: ["foo.bar", "bar.baz"],
sdk_version: "none",
min_sdk_version: "29",
system_modules: "none",
}
apex {
name: "myapex",
key: "myapex.key",
java_libs: ["bcp_lib_restricted", "bcp_lib_unrestricted"],
updatable: true,
min_sdk_version: "29",
}
`,
bootJars: []string{"bcp_lib1", "bcp_lib2"},
bcpPermittedPackages: map[string][]string{
"bcp_lib1_non_updateable": []string{
"foo.bar",
},
// bcp_lib2_updateable has no entry here since updateable bcp can contain new packages - tracking via an allowlist is not necessary
}, },
}, },
} }
for _, tc := range testcases { for _, tc := range testcases {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
rules := createApexPermittedPackagesRules(tc.modulesPackages) rules := createBcpPermittedPackagesRules(tc.bcpPermittedPackages)
testApexPermittedPackagesRules(t, tc.expectedError, tc.bp, tc.bootJars, rules) testBootJarPermittedPackagesRules(t, tc.expectedError, tc.bp, tc.bootJars, rules)
}) })
} }
} }