add privapp_allowlist property to android_app
This change allows override_android_app to use the same privapp_allowlist as the non-override module so that they will always remain in sync. Test: go test ./java -v -run TestPrivappAllowlist Test: go test ./apex -v -run TestApexWithApps Test: m com.android.permission com.google.android.permission and verify manually that apex_payload.img contains correct privapp_allowlist Test: m com.android.permission before and after change && `diffoscope apex_payload_reference.img apex_payload_with_change.img` && verify that there are no semantic changes Bug: 242509786 (cherry picked from https://android-review.googlesource.com/q/commit:580636bdd23171f31bfedd773c065e0861dd5c4a) Merged-In: Ifdcb28af40763aed7a4aac9a7f681153554bc256 Change-Id: Ifdcb28af40763aed7a4aac9a7f681153554bc256
This commit is contained in:
Andrei Onea
committed by
Cherrypicker Worker
Cherrypicker Worker
parent
d87d22372b
commit
c53cfd54d9
19
apex/apex.go
19
apex/apex.go
@@ -1823,6 +1823,7 @@ type androidApp interface {
|
||||
Certificate() java.Certificate
|
||||
BaseModuleName() string
|
||||
LintDepSets() java.LintDepSets
|
||||
PrivAppAllowlist() android.OptionalPath
|
||||
}
|
||||
|
||||
var _ androidApp = (*java.AndroidApp)(nil)
|
||||
@@ -1843,7 +1844,7 @@ func sanitizedBuildIdForPath(ctx android.BaseModuleContext) string {
|
||||
return buildId
|
||||
}
|
||||
|
||||
func apexFileForAndroidApp(ctx android.BaseModuleContext, aapp androidApp) apexFile {
|
||||
func apexFilesForAndroidApp(ctx android.BaseModuleContext, aapp androidApp) []apexFile {
|
||||
appDir := "app"
|
||||
if aapp.Privileged() {
|
||||
appDir = "priv-app"
|
||||
@@ -1865,7 +1866,15 @@ func apexFileForAndroidApp(ctx android.BaseModuleContext, aapp androidApp) apexF
|
||||
}); ok {
|
||||
af.overriddenPackageName = app.OverriddenManifestPackageName()
|
||||
}
|
||||
return af
|
||||
apexFiles := []apexFile{af}
|
||||
|
||||
if allowlist := aapp.PrivAppAllowlist(); allowlist.Valid() {
|
||||
dirInApex := filepath.Join("etc", "permissions")
|
||||
privAppAllowlist := newApexFile(ctx, allowlist.Path(), aapp.BaseModuleName()+"privapp", dirInApex, etc, aapp)
|
||||
apexFiles = append(apexFiles, privAppAllowlist)
|
||||
}
|
||||
|
||||
return apexFiles
|
||||
}
|
||||
|
||||
func apexFileForRuntimeResourceOverlay(ctx android.BaseModuleContext, rro java.RuntimeResourceOverlayModule) apexFile {
|
||||
@@ -2310,12 +2319,12 @@ func (a *apexBundle) depVisitor(vctx *visitorContext, ctx android.ModuleContext,
|
||||
case androidAppTag:
|
||||
switch ap := child.(type) {
|
||||
case *java.AndroidApp:
|
||||
vctx.filesInfo = append(vctx.filesInfo, apexFileForAndroidApp(ctx, ap))
|
||||
vctx.filesInfo = append(vctx.filesInfo, apexFilesForAndroidApp(ctx, ap)...)
|
||||
return true // track transitive dependencies
|
||||
case *java.AndroidAppImport:
|
||||
vctx.filesInfo = append(vctx.filesInfo, apexFileForAndroidApp(ctx, ap))
|
||||
vctx.filesInfo = append(vctx.filesInfo, apexFilesForAndroidApp(ctx, ap)...)
|
||||
case *java.AndroidTestHelperApp:
|
||||
vctx.filesInfo = append(vctx.filesInfo, apexFileForAndroidApp(ctx, ap))
|
||||
vctx.filesInfo = append(vctx.filesInfo, apexFilesForAndroidApp(ctx, ap)...)
|
||||
case *java.AndroidAppSet:
|
||||
appDir := "app"
|
||||
if ap.Privileged() {
|
||||
|
||||
@@ -6165,6 +6165,8 @@ func TestApexWithApps(t *testing.T) {
|
||||
sdk_version: "current",
|
||||
system_modules: "none",
|
||||
privileged: true,
|
||||
privapp_allowlist: "perms.xml",
|
||||
package_name: "com.android.AppFooPriv",
|
||||
stl: "none",
|
||||
apex_available: [ "myapex" ],
|
||||
}
|
||||
@@ -6194,6 +6196,7 @@ func TestApexWithApps(t *testing.T) {
|
||||
|
||||
ensureContains(t, copyCmds, "image.apex/app/AppFoo@TEST.BUILD_ID/AppFoo.apk")
|
||||
ensureContains(t, copyCmds, "image.apex/priv-app/AppFooPriv@TEST.BUILD_ID/AppFooPriv.apk")
|
||||
ensureContains(t, copyCmds, "image.apex/etc/permissions/privapp_allowlist_com.android.AppFooPriv.xml")
|
||||
|
||||
appZipRule := ctx.ModuleForTests("AppFoo", "android_common_apex10000").Description("zip jni libs")
|
||||
// JNI libraries are uncompressed
|
||||
|
||||
58
java/app.go
58
java/app.go
@@ -33,8 +33,17 @@ import (
|
||||
|
||||
func init() {
|
||||
RegisterAppBuildComponents(android.InitRegistrationContext)
|
||||
pctx.HostBinToolVariable("ModifyAllowlistCmd", "modify_permissions_allowlist")
|
||||
}
|
||||
|
||||
var (
|
||||
modifyAllowlist = pctx.AndroidStaticRule("modifyAllowlist",
|
||||
blueprint.RuleParams{
|
||||
Command: "${ModifyAllowlistCmd} $in $packageName $out",
|
||||
CommandDeps: []string{"${ModifyAllowlistCmd}"},
|
||||
}, "packageName")
|
||||
)
|
||||
|
||||
func RegisterAppBuildComponents(ctx android.RegistrationContext) {
|
||||
ctx.RegisterModuleType("android_app", AndroidAppFactory)
|
||||
ctx.RegisterModuleType("android_test", AndroidTestFactory)
|
||||
@@ -115,6 +124,9 @@ type appProperties struct {
|
||||
// Prefer using other specific properties if build behaviour must be changed; avoid using this
|
||||
// flag for anything but neverallow rules (unless the behaviour change is invisible to owners).
|
||||
Updatable *bool
|
||||
|
||||
// Specifies the file that contains the allowlist for this app.
|
||||
Privapp_allowlist *string `android:"path"`
|
||||
}
|
||||
|
||||
// android_app properties that can be overridden by override_android_app
|
||||
@@ -179,6 +191,8 @@ type AndroidApp struct {
|
||||
android.ApexBundleDepsInfo
|
||||
|
||||
javaApiUsedByOutputFile android.ModuleOutPath
|
||||
|
||||
privAppAllowlist android.OptionalPath
|
||||
}
|
||||
|
||||
func (a *AndroidApp) IsInstallable() bool {
|
||||
@@ -205,6 +219,10 @@ func (a *AndroidApp) JniCoverageOutputs() android.Paths {
|
||||
return a.jniCoverageOutputs
|
||||
}
|
||||
|
||||
func (a *AndroidApp) PrivAppAllowlist() android.OptionalPath {
|
||||
return a.privAppAllowlist
|
||||
}
|
||||
|
||||
var _ AndroidLibraryDependency = (*AndroidApp)(nil)
|
||||
|
||||
type Certificate struct {
|
||||
@@ -269,6 +287,10 @@ func (a *AndroidApp) OverridablePropertiesDepsMutator(ctx android.BottomUpMutato
|
||||
ctx.AddDependency(ctx.Module(), certificateTag, cert)
|
||||
}
|
||||
|
||||
if a.appProperties.Privapp_allowlist != nil && !Bool(a.appProperties.Privileged) {
|
||||
ctx.PropertyErrorf("privapp_allowlist", "privileged must be set in order to use privapp_allowlist")
|
||||
}
|
||||
|
||||
for _, cert := range a.appProperties.Additional_certificates {
|
||||
cert = android.SrcIsModule(cert)
|
||||
if cert != "" {
|
||||
@@ -599,6 +621,27 @@ func (a *AndroidApp) InstallApkName() string {
|
||||
return a.installApkName
|
||||
}
|
||||
|
||||
func (a *AndroidApp) createPrivappAllowlist(ctx android.ModuleContext) *android.OutputPath {
|
||||
if a.appProperties.Privapp_allowlist == nil {
|
||||
return nil
|
||||
}
|
||||
if a.overridableAppProperties.Package_name == nil {
|
||||
ctx.PropertyErrorf("privapp_allowlist", "package_name must be set to use privapp_allowlist")
|
||||
}
|
||||
packageName := *a.overridableAppProperties.Package_name
|
||||
fileName := "privapp_allowlist_" + packageName + ".xml"
|
||||
outPath := android.PathForModuleOut(ctx, fileName).OutputPath
|
||||
ctx.Build(pctx, android.BuildParams{
|
||||
Rule: modifyAllowlist,
|
||||
Input: android.PathForModuleSrc(ctx, *a.appProperties.Privapp_allowlist),
|
||||
Output: outPath,
|
||||
Args: map[string]string{
|
||||
"packageName": packageName,
|
||||
},
|
||||
})
|
||||
return &outPath
|
||||
}
|
||||
|
||||
func (a *AndroidApp) generateAndroidBuildActions(ctx android.ModuleContext) {
|
||||
var apkDeps android.Paths
|
||||
|
||||
@@ -734,18 +777,27 @@ func (a *AndroidApp) generateAndroidBuildActions(ctx android.ModuleContext) {
|
||||
BuildBundleModule(ctx, bundleFile, a.exportPackage, jniJarFile, dexJarFile)
|
||||
a.bundleFile = bundleFile
|
||||
|
||||
allowlist := a.createPrivappAllowlist(ctx)
|
||||
if allowlist != nil {
|
||||
a.privAppAllowlist = android.OptionalPathForPath(allowlist)
|
||||
}
|
||||
|
||||
apexInfo := ctx.Provider(android.ApexInfoProvider).(android.ApexInfo)
|
||||
|
||||
// Install the app package.
|
||||
if (Bool(a.Module.properties.Installable) || ctx.Host()) && apexInfo.IsForPlatform() &&
|
||||
!a.appProperties.PreventInstall {
|
||||
|
||||
shouldInstallAppPackage := (Bool(a.Module.properties.Installable) || ctx.Host()) && apexInfo.IsForPlatform() && !a.appProperties.PreventInstall
|
||||
if shouldInstallAppPackage {
|
||||
var extraInstalledPaths android.Paths
|
||||
for _, extra := range a.extraOutputFiles {
|
||||
installed := ctx.InstallFile(a.installDir, extra.Base(), extra)
|
||||
extraInstalledPaths = append(extraInstalledPaths, installed)
|
||||
}
|
||||
ctx.InstallFile(a.installDir, a.outputFile.Base(), a.outputFile, extraInstalledPaths...)
|
||||
|
||||
if a.privAppAllowlist.Valid() {
|
||||
installPath := android.PathForModuleInstall(ctx, "etc", "permissions")
|
||||
ctx.InstallFile(installPath, a.privAppAllowlist.Path().Base(), a.privAppAllowlist.Path())
|
||||
}
|
||||
}
|
||||
|
||||
a.buildAppDependencyInfo(ctx)
|
||||
|
||||
@@ -376,6 +376,10 @@ func (a *AndroidAppImport) ProvenanceMetaDataFile() android.OutputPath {
|
||||
return a.provenanceMetaDataFile
|
||||
}
|
||||
|
||||
func (a *AndroidAppImport) PrivAppAllowlist() android.OptionalPath {
|
||||
return android.OptionalPath{}
|
||||
}
|
||||
|
||||
var dpiVariantGroupType reflect.Type
|
||||
var archVariantGroupType reflect.Type
|
||||
var supportedDpis = []string{"ldpi", "mdpi", "hdpi", "xhdpi", "xxhdpi", "xxxhdpi"}
|
||||
|
||||
@@ -3547,3 +3547,51 @@ func TestTargetSdkVersionMtsTests(t *testing.T) {
|
||||
android.AssertStringDoesContain(t, testCase.desc, manifestFixerArgs, "--targetSdkVersion "+testCase.targetSdkVersionExpected)
|
||||
}
|
||||
}
|
||||
|
||||
func TestPrivappAllowlist(t *testing.T) {
|
||||
testJavaError(t, "privileged must be set in order to use privapp_allowlist", `
|
||||
android_app {
|
||||
name: "foo",
|
||||
srcs: ["a.java"],
|
||||
privapp_allowlist: "perms.xml",
|
||||
}
|
||||
`)
|
||||
|
||||
result := PrepareForTestWithJavaDefaultModules.RunTestWithBp(
|
||||
t,
|
||||
`
|
||||
android_app {
|
||||
name: "foo",
|
||||
srcs: ["a.java"],
|
||||
privapp_allowlist: "perms.xml",
|
||||
privileged: true,
|
||||
package_name: "com.android.foo",
|
||||
sdk_version: "current",
|
||||
}
|
||||
override_android_app {
|
||||
name: "bar",
|
||||
base: "foo",
|
||||
package_name: "com.google.android.foo",
|
||||
}
|
||||
`,
|
||||
)
|
||||
app := result.ModuleForTests("foo", "android_common")
|
||||
overrideApp := result.ModuleForTests("foo", "android_common_bar")
|
||||
|
||||
// verify that privapp allowlist is created
|
||||
app.Output("out/soong/.intermediates/foo/android_common/privapp_allowlist_com.android.foo.xml")
|
||||
overrideApp.Output("out/soong/.intermediates/foo/android_common_bar/privapp_allowlist_com.google.android.foo.xml")
|
||||
expectedAllowlist := "perms.xml"
|
||||
actualAllowlist := app.Rule("modifyAllowlist").Input.String()
|
||||
if expectedAllowlist != actualAllowlist {
|
||||
t.Errorf("expected allowlist to be %q; got %q", expectedAllowlist, actualAllowlist)
|
||||
}
|
||||
overrideActualAllowlist := overrideApp.Rule("modifyAllowlist").Input.String()
|
||||
if expectedAllowlist != overrideActualAllowlist {
|
||||
t.Errorf("expected override allowlist to be %q; got %q", expectedAllowlist, overrideActualAllowlist)
|
||||
}
|
||||
|
||||
// verify that permissions are copied to device
|
||||
app.Output("out/soong/target/product/test_device/system/etc/permissions/privapp_allowlist_com.android.foo.xml")
|
||||
overrideApp.Output("out/soong/target/product/test_device/system/etc/permissions/privapp_allowlist_com.google.android.foo.xml")
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user