From f23fdc048eced597af6ac48893c98e1972ec5b05 Mon Sep 17 00:00:00 2001
From: Cole Faust
Date: Fri, 23 Aug 2024 15:21:13 -0700
Subject: [PATCH] Move aidl_camera_build_version to build number allowlist

This allows us to get most of the benefits of genrule sandboxing, and defer deciding what to do about the build number until later.

Bug: 307824623
Test: m aidl_camera_build_version
Change-Id: Ib3f4dd6d270ac56d068593c95ee40db44962b845
---
 genrule/allowlists.go | 1 -
 genrule/genrule.go | 22 ++++++++++++++++++----
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/genrule/allowlists.go b/genrule/allowlists.go
index 7c71b77ef..4f1b320f8 100644
--- a/genrule/allowlists.go
+++ b/genrule/allowlists.go
@@ -17,7 +17,6 @@ package genrule
 var (
 SandboxingDenyModuleList = []string{
 // go/keep-sorted start
- "aidl_camera_build_version",
 "com.google.pixel.camera.hal.manifest",
 // go/keep-sorted end
 }
diff --git a/genrule/genrule.go b/genrule/genrule.go
index b8b996820..40434204e 100644
--- a/genrule/genrule.go
+++ b/genrule/genrule.go
@@ -243,13 +243,27 @@ func toolDepsMutator(ctx android.BottomUpMutatorContext) {
 }
 }
 
+var buildNumberAllowlistKey = android.NewOnceKey("genruleBuildNumberAllowlistKey")
+
 // This allowlist should be kept to the bare minimum, it's
 // intended for things that existed before the build number
 // was tightly controlled. Prefer using libbuildversion
 // via the use_version_lib property of cc modules.
-var genrule_build_number_allowlist = map[string]bool{
- "build/soong/tests:gen": true,
- "tools/tradefederation/core:tradefed_zip": true,
+// This is a function instead of a global map so that
+// soong plugins cannot add entries to the allowlist
+func isModuleInBuildNumberAllowlist(ctx android.ModuleContext) bool {
+ allowlist := ctx.Config().Once(buildNumberAllowlistKey, func() interface{} {
+ return map[string]bool{
+ // go/keep-sorted start
+ "build/soong/tests:gen": true,
+ "hardware/google/camera/common/hal/aidl_service:aidl_camera_build_version": true,
+ "tools/tradefederation/core:tradefed_zip": true,
+ // go/keep-sorted end
+ }
+ }).(map[string]bool)
+
+ _, ok := allowlist[ctx.ModuleDir()+":"+ctx.ModuleName()]
+ return ok
 }
 
 // generateCommonBuildActions contains build action generation logic
@@ -547,7 +561,7 @@ func (g *Module) generateCommonBuildActions(ctx android.ModuleContext) {
 cmd.ImplicitTools(tools)
 cmd.ImplicitPackagedTools(packagedTools)
 if proptools.Bool(g.properties.Uses_order_only_build_number_file) {
- if _, ok := genrule_build_number_allowlist[ctx.ModuleDir()+":"+ctx.ModuleName()]; !ok {
+ if !isModuleInBuildNumberAllowlist(ctx) {
 ctx.ModuleErrorf("Only allowlisted modules may use uses_order_only_build_number_file: true")
 }
 cmd.OrderOnly(ctx.Config().BuildNumberFile(ctx))
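Review bot: The allowlist map in `isModuleInBuildNumberAllowlist` (genrule/genrule.go, hunk `@@ -243,13 +243,27 @@`) is still a single shared, mutable object, because it is stored in the config's `Once` cache under a key built from a plain string, so the added comment's claim that plugins cannot add entries may be stronger than what the code guarantees. If `android.NewOnceKey` keys created from the same string compare equal (not visible in this diff, please confirm), other code linked into the build that holds a config could obtain or pre-populate that same map. The lookup covers three entries, so caching buys little; building the literal inside the function and never storing it removes the shared state: `allowlist := map[string]bool{ /* entries */ }` followed by `return allowlist[ctx.ModuleDir()+":"+ctx.ModuleName()]`, with `buildNumberAllowlistKey` dropped.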