Adds a new StartsWith(string) ValueMatcher along with
With[Out]Matcher(...) methods to support new restrictions that prevent
any paths into runtime module repositories from being added to the
include_dirs.
Test: m nothing
Bug: 35624006
Change-Id: Ib954998e5fc190d8a11a8c6ac5f810cad927aac3

Make it easy to add additional ways of matching property values. Needed
to add support for a 'starts with' matcher that can be used to restrict
allowable values in include_dir.
Test: m nothing
Bug: 35624006
Change-Id: I82e7d95f08847bf294aac311968e1d9f3e4b385d

* Adds a Rule interface to hide the rule struct and expose the mutator
functions.
* Makes the neverallow() function public as NeverAllow().
* Adds AddNeverAllowRules func to add more rules.
* Moves the population of the builtin rules to init() function.
Bug: 136159343
Test: m droid
- changed a built-in rule to cause build failure to ensure the
rules were still being applied, then reverted the change and
ran 'm droid' again.
Change-Id: Ie3a4456d1f6bc12c5b4931bf698333275347fdf0
Merged-In: Ie3a4456d1f6bc12c5b4931bf698333275347fdf0
(cherry picked from commit 18af090842)
(cherry picked from commit b1cacba022)

* Adds a Rule interface to hide the rule struct and expose the mutator
functions.
* Makes the neverallow() function public as NeverAllow().
* Adds AddNeverAllowRules func to add more rules.
* Moves the population of the builtin rules to init() function.
Bug: 136159343
Test: m droid
- changed a built-in rule to cause build failure to ensure the
rules were still being applied, then reverted the change and
ran 'm droid' again.
Change-Id: Ie3a4456d1f6bc12c5b4931bf698333275347fdf0
Merged-In: Ie3a4456d1f6bc12c5b4931bf698333275347fdf0

Corrects an error message that refers to no_standard_libs.
Removes any tests that use no_standard_libs:true where possible as
there are duplicate tests for sdk_version:"none". Otherwise, switches
them over to use sdk_version:"none".
The androidmk mapping from LOCAL_NO_STANDARD_LIBRARIES to
no_standard_libs has also been removed. There was little point in
updating the tool to map it through to sdk_version:"none" as there are
only a couple of places where it is used, in art's test running mk
targets and in some unbundled packages to work around some limitation
in the .mk based build.
Bug: 134566750
Test: m droid
Change-Id: I6413c9b1fe3e63b93753a6a017d2981e32b7e013

Where possible this duplicates any tests that use no_standard_libs:true
with ones that use sdk_version:"none". If not possible (e.g. in the
default targets included in java/testing.go) it switches some to use
sdk_version:"none" to ensure that there is no regression in the
behavior of no_standard_libs:true.
Follow up changes will switch all usages of no_standard_libs:true over
to use sdk_version:"none" at which point no_standard_libs will be
removed.
Bug: 134566750
Test: m droid
Change-Id: I5f0fd3daa980f6b223abe454cba7f25a97a39d7a

The rules that restricted access to core library targets are no longer
required as they have been replaced with visibility rules. The
visibility rules are safer because they check all dependencies whereas
the neverallow rules that have been removed only checked dependencies
in the libs property and so missed dependencies in static_libs and
java_libs properties.
Bug: 112158820
Test: m core-tests
Change-Id: Ibfef74db0769992266ebadf445836d2a183df3f7
Merged-In: Ibfef74db0769992266ebadf445836d2a183df3f7
(cherry picked from commit 8e8c01c382)

The rules that restricted access to core library targets are no longer
required as they have been replaced with visibility rules. The
visibility rules are safer because they check all dependencies whereas
the neverallow rules that have been removed only checked dependencies
in the libs property and so missed dependencies in static_libs and
java_libs properties.
(cherry picked from 8e8c01c382)
Bug: 112158820
Test: m core-tests
Change-Id: I3b50b705b7cd6fcdc55d26cd71b9149b3abd2b88
Merged-In: Ibfef74db0769992266ebadf445836d2a183df3f7

Guava can't compile against a device bootclasspath; it uses methods
that only exist in the host bootclasspath, and then avoids calling
them at runtime.
Bug: 130306229
Test: m checkbuild
Change-Id: I012030cb701c01ea9ff554c1b6156d0242365a4c
Merged-In: I012030cb701c01ea9ff554c1b6156d0242365a4c
Exempt-From-Owner-Approval: cherry pick
(cherry picked from commit b5191a573d)

Guava can't compile against a device bootclasspath; it uses methods
that only exist in the host bootclasspath, and then avoids calling
them at runtime.
Bug: 130306229
Test: m checkbuild
Change-Id: I012030cb701c01ea9ff554c1b6156d0242365a4c

java_device_for_host and java_host_for_device should rarely be
used and could cause problems if used incorrectly, so restrict them
to only the necessary projects through a neverallow whitelist.
Bug: 117920228
Test: neverallow_test.go
Change-Id: I37dce489c2fb8bca71bd46dbabaaa514bf6f7eee
Merged-In: I37dce489c2fb8bca71bd46dbabaaa514bf6f7eee

java_device_for_host and java_host_for_device should rarely be
used and could cause problems if used incorrectly, so restrict them
to only the necessary projects through a neverallow whitelist.
Bug: 117920228
Test: neverallow_test.go
Change-Id: I37dce489c2fb8bca71bd46dbabaaa514bf6f7eee

Add soong build restrictions for libcore targets to stop
other targets depending on internals.
Test: cd build/soong/; ./build_test.bash --products aosp_arm
Bug: 113148576
Change-Id: I2c15924fbecaf0c2076d08de65814a6dcb790e73

There is a set of git projects that are part of or
closely related to "core libraries" and will need to
be allowed to compile against core library implementations
(and not stubs) after we've switched the default to use
stubs.
Bug: 113148576
Test: build
Change-Id: Id10b7dd83b173bdbfdb07b404d0e5f1ff621e543

To migrate the default compilation over to using
"core platform api" stubs we need to make the "before"
state as close to the "after" state as possible.
The stubs will include all "core libraries" so it
makes sense to include those that contribute to the
"core platform api": okhttp, bouncycastle and conscrypt.
(apache-xml is not included because it doesn't contribute
to the core platform API).
After this change all explicit dependencies to okhttp,
bouncycastle and conscrypt in situations where the
default boot classpath is used can be removed.
A knock-on of this change is that the conscrypt, bouncycastle
and okhttp targets need to be adjusted to explicitly
depend on core-oj / core-libart with no_standard_libs: true
to avoid a cycle.
Bug: 113148576
Test: treehugger
Change-Id: I1677af8d9d48fd026874ebce4c864f39ec1a5a3d

conscrypt is built against an API surface we define
in libcore as core.intra.stubs. Therefore we need
an exception to the libcore dependency rules.
Bug: 113148576
Bug: 110404540
Test: make conscrypt
Change-Id: If36e05b2d8339741393752bd864bdb5d6c0f503e

This commit allows VNDK extensions (vndk.enabled:true and vendor:true)
to reside under vendor/* or device/*. VNDK extensions will be installed
into /vendor/lib[64]/vndk[-sp]. It is reasonable for their source to be
under vendor/* or device/*.
Bug: 74506774
Test: lunch aosp_walleye-userdebug && make # runs unit tests
Change-Id: I406c5bef10f5c549371dd978b8ecc16c65a7af4b

api-stubs, system-api-stubs, etc. need generated sources and srcjars from "framework",
so add a property that tells the module to fetch srcs and srcjars from its
dependency libraries. The libraries in that property have to be in the
module's classpath.
Also add doc_defaults targets.
Bug: b/70351683
Test: m -j
Change-Id: I05831fbcad488037710950e4f05dc8fb2a12f403

Straightforward way of expressing policy inspired by a similar
syntax in SELinux.
Bug: 70165717
Test: no neverallows hit
Test: manually checking neverallow rules by changing them/adding violations
Change-Id: I7e15a0094d1861391bfe21a2ea30797d7593c142