Merge "Enable CFI by default but restrict CFI_INCLUDE_PATHS" into pi-dev
diff --git a/core/config_sanitizers.mk b/core/config_sanitizers.mk
index e0f8aca..d570ccd 100644
--- a/core/config_sanitizers.mk
+++ b/core/config_sanitizers.mk
@@ -96,15 +96,17 @@
my_sanitize_diag :=
endif
-# Enable CFI in included paths.
+# Enable CFI in included paths (for Arm64 only).
ifeq ($(filter cfi, $(my_sanitize)),)
- combined_include_paths := $(CFI_INCLUDE_PATHS) \
- $(PRODUCT_CFI_INCLUDE_PATHS)
+ ifneq ($(filter arm64,$(TARGET_$(LOCAL_2ND_ARCH_VAR_PREFIX)ARCH)),)
+ combined_include_paths := $(CFI_INCLUDE_PATHS) \
+ $(PRODUCT_CFI_INCLUDE_PATHS)
- ifneq ($(strip $(foreach dir,$(subst $(comma),$(space),$(combined_include_paths)),\
- $(filter $(dir)%,$(LOCAL_PATH)))),)
- my_sanitize := cfi $(my_sanitize)
- my_sanitize_diag := cfi $(my_sanitize_diag)
+ ifneq ($(strip $(foreach dir,$(subst $(comma),$(space),$(combined_include_paths)),\
+ $(filter $(dir)%,$(LOCAL_PATH)))),)
+ my_sanitize := cfi $(my_sanitize)
+ my_sanitize_diag := cfi $(my_sanitize_diag)
+ endif
endif
endif
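Review bot: The new `ifneq ($(filter arm64,$(TARGET_$(LOCAL_2ND_ARCH_VAR_PREFIX)ARCH)),)` guard skips path-based CFI without leaving any trace in the build. A module under `CFI_INCLUDE_PATHS` or `PRODUCT_CFI_INCLUDE_PATHS` is therefore built uninstrumented on every non-arm64 target and, judging by the `LOCAL_2ND_ARCH_VAR_PREFIX` lookup, also for the 32-bit second-arch variant on an arm64 device. The comment says "for Arm64 only" but gives neither the reason nor the coverage gap; I would expand it to something like `# Enable CFI in included paths, arm64 variants only; the 2nd-arch (32-bit) variant of the same module and all other architectures are built without CFI.` and add the reason for the restriction. If any listed component can run as a 32-bit process, that gap should be tracked explicitly rather than inferred from this condition.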
diff --git a/target/product/core_64_bit.mk b/target/product/core_64_bit.mk
index 76e2a36..e6fd97c 100644
--- a/target/product/core_64_bit.mk
+++ b/target/product/core_64_bit.mk
@@ -31,3 +31,7 @@
TARGET_SUPPORTS_32_BIT_APPS := true
TARGET_SUPPORTS_64_BIT_APPS := true
+
+# Enable CFI for security-sensitive components
+$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk)
+$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk)
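Review bot: The comment `# Enable CFI for security-sensitive components`, added here and identically in core_64_bit_only.mk, promises more than the lines below it guarantee. `inherit-product-if-exists` silently skips `vendor/google/products/cfi-vendor.mk` when the file is absent, so the set of CFI-covered paths differs between trees with no signal in the build output. cfi-common.mk is not part of this diff, so I can only assume it populates `PRODUCT_CFI_INCLUDE_PATHS`; the comment should say where the path lists come from and that the vendor one is optional, e.g. `# CFI include paths: cfi-common.mk (required), cfi-vendor.mk (optional, skipped if absent).` Since core_64_bit.mk also sets `TARGET_SUPPORTS_32_BIT_APPS := true` and the sanitizer change in this commit applies path-based CFI to arm64 only, the comment should also note that 32-bit variants of those components stay uninstrumented.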
diff --git a/target/product/core_64_bit_only.mk b/target/product/core_64_bit_only.mk
index 72d30f5..0690713 100644
--- a/target/product/core_64_bit_only.mk
+++ b/target/product/core_64_bit_only.mk
@@ -28,3 +28,7 @@
TARGET_SUPPORTS_32_BIT_APPS := false
TARGET_SUPPORTS_64_BIT_APPS := true
+
+# Enable CFI for security-sensitive components
+$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk)
+$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk)