Merge changes Icb91de93,I5a2edaf4
* changes:
Change permitted_packages check to be per-jar rather than per-apex
Revert "Relax apex package restriction for T+ jars"
diff --git a/android/neverallow.go b/android/neverallow.go
index 6f9ae58..f87cebb 100644
--- a/android/neverallow.go
+++ b/android/neverallow.go
@@ -249,7 +249,7 @@
continue
}
- if !n.appliesToProperties(ctx, properties) {
+ if !n.appliesToProperties(properties) {
continue
}
@@ -261,20 +261,12 @@
continue
}
- if !n.appliesToBootclasspathJar(ctx) {
- continue
- }
-
ctx.ModuleErrorf("violates " + n.String())
}
}
-type ValueMatcherContext interface {
- Config() Config
-}
-
type ValueMatcher interface {
- Test(ValueMatcherContext, string) bool
+ Test(string) bool
String() string
}
@@ -282,7 +274,7 @@
expected string
}
-func (m *equalMatcher) Test(ctx ValueMatcherContext, value string) bool {
+func (m *equalMatcher) Test(value string) bool {
return m.expected == value
}
@@ -293,7 +285,7 @@
type anyMatcher struct {
}
-func (m *anyMatcher) Test(ctx ValueMatcherContext, value string) bool {
+func (m *anyMatcher) Test(value string) bool {
return true
}
@@ -307,7 +299,7 @@
prefix string
}
-func (m *startsWithMatcher) Test(ctx ValueMatcherContext, value string) bool {
+func (m *startsWithMatcher) Test(value string) bool {
return strings.HasPrefix(value, m.prefix)
}
@@ -319,7 +311,7 @@
re *regexp.Regexp
}
-func (m *regexMatcher) Test(ctx ValueMatcherContext, value string) bool {
+func (m *regexMatcher) Test(value string) bool {
return m.re.MatchString(value)
}
@@ -331,7 +323,7 @@
allowed []string
}
-func (m *notInListMatcher) Test(ctx ValueMatcherContext, value string) bool {
+func (m *notInListMatcher) Test(value string) bool {
return !InList(value, m.allowed)
}
@@ -341,7 +333,7 @@
type isSetMatcher struct{}
-func (m *isSetMatcher) Test(ctx ValueMatcherContext, value string) bool {
+func (m *isSetMatcher) Test(value string) bool {
return value != ""
}
@@ -351,19 +343,6 @@
var isSetMatcherInstance = &isSetMatcher{}
-type sdkVersionMatcher struct {
- condition func(ctx ValueMatcherContext, spec SdkSpec) bool
- description string
-}
-
-func (m *sdkVersionMatcher) Test(ctx ValueMatcherContext, value string) bool {
- return m.condition(ctx, SdkSpecFromWithConfig(ctx.Config(), value))
-}
-
-func (m *sdkVersionMatcher) String() string {
- return ".sdk-version(" + m.description + ")"
-}
-
type ruleProperty struct {
fields []string // e.x.: Vndk.Enabled
matcher ValueMatcher
@@ -397,8 +376,6 @@
NotModuleType(types ...string) Rule
- BootclasspathJar() Rule
-
With(properties, value string) Rule
WithMatcher(properties string, matcher ValueMatcher) Rule
@@ -514,12 +491,6 @@
return r
}
-// BootclasspathJar whether this rule only applies to Jars in the Bootclasspath
-func (r *rule) BootclasspathJar() Rule {
- r.onlyBootclasspathJar = true
- return r
-}
-
func (r *rule) String() string {
s := []string{"neverallow requirements. Not allowed:"}
if len(r.paths) > 0 {
@@ -537,9 +508,6 @@
if len(r.osClasses) > 0 {
s = append(s, fmt.Sprintf("os class(es): %q", r.osClasses))
}
- if r.onlyBootclasspathJar {
- s = append(s, "in bootclasspath jar")
- }
if len(r.unlessPaths) > 0 {
s = append(s, fmt.Sprintf("EXCEPT in dirs: %q", r.unlessPaths))
}
@@ -580,14 +548,6 @@
return matches
}
-func (r *rule) appliesToBootclasspathJar(ctx BottomUpMutatorContext) bool {
- if !r.onlyBootclasspathJar {
- return true
- }
-
- return InList(ctx.ModuleName(), ctx.Config().BootJars())
-}
-
func (r *rule) appliesToOsClass(osClass OsClass) bool {
if len(r.osClasses) == 0 {
return true
@@ -606,10 +566,9 @@
return (len(r.moduleTypes) == 0 || InList(moduleType, r.moduleTypes)) && !InList(moduleType, r.unlessModuleTypes)
}
-func (r *rule) appliesToProperties(ctx ValueMatcherContext,
- properties []interface{}) bool {
- includeProps := hasAllProperties(ctx, properties, r.props)
- excludeProps := hasAnyProperty(ctx, properties, r.unlessProps)
+func (r *rule) appliesToProperties(properties []interface{}) bool {
+ includeProps := hasAllProperties(properties, r.props)
+ excludeProps := hasAnyProperty(properties, r.unlessProps)
return includeProps && !excludeProps
}
@@ -629,16 +588,6 @@
return ¬InListMatcher{allowed}
}
-func LessThanSdkVersion(sdk string) ValueMatcher {
- return &sdkVersionMatcher{
- condition: func(ctx ValueMatcherContext, spec SdkSpec) bool {
- return spec.ApiLevel.LessThan(
- SdkSpecFromWithConfig(ctx.Config(), sdk).ApiLevel)
- },
- description: "lessThan=" + sdk,
- }
-}
-
// assorted utils
func cleanPaths(paths []string) []string {
@@ -657,28 +606,25 @@
return names
}
-func hasAnyProperty(ctx ValueMatcherContext, properties []interface{},
- props []ruleProperty) bool {
+func hasAnyProperty(properties []interface{}, props []ruleProperty) bool {
for _, v := range props {
- if hasProperty(ctx, properties, v) {
+ if hasProperty(properties, v) {
return true
}
}
return false
}
-func hasAllProperties(ctx ValueMatcherContext, properties []interface{},
- props []ruleProperty) bool {
+func hasAllProperties(properties []interface{}, props []ruleProperty) bool {
for _, v := range props {
- if !hasProperty(ctx, properties, v) {
+ if !hasProperty(properties, v) {
return false
}
}
return true
}
-func hasProperty(ctx ValueMatcherContext, properties []interface{},
- prop ruleProperty) bool {
+func hasProperty(properties []interface{}, prop ruleProperty) bool {
for _, propertyStruct := range properties {
propertiesValue := reflect.ValueOf(propertyStruct).Elem()
for _, v := range prop.fields {
@@ -692,7 +638,7 @@
}
check := func(value string) bool {
- return prop.matcher.Test(ctx, value)
+ return prop.matcher.Test(value)
}
if matchValue(propertiesValue, check) {
diff --git a/android/neverallow_test.go b/android/neverallow_test.go
index 59016d4..8afe9e0 100644
--- a/android/neverallow_test.go
+++ b/android/neverallow_test.go
@@ -327,48 +327,6 @@
"Only boot images may be imported as a makefile goal.",
},
},
- {
- name: "min_sdk too low",
- fs: map[string][]byte{
- "Android.bp": []byte(`
- java_library {
- name: "min_sdk_too_low",
- min_sdk_version: "30",
- }`),
- },
- rules: []Rule{
- NeverAllow().WithMatcher("min_sdk_version", LessThanSdkVersion("31")),
- },
- expectedErrors: []string{
- "module \"min_sdk_too_low\": violates neverallow",
- },
- },
- {
- name: "min_sdk high enough",
- fs: map[string][]byte{
- "Android.bp": []byte(`
- java_library {
- name: "min_sdk_high_enough",
- min_sdk_version: "31",
- }`),
- },
- rules: []Rule{
- NeverAllow().WithMatcher("min_sdk_version", LessThanSdkVersion("31")),
- },
- },
- {
- name: "current min_sdk high enough",
- fs: map[string][]byte{
- "Android.bp": []byte(`
- java_library {
- name: "current_min_sdk_high_enough",
- min_sdk_version: "current",
- }`),
- },
- rules: []Rule{
- NeverAllow().WithMatcher("min_sdk_version", LessThanSdkVersion("31")),
- },
- },
}
var prepareForNeverAllowTest = GroupFixturePreparers(
@@ -452,10 +410,9 @@
}
type mockJavaLibraryProperties struct {
- Libs []string
- Min_sdk_version *string
- Sdk_version *string
- Uncompress_dex *bool
+ Libs []string
+ Sdk_version *string
+ Uncompress_dex *bool
}
type mockJavaLibraryModule struct {
diff --git a/apex/apex.go b/apex/apex.go
index cb88f02..2fe17da 100644
--- a/apex/apex.go
+++ b/apex/apex.go
@@ -3278,21 +3278,19 @@
}
func init() {
- android.AddNeverAllowRules(createApexPermittedPackagesRules(qModulesPackages())...)
- android.AddNeverAllowRules(createApexPermittedPackagesRules(rModulesPackages())...)
+ android.AddNeverAllowRules(createBcpPermittedPackagesRules(qBcpPackages())...)
+ android.AddNeverAllowRules(createBcpPermittedPackagesRules(rBcpPackages())...)
}
-func createApexPermittedPackagesRules(modules_packages map[string][]string) []android.Rule {
- rules := make([]android.Rule, 0, len(modules_packages))
- for module_name, module_packages := range modules_packages {
+func createBcpPermittedPackagesRules(bcpPermittedPackages map[string][]string) []android.Rule {
+ rules := make([]android.Rule, 0, len(bcpPermittedPackages))
+ for jar, permittedPackages := range bcpPermittedPackages {
permittedPackagesRule := android.NeverAllow().
- BootclasspathJar().
- With("apex_available", module_name).
- WithMatcher("permitted_packages", android.NotInList(module_packages)).
- WithMatcher("min_sdk_version", android.LessThanSdkVersion("Tiramisu")).
- Because("jars that are part of the " + module_name +
- " module may only use these package prefixes: " + strings.Join(module_packages, ",") +
- " with min_sdk < T. Please consider the following alternatives:\n" +
+ With("name", jar).
+ WithMatcher("permitted_packages", android.NotInList(permittedPackages)).
+ Because(jar +
+ " bootjar may only use these package prefixes: " + strings.Join(permittedPackages, ",") +
+ ". Please consider the following alternatives:\n" +
" 1. If the offending code is from a statically linked library, consider " +
"removing that dependency and using an alternative already in the " +
"bootclasspath, or perhaps a shared library." +
@@ -3300,55 +3298,56 @@
" 3. Jarjar the offending code. Please be mindful of the potential system " +
"health implications of bundling that code, particularly if the offending jar " +
"is part of the bootclasspath.")
+
rules = append(rules, permittedPackagesRule)
}
return rules
}
-// DO NOT EDIT! These are the package prefixes that are exempted from being AOT'ed by ART on Q/R/S.
+// DO NOT EDIT! These are the package prefixes that are exempted from being AOT'ed by ART.
// Adding code to the bootclasspath in new packages will cause issues on module update.
-func qModulesPackages() map[string][]string {
+func qBcpPackages() map[string][]string {
return map[string][]string{
- "com.android.conscrypt": []string{
+ "conscrypt": []string{
"android.net.ssl",
"com.android.org.conscrypt",
},
- "com.android.media": []string{
+ "updatable-media": []string{
"android.media",
},
}
}
-// DO NOT EDIT! These are the package prefixes that are exempted from being AOT'ed by ART on R/S.
+// DO NOT EDIT! These are the package prefixes that are exempted from being AOT'ed by ART.
// Adding code to the bootclasspath in new packages will cause issues on module update.
-func rModulesPackages() map[string][]string {
+func rBcpPackages() map[string][]string {
return map[string][]string{
- "com.android.mediaprovider": []string{
+ "framework-mediaprovider": []string{
"android.provider",
},
- "com.android.permission": []string{
+ "framework-permission": []string{
"android.permission",
"android.app.role",
"com.android.permission",
"com.android.role",
},
- "com.android.sdkext": []string{
+ "framework-sdkextensions": []string{
"android.os.ext",
},
- "com.android.os.statsd": []string{
+ "framework-statsd": []string{
"android.app",
"android.os",
"android.util",
"com.android.internal.statsd",
"com.android.server.stats",
},
- "com.android.wifi": []string{
+ "framework-wifi": []string{
"com.android.server.wifi",
"com.android.wifi.x",
"android.hardware.wifi",
"android.net.wifi",
},
- "com.android.tethering": []string{
+ "framework-tethering": []string{
"android.net",
},
}
diff --git a/apex/apex_test.go b/apex/apex_test.go
index ec815c4..5706a2c 100644
--- a/apex/apex_test.go
+++ b/apex/apex_test.go
@@ -7580,7 +7580,7 @@
})
}
-func testApexPermittedPackagesRules(t *testing.T, errmsg, bp string, bootJars []string, rules []android.Rule) {
+func testBootJarPermittedPackagesRules(t *testing.T, errmsg, bp string, bootJars []string, rules []android.Rule) {
t.Helper()
bp += `
apex_key {
@@ -7619,11 +7619,11 @@
func TestApexPermittedPackagesRules(t *testing.T) {
testcases := []struct {
- name string
- expectedError string
- bp string
- bootJars []string
- modulesPackages map[string][]string
+ name string
+ expectedError string
+ bp string
+ bootJars []string
+ bcpPermittedPackages map[string][]string
}{
{
@@ -7637,7 +7637,6 @@
apex_available: ["myapex"],
sdk_version: "none",
system_modules: "none",
- min_sdk_version: "30",
}
java_library {
name: "nonbcp_lib2",
@@ -7646,25 +7645,23 @@
permitted_packages: ["a.b"],
sdk_version: "none",
system_modules: "none",
- min_sdk_version: "30",
}
apex {
name: "myapex",
- min_sdk_version: "30",
key: "myapex.key",
java_libs: ["bcp_lib1", "nonbcp_lib2"],
updatable: false,
}`,
bootJars: []string{"bcp_lib1"},
- modulesPackages: map[string][]string{
- "myapex": []string{
+ bcpPermittedPackages: map[string][]string{
+ "bcp_lib1": []string{
"foo.bar",
},
},
},
{
- name: "Bootclasspath apex jar not satisfying allowed module packages on Q.",
- expectedError: `(?s)module "bcp_lib2" .* which is restricted because jars that are part of the myapex module may only use these package prefixes: foo.bar with min_sdk < T. Please consider the following alternatives:\n 1. If the offending code is from a statically linked library, consider removing that dependency and using an alternative already in the bootclasspath, or perhaps a shared library. 2. Move the offending code into an allowed package.\n 3. Jarjar the offending code. Please be mindful of the potential system health implications of bundling that code, particularly if the offending jar is part of the bootclasspath.`,
+ name: "Bootclasspath apex jar not satisfying allowed module packages.",
+ expectedError: `(?s)module "bcp_lib2" .* which is restricted because bcp_lib2 bootjar may only use these package prefixes: foo.bar. Please consider the following alternatives:\n 1. If the offending code is from a statically linked library, consider removing that dependency and using an alternative already in the bootclasspath, or perhaps a shared library. 2. Move the offending code into an allowed package.\n 3. Jarjar the offending code. Please be mindful of the potential system health implications of bundling that code, particularly if the offending jar is part of the bootclasspath.`,
bp: `
java_library {
name: "bcp_lib1",
@@ -7673,7 +7670,6 @@
permitted_packages: ["foo.bar"],
sdk_version: "none",
system_modules: "none",
- min_sdk_version: "29",
}
java_library {
name: "bcp_lib2",
@@ -7682,102 +7678,67 @@
permitted_packages: ["foo.bar", "bar.baz"],
sdk_version: "none",
system_modules: "none",
- min_sdk_version: "29",
}
apex {
name: "myapex",
- min_sdk_version: "29",
key: "myapex.key",
java_libs: ["bcp_lib1", "bcp_lib2"],
updatable: false,
}
`,
bootJars: []string{"bcp_lib1", "bcp_lib2"},
- modulesPackages: map[string][]string{
- "myapex": []string{
+ bcpPermittedPackages: map[string][]string{
+ "bcp_lib1": []string{
+ "foo.bar",
+ },
+ "bcp_lib2": []string{
"foo.bar",
},
},
},
{
- name: "Bootclasspath apex jar not satisfying allowed module packages on R.",
- expectedError: `(?s)module "bcp_lib2" .* which is restricted because jars that are part of the myapex module may only use these package prefixes: foo.bar with min_sdk < T. Please consider the following alternatives:\n 1. If the offending code is from a statically linked library, consider removing that dependency and using an alternative already in the bootclasspath, or perhaps a shared library. 2. Move the offending code into an allowed package.\n 3. Jarjar the offending code. Please be mindful of the potential system health implications of bundling that code, particularly if the offending jar is part of the bootclasspath.`,
- bp: `
- java_library {
- name: "bcp_lib1",
- srcs: ["lib1/src/*.java"],
- apex_available: ["myapex"],
- permitted_packages: ["foo.bar"],
- sdk_version: "none",
- system_modules: "none",
- min_sdk_version: "30",
- }
- java_library {
- name: "bcp_lib2",
- srcs: ["lib2/src/*.java"],
- apex_available: ["myapex"],
- permitted_packages: ["foo.bar", "bar.baz"],
- sdk_version: "none",
- system_modules: "none",
- min_sdk_version: "30",
- }
- apex {
- name: "myapex",
- min_sdk_version: "30",
- key: "myapex.key",
- java_libs: ["bcp_lib1", "bcp_lib2"],
- updatable: false,
- }
- `,
- bootJars: []string{"bcp_lib1", "bcp_lib2"},
- modulesPackages: map[string][]string{
- "myapex": []string{
- "foo.bar",
- },
- },
- },
- {
- name: "Bootclasspath apex jar >= T not satisfying Q/R/S allowed module packages.",
+ name: "Updateable Bootclasspath apex jar not satisfying allowed module packages.",
expectedError: "",
bp: `
java_library {
- name: "bcp_lib1",
+ name: "bcp_lib_restricted",
srcs: ["lib1/src/*.java"],
apex_available: ["myapex"],
permitted_packages: ["foo.bar"],
sdk_version: "none",
+ min_sdk_version: "29",
system_modules: "none",
- min_sdk_version: "current",
}
java_library {
- name: "bcp_lib2",
+ name: "bcp_lib_unrestricted",
srcs: ["lib2/src/*.java"],
apex_available: ["myapex"],
permitted_packages: ["foo.bar", "bar.baz"],
sdk_version: "none",
+ min_sdk_version: "29",
system_modules: "none",
- min_sdk_version: "current",
}
apex {
name: "myapex",
- min_sdk_version: "current",
key: "myapex.key",
- java_libs: ["bcp_lib1", "bcp_lib2"],
- updatable: false,
+ java_libs: ["bcp_lib_restricted", "bcp_lib_unrestricted"],
+ updatable: true,
+ min_sdk_version: "29",
}
`,
bootJars: []string{"bcp_lib1", "bcp_lib2"},
- modulesPackages: map[string][]string{
- "myapex": []string{
+ bcpPermittedPackages: map[string][]string{
+ "bcp_lib1_non_updateable": []string{
"foo.bar",
},
+ // bcp_lib2_updateable has no entry here since updateable bcp can contain new packages - tracking via an allowlist is not necessary
},
},
}
for _, tc := range testcases {
t.Run(tc.name, func(t *testing.T) {
- rules := createApexPermittedPackagesRules(tc.modulesPackages)
- testApexPermittedPackagesRules(t, tc.expectedError, tc.bp, tc.bootJars, rules)
+ rules := createBcpPermittedPackagesRules(tc.bcpPermittedPackages)
+ testBootJarPermittedPackagesRules(t, tc.expectedError, tc.bp, tc.bootJars, rules)
})
}
}