Refactor Trusty neverallow rules for clarity
- Separate rule sets that affect different things
- Clarify reason text
- Avoid duplication so future diffs touch less
- Correct plurality of func names
This CL is intended to make no functional changes.
Bug: None
Test: m
Change-Id: Ic68eb2657899e7106d252f8eafc8ced22b4e9baf
diff --git a/android/neverallow.go b/android/neverallow.go
index 8995a0f..0d6699d 100644
--- a/android/neverallow.go
+++ b/android/neverallow.go
@@ -60,7 +60,8 @@
AddNeverAllowRules(createCcStubsRule())
AddNeverAllowRules(createProhibitHeaderOnlyRule())
AddNeverAllowRules(createLimitNdkExportRule()...)
- AddNeverAllowRules(createLimitDirgroupRule()...)
+ AddNeverAllowRules(createLimitDirgroupRules()...)
+ AddNeverAllowRules(createLimitGenruleRules()...)
AddNeverAllowRules(createFilesystemIsAutoGeneratedRule())
AddNeverAllowRules(createKotlinPluginRule()...)
AddNeverAllowRules(createPrebuiltEtcBpDefineRule())
@@ -287,45 +288,45 @@
}
}
-func createLimitDirgroupRule() []Rule {
- reason := "dirgroup module and dir_srcs / keep_gendir property of genrule is allowed only to Trusty build rule."
+func createLimitDirgroupRules() []Rule {
+ reason := "The dirgroup module can only be used with Trusty visibility"
+ scriptsDirsList := []string{"//trusty/vendor/google/aosp/scripts", "//trusty/vendor/google/proprietary/scripts"}
return []Rule{
NeverAllow().
ModuleType("dirgroup").
- WithMatcher("visibility", NotInList([]string{"//trusty/vendor/google/aosp/scripts", "//trusty/vendor/google/proprietary/scripts"})).Because(reason),
+ WithMatcher("visibility", NotInList(scriptsDirsList)).Because(reason),
NeverAllow().
ModuleType("dirgroup").
- WithoutMatcher("visibility", InAllowedList([]string{"//trusty/vendor/google/aosp/scripts", "//trusty/vendor/google/proprietary/scripts"})).Because(reason),
+ WithoutMatcher("visibility", InAllowedList(scriptsDirsList)).Because(reason),
+ }
+}
+
+func createLimitGenruleRules() []Rule {
+ dirSrcsReason := "The `dir_srcs` property in a `genrule` module can only be used by Trusty"
+ keepGendirReason := "The `keep_gendir` property in a `genrule` module can only be used by Trusty"
+ allowedModuleNameList := []string{
+ // Trusty TEE target names
+ "trusty_tee_package_goog",
+ "trusty_tee_package",
+ // Trusty vm target names
+ "trusty_test_vm_arm64.bin",
+ "trusty_test_vm_x86_64.elf",
+ "trusty_test_vm_os_arm64.bin",
+ "trusty_test_vm_os_x86_64.elf",
+ "trusty_security_vm_arm64.bin",
+ "trusty_security_vm_x86_64.elf",
+ "trusty_widevine_vm_arm64.bin",
+ "trusty_widevine_vm_x86_64.elf",
+ }
+ return []Rule{
NeverAllow().
ModuleType("genrule").
- // Trusty TEE target names
- Without("name", "trusty_tee_package_goog").
- Without("name", "trusty_tee_package").
- // Trusty vm target names
- Without("name", "trusty_test_vm_arm64.bin").
- Without("name", "trusty_test_vm_x86_64.elf").
- Without("name", "trusty_test_vm_os_arm64.bin").
- Without("name", "trusty_test_vm_os_x86_64.elf").
- Without("name", "trusty_security_vm_arm64.bin").
- Without("name", "trusty_security_vm_x86_64.elf").
- Without("name", "trusty_widevine_vm_arm64.bin").
- Without("name", "trusty_widevine_vm_x86_64.elf").
- WithMatcher("dir_srcs", isSetMatcherInstance).Because(reason),
+ WithoutMatcher("name", InAllowedList(allowedModuleNameList)).
+ WithMatcher("dir_srcs", isSetMatcherInstance).Because(dirSrcsReason),
NeverAllow().
ModuleType("genrule").
- // Trusty TEE target names
- Without("name", "trusty_tee_package_goog").
- Without("name", "trusty_tee_package").
- // Trusty vm target names
- Without("name", "trusty_test_vm_arm64.bin").
- Without("name", "trusty_test_vm_x86_64.elf").
- Without("name", "trusty_test_vm_os_arm64.bin").
- Without("name", "trusty_test_vm_os_x86_64.elf").
- Without("name", "trusty_security_vm_arm64.bin").
- Without("name", "trusty_security_vm_x86_64.elf").
- Without("name", "trusty_widevine_vm_arm64.bin").
- Without("name", "trusty_widevine_vm_x86_64.elf").
- With("keep_gendir", "true").Because(reason),
+ WithoutMatcher("name", InAllowedList(allowedModuleNameList)).
+ With("keep_gendir", "true").Because(keepGendirReason),
}
}