Merge "Support libraries (not just boot jars) that have hiddenapi"
diff --git a/cc/coverage.go b/cc/coverage.go
index 79f7d7d..cf67c9f 100644
--- a/cc/coverage.go
+++ b/cc/coverage.go
@@ -111,6 +111,8 @@
 			// Just turn off for now.
 		} else if c.useVndk() || c.hasVendorVariant() {
 			// Do not enable coverage for VNDK libraries
+		} else if c.IsStubs() {
+			// Do not enable coverage for platform stub libraries
 		} else if c.isNDKStubLibrary() {
 			// Do not enable coverage for NDK stub libraries
 		} else if c.coverage != nil {
diff --git a/cc/linker.go b/cc/linker.go
index 649185a..25aedd0 100644
--- a/cc/linker.go
+++ b/cc/linker.go
@@ -61,7 +61,7 @@
 	No_libgcc *bool
 
 	// don't link in libclang_rt.builtins-*.a
-	No_libcrt *bool
+	No_libcrt *bool `android:"arch_variant"`
 
 	// Use clang lld instead of gnu ld.
 	Use_clang_lld *bool `android:"arch_variant"`
diff --git a/cmd/merge_zips/merge_zips.go b/cmd/merge_zips/merge_zips.go
index c21da44..68fe259 100644
--- a/cmd/merge_zips/merge_zips.go
+++ b/cmd/merge_zips/merge_zips.go
@@ -66,7 +66,6 @@
 	stripDirEntries  = flag.Bool("D", false, "strip directory entries from the output zip file")
 	manifest         = flag.String("m", "", "manifest file to insert in jar")
 	pyMain           = flag.String("pm", "", "__main__.py file to insert in par")
-	entrypoint       = flag.String("e", "", "par entrypoint file to insert in par")
 	prefix           = flag.String("prefix", "", "A file to prefix to the zip file")
 	ignoreDuplicates = flag.Bool("ignore-duplicates", false, "take each entry from the first zip it exists in and don't warn")
 )
@@ -79,7 +78,7 @@
 
 func main() {
 	flag.Usage = func() {
-		fmt.Fprintln(os.Stderr, "usage: merge_zips [-jpsD] [-m manifest] [--prefix script] [-e entrypoint] [-pm __main__.py] output [inputs...]")
+		fmt.Fprintln(os.Stderr, "usage: merge_zips [-jpsD] [-m manifest] [--prefix script] [-pm __main__.py] output [inputs...]")
 		flag.PrintDefaults()
 	}
 
@@ -139,16 +138,12 @@
 		log.Fatal(errors.New("must specify -j when specifying a manifest via -m"))
 	}
 
-	if *entrypoint != "" && !*emulatePar {
-		log.Fatal(errors.New("must specify -p when specifying a entrypoint via -e"))
-	}
-
 	if *pyMain != "" && !*emulatePar {
 		log.Fatal(errors.New("must specify -p when specifying a Python __main__.py via -pm"))
 	}
 
 	// do merge
-	err = mergeZips(readers, writer, *manifest, *entrypoint, *pyMain, *sortEntries, *emulateJar, *emulatePar,
+	err = mergeZips(readers, writer, *manifest, *pyMain, *sortEntries, *emulateJar, *emulatePar,
 		*stripDirEntries, *ignoreDuplicates, []string(stripFiles), []string(stripDirs), map[string]bool(zipsToNotStrip))
 	if err != nil {
 		log.Fatal(err)
@@ -249,7 +244,7 @@
 	source zipSource
 }
 
-func mergeZips(readers []namedZipReader, writer *zip.Writer, manifest, entrypoint, pyMain string,
+func mergeZips(readers []namedZipReader, writer *zip.Writer, manifest, pyMain string,
 	sortEntries, emulateJar, emulatePar, stripDirEntries, ignoreDuplicates bool,
 	stripFiles, stripDirs []string, zipsToNotStrip map[string]bool) error {
 
@@ -289,22 +284,6 @@
 		addMapping(jar.ManifestFile, fileSource)
 	}
 
-	if entrypoint != "" {
-		buf, err := ioutil.ReadFile(entrypoint)
-		if err != nil {
-			return err
-		}
-		fh := &zip.FileHeader{
-			Name:               "entry_point.txt",
-			Method:             zip.Store,
-			UncompressedSize64: uint64(len(buf)),
-		}
-		fh.SetMode(0700)
-		fh.SetModTime(jar.DefaultTime)
-		fileSource := bufferEntry{fh, buf}
-		addMapping("entry_point.txt", fileSource)
-	}
-
 	if pyMain != "" {
 		buf, err := ioutil.ReadFile(pyMain)
 		if err != nil {
diff --git a/cmd/merge_zips/merge_zips_test.go b/cmd/merge_zips/merge_zips_test.go
index 19fa5ed..dbde270 100644
--- a/cmd/merge_zips/merge_zips_test.go
+++ b/cmd/merge_zips/merge_zips_test.go
@@ -221,7 +221,7 @@
 			out := &bytes.Buffer{}
 			writer := zip.NewWriter(out)
 
-			err := mergeZips(readers, writer, "", "", "",
+			err := mergeZips(readers, writer, "", "",
 				test.sort, test.jar, false, test.stripDirEntries, test.ignoreDuplicates,
 				test.stripFiles, test.stripDirs, test.zipsToNotStrip)
 
diff --git a/dexpreopt/dexpreopt_gen/dexpreopt_gen.go b/dexpreopt/dexpreopt_gen/dexpreopt_gen.go
index 1467a02..cc3c1f1 100644
--- a/dexpreopt/dexpreopt_gen/dexpreopt_gen.go
+++ b/dexpreopt/dexpreopt_gen/dexpreopt_gen.go
@@ -133,10 +133,10 @@
 		depFile := &bytes.Buffer{}
 
 		fmt.Fprint(depFile, `: \`+"\n")
-		for _, tool := range dexpreoptRule.Tools() {
+		for _, tool := range rule.Tools() {
 			fmt.Fprintf(depFile, `    %s \`+"\n", tool)
 		}
-		for _, input := range dexpreoptRule.Inputs() {
+		for _, input := range rule.Inputs() {
 			// Assume the rule that ran the script already has a dependency on the input file passed on the
 			// command line.
 			if input != "$1" {
diff --git a/java/aar.go b/java/aar.go
index 60fbe29..583a6fc 100644
--- a/java/aar.go
+++ b/java/aar.go
@@ -215,17 +215,17 @@
 
 	compiledOverlay = append(compiledOverlay, transitiveStaticLibs...)
 
-	if a.isLibrary {
-		// For a static library we treat all the resources equally with no overlay.
-		for _, compiledResDir := range compiledResDirs {
-			compiledRes = append(compiledRes, compiledResDir...)
-		}
-	} else if len(transitiveStaticLibs) > 0 {
+	if len(transitiveStaticLibs) > 0 {
 		// If we are using static android libraries, every source file becomes an overlay.
 		// This is to emulate old AAPT behavior which simulated library support.
 		for _, compiledResDir := range compiledResDirs {
 			compiledOverlay = append(compiledOverlay, compiledResDir...)
 		}
+	} else if a.isLibrary {
+		// Otherwise, for a static library we treat all the resources equally with no overlay.
+		for _, compiledResDir := range compiledResDirs {
+			compiledRes = append(compiledRes, compiledResDir...)
+		}
 	} else if len(compiledResDirs) > 0 {
 		// Without static libraries, the first directory is our directory, which can then be
 		// overlaid by the rest.
@@ -278,8 +278,8 @@
 			}
 		case staticLibTag:
 			if exportPackage != nil {
-				transitiveStaticLibs = append(transitiveStaticLibs, exportPackage)
 				transitiveStaticLibs = append(transitiveStaticLibs, aarDep.ExportedStaticPackages()...)
+				transitiveStaticLibs = append(transitiveStaticLibs, exportPackage)
 				staticLibManifests = append(staticLibManifests, aarDep.ExportedManifest())
 				staticRRODirs = append(staticRRODirs, aarDep.ExportedRRODirs()...)
 			}
diff --git a/java/app_test.go b/java/app_test.go
index 103f24b..317c752 100644
--- a/java/app_test.go
+++ b/java/app_test.go
@@ -164,11 +164,12 @@
 	}
 }
 
-func TestEnforceRRO(t *testing.T) {
+func TestAndroidResources(t *testing.T) {
 	testCases := []struct {
 		name                       string
 		enforceRROTargets          []string
 		enforceRROExcludedOverlays []string
+		resourceFiles              map[string][]string
 		overlayFiles               map[string][]string
 		rroDirs                    map[string][]string
 	}{
@@ -176,17 +177,29 @@
 			name:                       "no RRO",
 			enforceRROTargets:          nil,
 			enforceRROExcludedOverlays: nil,
+			resourceFiles: map[string][]string{
+				"foo":  nil,
+				"bar":  {"bar/res/res/values/strings.xml"},
+				"lib":  nil,
+				"lib2": {"lib2/res/res/values/strings.xml"},
+			},
 			overlayFiles: map[string][]string{
-				"foo": []string{
+				"foo": {
+					buildDir + "/.intermediates/lib2/android_common/package-res.apk",
 					buildDir + "/.intermediates/lib/android_common/package-res.apk",
 					"foo/res/res/values/strings.xml",
 					"device/vendor/blah/static_overlay/foo/res/values/strings.xml",
 					"device/vendor/blah/overlay/foo/res/values/strings.xml",
 				},
-				"bar": []string{
+				"bar": {
 					"device/vendor/blah/static_overlay/bar/res/values/strings.xml",
 					"device/vendor/blah/overlay/bar/res/values/strings.xml",
 				},
+				"lib": {
+					buildDir + "/.intermediates/lib2/android_common/package-res.apk",
+					"lib/res/res/values/strings.xml",
+					"device/vendor/blah/overlay/lib/res/values/strings.xml",
+				},
 			},
 			rroDirs: map[string][]string{
 				"foo": nil,
@@ -197,25 +210,38 @@
 			name:                       "enforce RRO on foo",
 			enforceRROTargets:          []string{"foo"},
 			enforceRROExcludedOverlays: []string{"device/vendor/blah/static_overlay"},
+			resourceFiles: map[string][]string{
+				"foo":  nil,
+				"bar":  {"bar/res/res/values/strings.xml"},
+				"lib":  nil,
+				"lib2": {"lib2/res/res/values/strings.xml"},
+			},
 			overlayFiles: map[string][]string{
-				"foo": []string{
+				"foo": {
+					buildDir + "/.intermediates/lib2/android_common/package-res.apk",
 					buildDir + "/.intermediates/lib/android_common/package-res.apk",
 					"foo/res/res/values/strings.xml",
 					"device/vendor/blah/static_overlay/foo/res/values/strings.xml",
 				},
-				"bar": []string{
+				"bar": {
 					"device/vendor/blah/static_overlay/bar/res/values/strings.xml",
 					"device/vendor/blah/overlay/bar/res/values/strings.xml",
 				},
+				"lib": {
+					buildDir + "/.intermediates/lib2/android_common/package-res.apk",
+					"lib/res/res/values/strings.xml",
+					"device/vendor/blah/overlay/lib/res/values/strings.xml",
+				},
 			},
 
 			rroDirs: map[string][]string{
-				"foo": []string{
+				"foo": {
 					"device/vendor/blah/overlay/foo/res",
 					// Enforce RRO on "foo" could imply RRO on static dependencies, but for now it doesn't.
 					// "device/vendor/blah/overlay/lib/res",
 				},
 				"bar": nil,
+				"lib": nil,
 			},
 		},
 		{
@@ -226,20 +252,32 @@
 				"device/vendor/blah/static_overlay/foo",
 				"device/vendor/blah/static_overlay/bar/res",
 			},
+			resourceFiles: map[string][]string{
+				"foo":  nil,
+				"bar":  {"bar/res/res/values/strings.xml"},
+				"lib":  nil,
+				"lib2": {"lib2/res/res/values/strings.xml"},
+			},
 			overlayFiles: map[string][]string{
-				"foo": []string{
+				"foo": {
+					buildDir + "/.intermediates/lib2/android_common/package-res.apk",
 					buildDir + "/.intermediates/lib/android_common/package-res.apk",
 					"foo/res/res/values/strings.xml",
 					"device/vendor/blah/static_overlay/foo/res/values/strings.xml",
 				},
-				"bar": []string{"device/vendor/blah/static_overlay/bar/res/values/strings.xml"},
+				"bar": {"device/vendor/blah/static_overlay/bar/res/values/strings.xml"},
+				"lib": {
+					buildDir + "/.intermediates/lib2/android_common/package-res.apk",
+					"lib/res/res/values/strings.xml",
+				},
 			},
 			rroDirs: map[string][]string{
-				"foo": []string{
+				"foo": {
 					"device/vendor/blah/overlay/foo/res",
 					"device/vendor/blah/overlay/lib/res",
 				},
-				"bar": []string{"device/vendor/blah/overlay/bar/res"},
+				"bar": {"device/vendor/blah/overlay/bar/res"},
+				"lib": {"device/vendor/blah/overlay/lib/res"},
 			},
 		},
 	}
@@ -254,6 +292,7 @@
 		"foo/res/res/values/strings.xml":                               nil,
 		"bar/res/res/values/strings.xml":                               nil,
 		"lib/res/res/values/strings.xml":                               nil,
+		"lib2/res/res/values/strings.xml":                              nil,
 		"device/vendor/blah/overlay/foo/res/values/strings.xml":        nil,
 		"device/vendor/blah/overlay/bar/res/values/strings.xml":        nil,
 		"device/vendor/blah/overlay/lib/res/values/strings.xml":        nil,
@@ -277,6 +316,12 @@
 			android_library {
 				name: "lib",
 				resource_dirs: ["lib/res"],
+				static_libs: ["lib2"],
+			}
+
+			android_library {
+				name: "lib2",
+				resource_dirs: ["lib2/res"],
 			}
 		`
 
@@ -294,40 +339,52 @@
 			ctx := testAppContext(config, bp, fs)
 			run(t, ctx, config)
 
-			getOverlays := func(moduleName string) ([]string, []string) {
-				module := ctx.ModuleForTests(moduleName, "android_common")
-				overlayFile := module.MaybeOutput("aapt2/overlay.list")
-				var overlayFiles []string
-				if overlayFile.Rule != nil {
-					for _, o := range overlayFile.Inputs.Strings() {
-						overlayOutput := module.MaybeOutput(o)
-						if overlayOutput.Rule != nil {
-							// If the overlay is compiled as part of this module (i.e. a .arsc.flat file),
-							// verify the inputs to the .arsc.flat rule.
-							overlayFiles = append(overlayFiles, overlayOutput.Inputs.Strings()...)
-						} else {
-							// Otherwise, verify the full path to the output of the other module
-							overlayFiles = append(overlayFiles, o)
-						}
+			resourceListToFiles := func(module android.TestingModule, list []string) (files []string) {
+				for _, o := range list {
+					res := module.MaybeOutput(o)
+					if res.Rule != nil {
+						// If the overlay is compiled as part of this module (i.e. a .arsc.flat file),
+						// verify the inputs to the .arsc.flat rule.
+						files = append(files, res.Inputs.Strings()...)
+					} else {
+						// Otherwise, verify the full path to the output of the other module
+						files = append(files, o)
 					}
 				}
-
-				rroDirs := module.Module().(*AndroidApp).rroDirs.Strings()
-
-				return overlayFiles, rroDirs
+				return files
 			}
 
-			apps := []string{"foo", "bar"}
-			for _, app := range apps {
-				overlayFiles, rroDirs := getOverlays(app)
-
-				if !reflect.DeepEqual(overlayFiles, testCase.overlayFiles[app]) {
-					t.Errorf("expected %s overlay files:\n  %#v\n got:\n  %#v",
-						app, testCase.overlayFiles[app], overlayFiles)
+			getResources := func(moduleName string) (resourceFiles, overlayFiles, rroDirs []string) {
+				module := ctx.ModuleForTests(moduleName, "android_common")
+				resourceList := module.MaybeOutput("aapt2/res.list")
+				if resourceList.Rule != nil {
+					resourceFiles = resourceListToFiles(module, resourceList.Inputs.Strings())
 				}
-				if !reflect.DeepEqual(rroDirs, testCase.rroDirs[app]) {
+				overlayList := module.MaybeOutput("aapt2/overlay.list")
+				if overlayList.Rule != nil {
+					overlayFiles = resourceListToFiles(module, overlayList.Inputs.Strings())
+				}
+
+				rroDirs = module.Module().(AndroidLibraryDependency).ExportedRRODirs().Strings()
+
+				return resourceFiles, overlayFiles, rroDirs
+			}
+
+			modules := []string{"foo", "bar", "lib", "lib2"}
+			for _, module := range modules {
+				resourceFiles, overlayFiles, rroDirs := getResources(module)
+
+				if !reflect.DeepEqual(resourceFiles, testCase.resourceFiles[module]) {
+					t.Errorf("expected %s resource files:\n  %#v\n got:\n  %#v",
+						module, testCase.resourceFiles[module], resourceFiles)
+				}
+				if !reflect.DeepEqual(overlayFiles, testCase.overlayFiles[module]) {
+					t.Errorf("expected %s overlay files:\n  %#v\n got:\n  %#v",
+						module, testCase.overlayFiles[module], overlayFiles)
+				}
+				if !reflect.DeepEqual(rroDirs, testCase.rroDirs[module]) {
 					t.Errorf("expected %s rroDirs:  %#v\n got:\n  %#v",
-						app, testCase.rroDirs[app], rroDirs)
+						module, testCase.rroDirs[module], rroDirs)
 				}
 			}
 		})
diff --git a/java/prebuilt_apis.go b/java/prebuilt_apis.go
index 49cc931..02b9b45 100644
--- a/java/prebuilt_apis.go
+++ b/java/prebuilt_apis.go
@@ -103,19 +103,25 @@
 	mctx.CreateModule(android.ModuleFactoryAdaptor(android.FileGroupFactory), &filegroupProps)
 }
 
-func prebuiltSdkStubs(mctx android.TopDownMutatorContext) {
+func getPrebuiltFiles(mctx android.TopDownMutatorContext, name string) []string {
 	mydir := mctx.ModuleDir() + "/"
-	// <apiver>/<scope>/<module>.jar
 	var files []string
 	for _, apiver := range mctx.Module().(*prebuiltApis).properties.Api_dirs {
 		for _, scope := range []string{"public", "system", "test", "core"} {
-			vfiles, err := mctx.GlobWithDeps(mydir+apiver+"/"+scope+"*/*.jar", nil)
+			vfiles, err := mctx.GlobWithDeps(mydir+apiver+"/"+scope+"/"+name, nil)
 			if err != nil {
-				mctx.ModuleErrorf("failed to glob jar files under %q: %s", mydir+apiver+"/"+scope, err)
+				mctx.ModuleErrorf("failed to glob %s files under %q: %s", name, mydir+apiver+"/"+scope, err)
 			}
 			files = append(files, vfiles...)
 		}
 	}
+	return files
+}
+
+func prebuiltSdkStubs(mctx android.TopDownMutatorContext) {
+	mydir := mctx.ModuleDir() + "/"
+	// <apiver>/<scope>/<module>.jar
+	files := getPrebuiltFiles(mctx, "*.jar")
 
 	for _, f := range files {
 		// create a Import module for each jar file
@@ -128,10 +134,8 @@
 func prebuiltApiFiles(mctx android.TopDownMutatorContext) {
 	mydir := mctx.ModuleDir() + "/"
 	// <apiver>/<scope>/api/<module>.txt
-	files, err := mctx.GlobWithDeps(mydir+"*/*/api/*.txt", nil)
-	if err != nil {
-		mctx.ModuleErrorf("failed to glob api txt files under %q: %s", mydir, err)
-	}
+	files := getPrebuiltFiles(mctx, "api/*.txt")
+
 	if len(files) == 0 {
 		mctx.ModuleErrorf("no api file found under %q", mydir)
 	}
@@ -161,6 +165,7 @@
 			strings.Compare(apiver, info.apiver) > 0) {
 			info.apiver = apiver
 			info.path = localPath
+			m[key] = info
 		}
 	}
 	// create filegroups for the latest version of (<module>, <scope>) pairs
diff --git a/python/builder.go b/python/builder.go
index cbbe56e..e277bfd 100644
--- a/python/builder.go
+++ b/python/builder.go
@@ -54,15 +54,14 @@
 
 	embeddedPar = pctx.AndroidStaticRule("embeddedPar",
 		blueprint.RuleParams{
-			// `echo -n` to trim the newline, since the python code just wants the name.
-			// /bin/sh (used by ninja) on Mac turns off posix mode, and stops supporting -n.
-			// Explicitly use bash instead.
-			Command: `/bin/bash -c "echo -n '$main' > $entryPoint" &&` +
-				`$mergeParCmd -p --prefix $launcher -e $entryPoint $out $srcsZips && ` +
-				`chmod +x $out && (rm -f $entryPoint)`,
-			CommandDeps: []string{"$mergeParCmd"},
+			// `echo -n` to trim the newline, since the python code just wants the name
+			Command: `rm -f $out.main && ` +
+				`sed 's/ENTRY_POINT/$main/' build/soong/python/scripts/main.py >$out.main &&` +
+				`$mergeParCmd -p -pm $out.main --prefix $launcher $out $srcsZips && ` +
+				`chmod +x $out && rm -rf $out.main`,
+			CommandDeps: []string{"$mergeParCmd", "$parCmd", "build/soong/python/scripts/main.py"},
 		},
-		"main", "entryPoint", "srcsZips", "launcher")
+		"main", "srcsZips", "launcher")
 )
 
 func init() {
@@ -108,19 +107,15 @@
 		// added launcherPath to the implicits Ninja dependencies.
 		implicits = append(implicits, launcherPath.Path())
 
-		// .intermediate output path for entry_point.txt
-		entryPoint := android.PathForModuleOut(ctx, entryPointFile).String()
-
 		ctx.Build(pctx, android.BuildParams{
 			Rule:        embeddedPar,
 			Description: "embedded python archive",
 			Output:      binFile,
 			Implicits:   implicits,
 			Args: map[string]string{
-				"main":       strings.Replace(strings.TrimSuffix(main, pyExt), "/", ".", -1),
-				"entryPoint": entryPoint,
-				"srcsZips":   strings.Join(srcsZips.Strings(), " "),
-				"launcher":   launcherPath.String(),
+				"main":     strings.Replace(strings.TrimSuffix(main, pyExt), "/", ".", -1),
+				"srcsZips": strings.Join(srcsZips.Strings(), " "),
+				"launcher": launcherPath.String(),
 			},
 		})
 	}
diff --git a/python/scripts/main.py b/python/scripts/main.py
new file mode 100644
index 0000000..225dbe4
--- /dev/null
+++ b/python/scripts/main.py
@@ -0,0 +1,12 @@
+import runpy
+import sys
+
+sys.argv[0] = __loader__.archive
+
+# Set sys.executable to None. The real executable is available as
+# sys.argv[0], and too many things assume sys.executable is a regular Python
+# binary, which isn't available. By setting it to None we get clear errors
+# when people try to use it.
+sys.executable = None
+
+runpy._run_module_as_main("ENTRY_POINT", alter_argv=False)
diff --git a/ui/build/path.go b/ui/build/path.go
index ee72cfd..0e1c02c 100644
--- a/ui/build/path.go
+++ b/ui/build/path.go
@@ -147,11 +147,10 @@
 
 	myPath, _ = filepath.Abs(myPath)
 
-	// Use the toybox prebuilts on linux
-	if runtime.GOOS == "linux" {
-		toyboxPath, _ := filepath.Abs("prebuilts/build-tools/toybox/linux-x86")
-		myPath = toyboxPath + string(os.PathListSeparator) + myPath
-	}
+	// We put some prebuilts in $PATH, since it's infeasible to add dependencies for all of
+	// them.
+	prebuiltsPath, _ := filepath.Abs("prebuilts/build-tools/path/" + runtime.GOOS + "-x86")
+	myPath = prebuiltsPath + string(os.PathListSeparator) + myPath
 
 	config.Environment().Set("PATH", myPath)
 	config.pathReplaced = true
diff --git a/ui/build/paths/config.go b/ui/build/paths/config.go
index b9713fe..d4922f3 100644
--- a/ui/build/paths/config.go
+++ b/ui/build/paths/config.go
@@ -26,9 +26,9 @@
 	// Whether to exit with an error instead of invoking the underlying tool.
 	Error bool
 
-	// Whether we use a toybox prebuilt for this tool. Since we don't have
-	// toybox for Darwin, we'll use the host version instead.
-	Toybox bool
+	// Whether we use a linux-specific prebuilt for this tool. On Darwin,
+	// we'll allow the host executable instead.
+	LinuxOnlyPrebuilt bool
 }
 
 var Allowed = PathConfig{
@@ -59,11 +59,11 @@
 	Error:   true,
 }
 
-var Toybox = PathConfig{
-	Symlink: false,
-	Log:     true,
-	Error:   true,
-	Toybox:  true,
+var LinuxOnlyPrebuilt = PathConfig{
+	Symlink:           false,
+	Log:               true,
+	Error:             true,
+	LinuxOnlyPrebuilt: true,
 }
 
 func GetConfig(name string) PathConfig {
@@ -101,7 +101,6 @@
 	"python3":   Allowed,
 	"realpath":  Allowed,
 	"rsync":     Allowed,
-	"sed":       Allowed,
 	"sh":        Allowed,
 	"tar":       Allowed,
 	"timeout":   Allowed,
@@ -126,57 +125,57 @@
 	"pkg-config": Forbidden,
 
 	// On Linux we'll use the toybox versions of these instead.
-	"awk":       Toybox, // Strictly one-true-awk, but...
-	"basename":  Toybox,
-	"cat":       Toybox,
-	"chmod":     Toybox,
-	"cmp":       Toybox,
-	"cp":        Toybox,
-	"comm":      Toybox,
-	"cut":       Toybox,
-	"dirname":   Toybox,
-	"du":        Toybox,
-	"echo":      Toybox,
-	"env":       Toybox,
-	"expr":      Toybox,
-	"head":      Toybox,
-	"getconf":   Toybox,
-	"hostname":  Toybox,
-	"id":        Toybox,
-	"ln":        Toybox,
-	"ls":        Toybox,
-	"md5sum":    Toybox,
-	"mkdir":     Toybox,
-	"mktemp":    Toybox,
-	"mv":        Toybox,
-	"od":        Toybox,
-	"paste":     Toybox,
-	"pgrep":     Toybox,
-	"pkill":     Toybox,
-	"ps":        Toybox,
-	"pwd":       Toybox,
-	"readlink":  Toybox,
-	"rm":        Toybox,
-	"rmdir":     Toybox,
-	"setsid":    Toybox,
-	"sha1sum":   Toybox,
-	"sha256sum": Toybox,
-	"sha512sum": Toybox,
-	"sleep":     Toybox,
-	"sort":      Toybox,
-	"stat":      Toybox,
-	"tail":      Toybox,
-	"tee":       Toybox,
-	"touch":     Toybox,
-	"true":      Toybox,
-	"uname":     Toybox,
-	"uniq":      Toybox,
-	"unix2dos":  Toybox,
-	"wc":        Toybox,
-	"whoami":    Toybox,
-	"which":     Toybox,
-	"xargs":     Toybox,
-	"xxd":       Toybox,
+	"basename":  LinuxOnlyPrebuilt,
+	"cat":       LinuxOnlyPrebuilt,
+	"chmod":     LinuxOnlyPrebuilt,
+	"cmp":       LinuxOnlyPrebuilt,
+	"cp":        LinuxOnlyPrebuilt,
+	"comm":      LinuxOnlyPrebuilt,
+	"cut":       LinuxOnlyPrebuilt,
+	"dirname":   LinuxOnlyPrebuilt,
+	"du":        LinuxOnlyPrebuilt,
+	"echo":      LinuxOnlyPrebuilt,
+	"env":       LinuxOnlyPrebuilt,
+	"expr":      LinuxOnlyPrebuilt,
+	"head":      LinuxOnlyPrebuilt,
+	"getconf":   LinuxOnlyPrebuilt,
+	"hostname":  LinuxOnlyPrebuilt,
+	"id":        LinuxOnlyPrebuilt,
+	"ln":        LinuxOnlyPrebuilt,
+	"ls":        LinuxOnlyPrebuilt,
+	"md5sum":    LinuxOnlyPrebuilt,
+	"mkdir":     LinuxOnlyPrebuilt,
+	"mktemp":    LinuxOnlyPrebuilt,
+	"mv":        LinuxOnlyPrebuilt,
+	"od":        LinuxOnlyPrebuilt,
+	"paste":     LinuxOnlyPrebuilt,
+	"pgrep":     LinuxOnlyPrebuilt,
+	"pkill":     LinuxOnlyPrebuilt,
+	"ps":        LinuxOnlyPrebuilt,
+	"pwd":       LinuxOnlyPrebuilt,
+	"readlink":  LinuxOnlyPrebuilt,
+	"rm":        LinuxOnlyPrebuilt,
+	"rmdir":     LinuxOnlyPrebuilt,
+	"sed":       LinuxOnlyPrebuilt,
+	"setsid":    LinuxOnlyPrebuilt,
+	"sha1sum":   LinuxOnlyPrebuilt,
+	"sha256sum": LinuxOnlyPrebuilt,
+	"sha512sum": LinuxOnlyPrebuilt,
+	"sleep":     LinuxOnlyPrebuilt,
+	"sort":      LinuxOnlyPrebuilt,
+	"stat":      LinuxOnlyPrebuilt,
+	"tail":      LinuxOnlyPrebuilt,
+	"tee":       LinuxOnlyPrebuilt,
+	"touch":     LinuxOnlyPrebuilt,
+	"true":      LinuxOnlyPrebuilt,
+	"uname":     LinuxOnlyPrebuilt,
+	"uniq":      LinuxOnlyPrebuilt,
+	"unix2dos":  LinuxOnlyPrebuilt,
+	"wc":        LinuxOnlyPrebuilt,
+	"whoami":    LinuxOnlyPrebuilt,
+	"which":     LinuxOnlyPrebuilt,
+	"xargs":     LinuxOnlyPrebuilt,
+	"xxd":       LinuxOnlyPrebuilt,
 }
 
 func init() {
@@ -185,10 +184,10 @@
 		Configuration["sw_vers"] = Allowed
 		Configuration["xcrun"] = Allowed
 
-		// We don't have toybox prebuilts for darwin, so allow the
-		// host versions.
+		// We don't have darwin prebuilts for some tools (like toybox),
+		// so allow the host versions.
 		for name, config := range Configuration {
-			if config.Toybox {
+			if config.LinuxOnlyPrebuilt {
 				Configuration[name] = Allowed
 			}
 		}