From cd25740cba701f21a90f13fe084f2a5caf3bd596 Mon Sep 17 00:00:00 2001
From: Andreas Gampe
Date: Mon, 20 Jun 2016 17:36:49 -0700
Subject: [PATCH 1/3] Build: Add option to restrict sanitization by architecture
Add Make variable SANITIZE_ARCH to selectively sanitize binaries. This uses the "bitness," i.e., 32 or 64, to potentially filter the sanitization. By default, both are being sanitized. This can be used to create builds that lower the sanitization burden by not sanitizing "half" of the platform.
Bug: 29498013
Change-Id: I73e6d479f08a970ba912f4f63967d32f3487125f
(cherry picked from commit 0290a416c844f9a8ec953f63f199b00d36283228)
---
 core/config_sanitizers.mk | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/core/config_sanitizers.mk b/core/config_sanitizers.mk
index 26dbb7334..62807aa8d 100644
--- a/core/config_sanitizers.mk
+++ b/core/config_sanitizers.mk
@@ -24,6 +24,12 @@ ifneq ($(my_global_sanitize),)
 my_sanitize := $(my_global_sanitize)
 endif
+# Add a filter point for 32-bit vs 64-bit sanitization (to lighten the burden).
+SANITIZE_ARCH ?= 32 64
+ifeq ($(filter $(SANITIZE_ARCH),$(my_32_64_bit_suffix)),)
+ my_sanitize :=
+endif
+
 # Don't apply sanitizers to NDK code.
 ifdef LOCAL_SDK_VERSION
 my_sanitize :=
From 3d3b0c950d97d931de0b013e4ed70bb43c8162d3 Mon Sep 17 00:00:00 2001
From: Andreas Gampe
Date: Mon, 20 Jun 2016 17:46:29 -0700
Subject: [PATCH 2/3] Build: Add option to restrict sanitization by owner
Add Make variable SANITIZE_NEVER_BY_OWNER to selectively sanitize modules. By default, both are being sanitized. The value of the variable is interpreted as a space or colon separated list of owner names. This can be used to create builds that lower the sanitization burden by not sanitizing parts of the platform.
Bug: 29498013
Change-Id: Ib4412657fd38ff28a5c0863eddc2acde63c88ebb
(cherry picked from commit ea38d8e95d7daea49cc2a528d69e06a0005b31a6)
---
 core/config_sanitizers.mk | 11 +++++++++++
 1 file changed, 11 insertions(+)
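Review bot: The SANITIZE_ARCH filter added to core/config_sanitizers.mk in patch 1/3 empties `my_sanitize` without any build-time message and never validates the variable, so a mistyped value (a constructed example: `SANITIZE_ARCH=arm64`) would match neither suffix, presumably `32` or `64`, and switch sanitization off for every module with nothing in the log. Because `?=` also picks up a value from the environment, I would reject unknown words up front with `$(if $(filter-out 32 64,$(SANITIZE_ARCH)),$(error SANITIZE_ARCH accepts only 32 and/or 64))` and emit a `$(warning ...)` when the branch fires while `my_sanitize` is non-empty. The assignment also discards whatever `my_sanitize` held before the global override, which presumably includes sanitizers a module requested for itself (set outside this hunk). The owner filter in patch 2/3 and the `never` branch in patch 3/3 behave the same way, so the comment should say that the filter removes module-requested sanitizers too.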
diff --git a/core/config_sanitizers.mk b/core/config_sanitizers.mk
index 62807aa8d..f387f053a 100644
--- a/core/config_sanitizers.mk
+++ b/core/config_sanitizers.mk
@@ -30,6 +30,17 @@ ifeq ($(filter $(SANITIZE_ARCH),$(my_32_64_bit_suffix)),)
 my_sanitize :=
 endif
+# Add a filter point based on module owner (to lighten the burden). The format is a space- or
+# colon-separated list of owner names.
+ifneq (,$(SANITIZE_NEVER_BY_OWNER))
+ ifneq (,$(LOCAL_MODULE_OWNER))
+ ifneq (,$(filter $(LOCAL_MODULE_OWNER),$(subst :, ,$(SANITIZE_NEVER_BY_OWNER))))
+ $(warning Not sanitizing $(LOCAL_MODULE) based on module owner.)
+ my_sanitize :=
+ endif
+ endif
+endif
+
 # Don't apply sanitizers to NDK code.
 ifdef LOCAL_SDK_VERSION
 my_sanitize :=
From 6b30d770f025de95cb9f3f3df70d56d4d3291470 Mon Sep 17 00:00:00 2001
From: Andreas Gampe
Date: Mon, 27 Jun 2016 15:15:31 -0700
Subject: [PATCH 3/3] Build: Add module-level product configuration of sanitization
To allow special sanitizer settings for modules shared between products, add product-specific module settings. This was copied from the product-specific dexopt settings.
Bug: 29498013
Change-Id: I17a96b975bb6ac7f4ffb3d5b08e2f00b21bd97a1
(cherry picked from commit bb5454b6db5770f0b0275424148b2d7d3c52a56d)
---
 core/config_sanitizers.mk | 8 ++++++++
 core/product.mk | 12 ++++++++++++
 core/product_config.mk | 16 +++++++++++++++-
 3 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/core/config_sanitizers.mk b/core/config_sanitizers.mk
index f387f053a..10208b422 100644
--- a/core/config_sanitizers.mk
+++ b/core/config_sanitizers.mk
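Review bot: The `$(warning Not sanitizing ...)` in the owner filter of core/config_sanitizers.mk (patch 2/3) fires for every module whose owner is listed, even when `my_sanitize` is already empty, so the build log cannot be used to tell which modules actually lost a sanitizer. Wrapping the block in `ifneq (,$(my_sanitize))` and naming what is dropped, for example `$(warning Not sanitizing $(LOCAL_MODULE) (owner $(LOCAL_MODULE_OWNER)): dropping $(my_sanitize))`, would make the message usable as a record of reduced coverage. The two-line comment should also state that the match is a case-sensitive whole-word comparison of owner names and that modules without `LOCAL_MODULE_OWNER` are never exempted.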
@@ -24,6 +24,14 @@ ifneq ($(my_global_sanitize),)
 my_sanitize := $(my_global_sanitize)
 endif
+# The sanitizer specified in the product configuration wins over the previous.
+ifneq ($(SANITIZER.$(TARGET_PRODUCT).$(LOCAL_MODULE).CONFIG),)
+ my_sanitize := $(SANITIZER.$(TARGET_PRODUCT).$(LOCAL_MODULE).CONFIG)
+ ifeq ($(my_sanitize),never)
+ my_sanitize :=
+ endif
+endif
+
 # Add a filter point for 32-bit vs 64-bit sanitization (to lighten the burden).
 SANITIZE_ARCH ?= 32 64
 ifeq ($(filter $(SANITIZE_ARCH),$(my_32_64_bit_suffix)),)
diff --git a/core/product.mk b/core/product.mk
index 8f3fcb840..7dfaa1909 100644
--- a/core/product.mk
+++ b/core/product.mk
@@ -120,6 +120,7 @@ _product_var_list := \
 PRODUCT_DEX_PREOPT_MODULE_CONFIGS \
 PRODUCT_DEX_PREOPT_DEFAULT_FLAGS \
 PRODUCT_DEX_PREOPT_BOOT_FLAGS \
+ PRODUCT_SANITIZER_MODULE_CONFIGS \
 PRODUCT_SHIPPING_API_LEVEL \
 VENDOR_PRODUCT_RESTRICT_VENDOR_FILES \
 VENDOR_EXCEPTION_MODULES \
@@ -333,3 +334,14 @@ $(eval _c := $(subst $(space),$(_PDPMC_SP_PLACE_HOLDER),$(strip $(2))))\
 $(eval PRODUCT_DEX_PREOPT_MODULE_CONFIGS += \
 $(foreach m,$(1),$(m)=$(_c)))
 endef
+
+# whitespace placeholder when we record module's sanitizer config.
+_PSMC_SP_PLACE_HOLDER := |@SP@|
+# Set up sanitizer config for a module.
+# $(1) list of module names
+# $(2) the modules' sanitizer config
+define add-product-sanitizer-module-config
+$(eval _c := $(subst $(space),$(_PSMC_SP_PLACE_HOLDER),$(strip $(2))))\
+$(eval PRODUCT_SANITIZER_MODULE_CONFIGS += \
+ $(foreach m,$(1),$(m)=$(_c)))
+endef
diff --git a/core/product_config.mk b/core/product_config.mk
index a4063f1ee..f00f4cd1a 100644
--- a/core/product_config.mk
+++ b/core/product_config.mk
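Review bot: The `ifeq ($(my_sanitize),never)` test in the product-config block of core/config_sanitizers.mk (patch 3/3) recognises `never` only when it is the sole word, so a mixed value (a constructed example: `address never`) is copied into `my_sanitize` unchanged and `never` is then handled like a sanitizer name by whatever follows outside this hunk. `ifneq ($(filter never,$(my_sanitize)),)` would make the opt-out unambiguous. The comment "wins over the previous" is also incomplete, since the SANITIZE_ARCH filter visible just below it, and the owner and NDK checks placed after that by the earlier patches, can still clear the value. I would word it as `# The product configuration overrides the module and global settings; the filters below can still disable it.`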
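Review bot: `add-product-sanitizer-module-config` in the second hunk of core/product.mk does not document which values `$(2)` may take. Going by the consumer this patch adds to core/config_sanitizers.mk, `never` disables sanitizers and an empty value is indistinguishable from no entry, while the resolver in core/product_config.mk still appears to count that empty entry as the module's first setup and so masks later ones. I would extend the parameter comment to `# $(2) the modules' sanitizer config: a sanitizer list, or "never" to disable; an empty value is treated as unset`. `_PSMC_SP_PLACE_HOLDER` repeats the escaping scheme of `_PDPMC_SP_PLACE_HOLDER`, and a short comment that the macro and its resolver must use the same placeholder would help the next editor.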
@@ -390,7 +390,7 @@ PRODUCT_DEX_PREOPT_DEFAULT_FLAGS := \
 $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_DEX_PREOPT_DEFAULT_FLAGS))
 PRODUCT_DEX_PREOPT_BOOT_FLAGS := \
 $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_DEX_PREOPT_BOOT_FLAGS))
-# Resolve and setup per-module dex-preopot configs.
+# Resolve and setup per-module dex-preopt configs.
 PRODUCT_DEX_PREOPT_MODULE_CONFIGS := \
 $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_DEX_PREOPT_MODULE_CONFIGS))
 # If a module has multiple setups, the first takes precedence.
@@ -403,3 +403,17 @@ $(foreach c,$(PRODUCT_DEX_PREOPT_MODULE_CONFIGS),\
 $(eval cf := $(subst $(_PDPMC_SP_PLACE_HOLDER),$(space),$(cf)))\
 $(eval DEXPREOPT.$(TARGET_PRODUCT).$(m).CONFIG := $(cf))))
 _pdpmc_modules :=
+
+# Resolve and setup per-module sanitizer configs.
+PRODUCT_SANITIZER_MODULE_CONFIGS := \
+ $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SANITIZER_MODULE_CONFIGS))
+# If a module has multiple setups, the first takes precedence.
+_psmc_modules :=
+$(foreach c,$(PRODUCT_SANITIZER_MODULE_CONFIGS),\
+ $(eval m := $(firstword $(subst =,$(space),$(c))))\
+ $(if $(filter $(_psmc_modules),$(m)),,\
+ $(eval _psmc_modules += $(m))\
+ $(eval cf := $(patsubst $(m)=%,%,$(c)))\
+ $(eval cf := $(subst $(_PSMC_SP_PLACE_HOLDER),$(space),$(cf)))\
+ $(eval SANITIZER.$(TARGET_PRODUCT).$(m).CONFIG := $(cf))))
+_psmc_modules :=
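Review bot: In the resolver loop added at the end of core/product_config.mk, a second entry for a module already in `_psmc_modules` is discarded without a message, so when two product makefiles disagree on a module's sanitizers the build gives no hint which setting took effect. The empty then-branch of the `$(if ...)` is the natural place to report it: `$(if $(filter $(_psmc_modules),$(m)),$(warning Ignoring later sanitizer config $(c)),\`. The loop also leaves the scratch variables `m` and `cf` set afterwards; only `_psmc_modules` is cleared.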