openkylin
/
platform_build_soong
mirror of https://gitee.com/openkylin/platform_build_soong.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

Prevent runtime module paths being used in include_dirs 

Adds a new StartsWith(string) ValueMatcher along with
With[Out]Matcher(...) methods to support new restrictions that prevent
any paths into runtime module repositories from being added to the
include_dirs.

Test: m nothing
Bug: 35624006
Change-Id: Ib954998e5fc190d8a11a8c6ac5f810cad927aac3
This commit is contained in:
Paul Duffin 2019-07-16 14:18:22 +01:00
parent 73bf054a52
commit 2ac2befc9a
2 changed files with 91 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
android/neverallow.go
View File

@ -48,6 +48,7 @@ func registerNeverallowMutator(ctx RegisterMutatorsContext) {
var neverallows = []Rule{} var neverallows = []Rule{}
func init() { func init() {
AddNeverAllowRules(createIncludeDirsRules()...)
AddNeverAllowRules(createTrebleRules()...) AddNeverAllowRules(createTrebleRules()...)
AddNeverAllowRules(createLibcoreRules()...) AddNeverAllowRules(createLibcoreRules()...)
AddNeverAllowRules(createJavaDeviceForHostRules()...) AddNeverAllowRules(createJavaDeviceForHostRules()...)
@ -58,6 +59,42 @@ func AddNeverAllowRules(rules ...Rule) {
neverallows = append(neverallows, rules...) neverallows = append(neverallows, rules...)
} }
func createIncludeDirsRules() []Rule {
// The list of paths that cannot be referenced using include_dirs
paths := []string{
"art",
"libcore",
"libnativehelper",
"external/apache-harmony",
"external/apache-xml",
"external/boringssl",
"external/bouncycastle",
"external/conscrypt",
"external/icu",
"external/okhttp",
"external/vixl",
"external/wycheproof",
"system/core/libnativebridge",
"system/core/libnativehelper",
}
// Create a composite matcher that will match if the value starts with any of the restricted
// paths. A / is appended to the prefix to ensure that restricting path X does not affect paths
// XY.
rules := make([]Rule, 0, len(paths))
for _, path := range paths {
rule :=
NeverAllow().
WithMatcher("include_dirs", StartsWith(path+"/")).
Because("include_dirs is deprecated, all usages of '" + path + "' have been migrated" +
" to use alternate mechanisms and so can no longer be used.")
rules = append(rules, rule)
}
return rules
}
func createTrebleRules() []Rule { func createTrebleRules() []Rule {
return []Rule{ return []Rule{
NeverAllow(). NeverAllow().
@ -186,6 +223,18 @@ func (m *anyMatcher) String() string {
var anyMatcherInstance = &anyMatcher{} var anyMatcherInstance = &anyMatcher{}
type startsWithMatcher struct {
prefix string
}
func (m *startsWithMatcher) test(value string) bool {
return strings.HasPrefix(value, m.prefix)
}
func (m *startsWithMatcher) String() string {
return ".starts-with(" + m.prefix + ")"
}
type ruleProperty struct { type ruleProperty struct {
fields []string // e.x.: Vndk.Enabled fields []string // e.x.: Vndk.Enabled
matcher ValueMatcher matcher ValueMatcher
@ -203,8 +252,12 @@ type Rule interface {
With(properties, value string) Rule With(properties, value string) Rule
WithMatcher(properties string, matcher ValueMatcher) Rule
Without(properties, value string) Rule Without(properties, value string) Rule
WithoutMatcher(properties string, matcher ValueMatcher) Rule
Because(reason string) Rule Because(reason string) Rule
} }
@ -248,17 +301,25 @@ func (r *rule) NotModuleType(types ...string) Rule {
} }
func (r *rule) With(properties, value string) Rule { func (r *rule) With(properties, value string) Rule {
return r.WithMatcher(properties, selectMatcher(value))
}
func (r *rule) WithMatcher(properties string, matcher ValueMatcher) Rule {
r.props = append(r.props, ruleProperty{ r.props = append(r.props, ruleProperty{
fields: fieldNamesForProperties(properties), fields: fieldNamesForProperties(properties),
matcher: selectMatcher(value), matcher: matcher,
}) })
return r return r
} }
func (r *rule) Without(properties, value string) Rule { func (r *rule) Without(properties, value string) Rule {
return r.WithoutMatcher(properties, selectMatcher(value))
}
func (r *rule) WithoutMatcher(properties string, matcher ValueMatcher) Rule {
r.unlessProps = append(r.unlessProps, ruleProperty{ r.unlessProps = append(r.unlessProps, ruleProperty{
fields: fieldNamesForProperties(properties), fields: fieldNamesForProperties(properties),
matcher: selectMatcher(value), matcher: matcher,
}) })
return r return r
} }
@ -317,6 +378,10 @@ func (r *rule) appliesToProperties(properties []interface{}) bool {
return includeProps && !excludeProps return includeProps && !excludeProps
} }
func StartsWith(prefix string) ValueMatcher {
return &startsWithMatcher{prefix}
}
// assorted utils // assorted utils
func cleanPaths(paths []string) []string { func cleanPaths(paths []string) []string {

24
android/neverallow_test.go
View File

@ -23,6 +23,29 @@ var neverallowTests = []struct {
fs map[string][]byte fs map[string][]byte
expectedError string expectedError string
}{ }{
// include_dir rule tests
{
name: "include_dir not allowed to reference art",
fs: map[string][]byte{
"other/Blueprints": []byte(`
cc_library {
name: "libother",
include_dirs: ["art/libdexfile/include"],
}`),
},
expectedError: "all usages of 'art' have been migrated",
},
{
name: "include_dir can reference another location",
fs: map[string][]byte{
"other/Blueprints": []byte(`
cc_library {
name: "libother",
include_dirs: ["another/include"],
}`),
},
},
// Treble rule tests
{ {
name: "no vndk.enabled under vendor directory", name: "no vndk.enabled under vendor directory",
fs: map[string][]byte{ fs: map[string][]byte{
@ -217,6 +240,7 @@ func testNeverallow(t *testing.T, config Config, fs map[string][]byte) (*TestCon
} }
type mockCcLibraryProperties struct { type mockCcLibraryProperties struct {
Include_dirs []string
Vendor_available *bool Vendor_available *bool
Vndk struct { Vndk struct {