From c35c5f982479196c86bd4b37cc51d362f81bdb23 Mon Sep 17 00:00:00 2001
From: Colin Cross <ccross@android.com>
Date: Tue, 5 Mar 2019 15:06:16 -0800
Subject: [PATCH] Add neverallow rules for java_device_for_host

java_device_for_host and java_host_for_device should rarely be
used and could cause problems if used incorrectly, so restrict them
to only the necessary projects through a neverallow whitelist.

Bug: 117920228
Test: neverallow_test.go
Change-Id: I37dce489c2fb8bca71bd46dbabaaa514bf6f7eee
Merged-In: I37dce489c2fb8bca71bd46dbabaaa514bf6f7eee
---
 android/neverallow.go      | 47 ++++++++++++++++++++++++++++++++++++++
 android/neverallow_test.go | 12 ++++++++++
 2 files changed, 59 insertions(+)

diff --git a/android/neverallow.go b/android/neverallow.go
index 18744e811..f63f46181 100644
--- a/android/neverallow.go
+++ b/android/neverallow.go
@@ -51,6 +51,7 @@ func createNeverAllows() []*rule {
 	rules := []*rule{}
 	rules = append(rules, createTrebleRules()...)
 	rules = append(rules, createLibcoreRules()...)
+	rules = append(rules, createJavaDeviceForHostRules()...)
 	return rules
 }
 
@@ -125,6 +126,20 @@ func createLibcoreRules() []*rule {
 	return rules
 }
 
+func createJavaDeviceForHostRules() []*rule {
+	javaDeviceForHostProjectsWhitelist := []string{
+		"external/robolectric-shadows",
+		"framework/layoutlib",
+	}
+
+	return []*rule{
+		neverallow().
+			notIn(javaDeviceForHostProjectsWhitelist...).
+			moduleType("java_device_for_host", "java_host_for_device").
+			because("java_device_for_host can only be used in whitelisted projects"),
+	}
+}
+
 func neverallowMutator(ctx BottomUpMutatorContext) {
 	m, ok := ctx.Module().(Module)
 	if !ok {
@@ -139,6 +154,10 @@ func neverallowMutator(ctx BottomUpMutatorContext) {
 			continue
 		}
 
+		if !n.appliesToModuleType(ctx.ModuleType()) {
+			continue
+		}
+
 		if !n.appliesToProperties(properties) {
 			continue
 		}
@@ -159,6 +178,9 @@ type rule struct {
 	paths       []string
 	unlessPaths []string
 
+	moduleTypes       []string
+	unlessModuleTypes []string
+
 	props       []ruleProperty
 	unlessProps []ruleProperty
 }
@@ -166,14 +188,27 @@ type rule struct {
 func neverallow() *rule {
 	return &rule{}
 }
+
 func (r *rule) in(path ...string) *rule {
 	r.paths = append(r.paths, cleanPaths(path)...)
 	return r
 }
+
 func (r *rule) notIn(path ...string) *rule {
 	r.unlessPaths = append(r.unlessPaths, cleanPaths(path)...)
 	return r
 }
+
+func (r *rule) moduleType(types ...string) *rule {
+	r.moduleTypes = append(r.moduleTypes, types...)
+	return r
+}
+
+func (r *rule) notModuleType(types ...string) *rule {
+	r.unlessModuleTypes = append(r.unlessModuleTypes, types...)
+	return r
+}
+
 func (r *rule) with(properties, value string) *rule {
 	r.props = append(r.props, ruleProperty{
 		fields: fieldNamesForProperties(properties),
@@ -181,6 +216,7 @@ func (r *rule) with(properties, value string) *rule {
 	})
 	return r
 }
+
 func (r *rule) without(properties, value string) *rule {
 	r.unlessProps = append(r.unlessProps, ruleProperty{
 		fields: fieldNamesForProperties(properties),
@@ -188,6 +224,7 @@ func (r *rule) without(properties, value string) *rule {
 	})
 	return r
 }
+
 func (r *rule) because(reason string) *rule {
 	r.reason = reason
 	return r
@@ -201,6 +238,12 @@ func (r *rule) String() string {
 	for _, v := range r.unlessPaths {
 		s += " -dir:" + v + "*"
 	}
+	for _, v := range r.moduleTypes {
+		s += " type:" + v
+	}
+	for _, v := range r.unlessModuleTypes {
+		s += " -type:" + v
+	}
 	for _, v := range r.props {
 		s += " " + strings.Join(v.fields, ".") + "=" + v.value
 	}
@@ -219,6 +262,10 @@ func (r *rule) appliesToPath(dir string) bool {
 	return includePath && !excludePath
 }
 
+func (r *rule) appliesToModuleType(moduleType string) bool {
+	return (len(r.moduleTypes) == 0 || InList(moduleType, r.moduleTypes)) && !InList(moduleType, r.unlessModuleTypes)
+}
+
 func (r *rule) appliesToProperties(properties []interface{}) bool {
 	includeProps := hasAllProperties(properties, r.props)
 	excludeProps := hasAnyProperty(properties, r.unlessProps)
diff --git a/android/neverallow_test.go b/android/neverallow_test.go
index 8d530874d..d55ca575c 100644
--- a/android/neverallow_test.go
+++ b/android/neverallow_test.go
@@ -148,6 +148,17 @@ var neverallowTests = []struct {
 		},
 		expectedError: "Only core libraries projects can depend on core-libart",
 	},
+	{
+		name: "java_device_for_host",
+		fs: map[string][]byte{
+			"Blueprints": []byte(`
+				java_device_for_host {
+					name: "device_for_host",
+					libs: ["core-libart"],
+				}`),
+		},
+		expectedError: "java_device_for_host can only be used in whitelisted projects",
+	},
 }
 
 func TestNeverallow(t *testing.T) {
@@ -176,6 +187,7 @@ func testNeverallow(t *testing.T, config Config, fs map[string][]byte) (*TestCon
 	ctx := NewTestContext()
 	ctx.RegisterModuleType("cc_library", ModuleFactoryAdaptor(newMockCcLibraryModule))
 	ctx.RegisterModuleType("java_library", ModuleFactoryAdaptor(newMockJavaLibraryModule))
+	ctx.RegisterModuleType("java_device_for_host", ModuleFactoryAdaptor(newMockJavaLibraryModule))
 	ctx.PostDepsMutators(registerNeverallowMutator)
 	ctx.Register()