Add neverallow rules for java_device_for_host
java_device_for_host and java_host_for_device should rarely be used and could cause problems if used incorrectly, so restrict them to only the necessary projects through a neverallow whitelist. Bug: 117920228 Test: neverallow_test.go Change-Id: I37dce489c2fb8bca71bd46dbabaaa514bf6f7eee
parent
7e3b571136
commit
fd4f743bf4
|
@ -52,6 +52,7 @@ func createNeverAllows() []*rule {
|
|||
rules = append(rules, createTrebleRules()...)
|
||||
rules = append(rules, createLibcoreRules()...)
|
||||
rules = append(rules, createMediaRules()...)
|
||||
rules = append(rules, createJavaDeviceForHostRules()...)
|
||||
return rules
|
||||
}
|
||||
|
||||
|
@ -134,6 +135,20 @@ func createMediaRules() []*rule {
|
|||
}
|
||||
}
|
||||
|
||||
func createJavaDeviceForHostRules() []*rule {
|
||||
javaDeviceForHostProjectsWhitelist := []string{
|
||||
"external/robolectric-shadows",
|
||||
"framework/layoutlib",
|
||||
}
|
||||
|
||||
return []*rule{
|
||||
neverallow().
|
||||
notIn(javaDeviceForHostProjectsWhitelist...).
|
||||
moduleType("java_device_for_host", "java_host_for_device").
|
||||
because("java_device_for_host can only be used in whitelisted projects"),
|
||||
}
|
||||
}
|
||||
|
||||
func neverallowMutator(ctx BottomUpMutatorContext) {
|
||||
m, ok := ctx.Module().(Module)
|
||||
if !ok {
|
||||
|
@ -148,6 +163,10 @@ func neverallowMutator(ctx BottomUpMutatorContext) {
|
|||
continue
|
||||
}
|
||||
|
||||
if !n.appliesToModuleType(ctx.ModuleType()) {
|
||||
continue
|
||||
}
|
||||
|
||||
if !n.appliesToProperties(properties) {
|
||||
continue
|
||||
}
|
||||
|
@ -168,6 +187,9 @@ type rule struct {
|
|||
paths []string
|
||||
unlessPaths []string
|
||||
|
||||
moduleTypes []string
|
||||
unlessModuleTypes []string
|
||||
|
||||
props []ruleProperty
|
||||
unlessProps []ruleProperty
|
||||
}
|
||||
|
@ -175,14 +197,27 @@ type rule struct {
|
|||
func neverallow() *rule {
|
||||
return &rule{}
|
||||
}
|
||||
|
||||
func (r *rule) in(path ...string) *rule {
|
||||
r.paths = append(r.paths, cleanPaths(path)...)
|
||||
return r
|
||||
}
|
||||
|
||||
func (r *rule) notIn(path ...string) *rule {
|
||||
r.unlessPaths = append(r.unlessPaths, cleanPaths(path)...)
|
||||
return r
|
||||
}
|
||||
|
||||
func (r *rule) moduleType(types ...string) *rule {
|
||||
r.moduleTypes = append(r.moduleTypes, types...)
|
||||
return r
|
||||
}
|
||||
|
||||
func (r *rule) notModuleType(types ...string) *rule {
|
||||
r.unlessModuleTypes = append(r.unlessModuleTypes, types...)
|
||||
return r
|
||||
}
|
||||
|
||||
func (r *rule) with(properties, value string) *rule {
|
||||
r.props = append(r.props, ruleProperty{
|
||||
fields: fieldNamesForProperties(properties),
|
||||
|
@ -190,6 +225,7 @@ func (r *rule) with(properties, value string) *rule {
|
|||
})
|
||||
return r
|
||||
}
|
||||
|
||||
func (r *rule) without(properties, value string) *rule {
|
||||
r.unlessProps = append(r.unlessProps, ruleProperty{
|
||||
fields: fieldNamesForProperties(properties),
|
||||
|
@ -197,6 +233,7 @@ func (r *rule) without(properties, value string) *rule {
|
|||
})
|
||||
return r
|
||||
}
|
||||
|
||||
func (r *rule) because(reason string) *rule {
|
||||
r.reason = reason
|
||||
return r
|
||||
|
@ -210,6 +247,12 @@ func (r *rule) String() string {
|
|||
for _, v := range r.unlessPaths {
|
||||
s += " -dir:" + v + "*"
|
||||
}
|
||||
for _, v := range r.moduleTypes {
|
||||
s += " type:" + v
|
||||
}
|
||||
for _, v := range r.unlessModuleTypes {
|
||||
s += " -type:" + v
|
||||
}
|
||||
for _, v := range r.props {
|
||||
s += " " + strings.Join(v.fields, ".") + "=" + v.value
|
||||
}
|
||||
|
@ -228,6 +271,10 @@ func (r *rule) appliesToPath(dir string) bool {
|
|||
return includePath && !excludePath
|
||||
}
|
||||
|
||||
func (r *rule) appliesToModuleType(moduleType string) bool {
|
||||
return (len(r.moduleTypes) == 0 || InList(moduleType, r.moduleTypes)) && !InList(moduleType, r.unlessModuleTypes)
|
||||
}
|
||||
|
||||
func (r *rule) appliesToProperties(properties []interface{}) bool {
|
||||
includeProps := hasAllProperties(properties, r.props)
|
||||
excludeProps := hasAnyProperty(properties, r.unlessProps)
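Review bot: In createJavaDeviceForHostRules the allowlist entry `"framework/layoutlib"` looks like a typo for `"frameworks/layoutlib"`; the tree layout is not visible on this page, so confirm it against the checkout. As written, the rule would presumably reject these module types in layoutlib itself while exempting anything that happens to live under a `framework/layoutlib` path. The `because(...)` text names only `java_device_for_host` although `moduleType(...)` also lists `java_host_for_device`, so a violation on the second type is reported under the wrong name; `because("java_device_for_host and java_host_for_device can only be used in whitelisted projects")` would be accurate, with the test's expectedError updated to match. Since this list is a policy exemption, a short comment above it stating why each project needs the exemption would help reviewers of later additions.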
|
||||
|
|
|
@ -159,6 +159,17 @@ var neverallowTests = []struct {
|
|||
},
|
||||
expectedError: "updatable-media includes private APIs. Use updatable_media_stubs instead.",
|
||||
},
|
||||
{
|
||||
name: "java_device_for_host",
|
||||
fs: map[string][]byte{
|
||||
"Blueprints": []byte(`
|
||||
java_device_for_host {
|
||||
name: "device_for_host",
|
||||
libs: ["core-libart"],
|
||||
}`),
|
||||
},
|
||||
expectedError: "java_device_for_host can only be used in whitelisted projects",
|
||||
},
|
||||
}
|
||||
|
||||
func TestNeverallow(t *testing.T) {
|
||||
|
@ -187,6 +198,7 @@ func testNeverallow(t *testing.T, config Config, fs map[string][]byte) (*TestCon
|
|||
ctx := NewTestContext()
|
||||
ctx.RegisterModuleType("cc_library", ModuleFactoryAdaptor(newMockCcLibraryModule))
|
||||
ctx.RegisterModuleType("java_library", ModuleFactoryAdaptor(newMockJavaLibraryModule))
|
||||
ctx.RegisterModuleType("java_device_for_host", ModuleFactoryAdaptor(newMockJavaLibraryModule))
|
||||
ctx.PostDepsMutators(registerNeverallowMutator)
|
||||
ctx.Register()
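Review bot: The added test case covers only the deny path for `java_device_for_host` declared in the root `Blueprints` file; nothing exercises `java_host_for_device`, which the rule also lists, and nothing checks that a module under an allowlisted directory is accepted. testNeverallow registers only `java_device_for_host`, so a case for the second type would also need `ctx.RegisterModuleType("java_host_for_device", ModuleFactoryAdaptor(newMockJavaLibraryModule))`. A passing case keyed on `"external/robolectric-shadows/Blueprints"` would catch a mistyped allowlist path, assuming the table can express "no error expected"; the loop that consumes neverallowTests is outside the hunks shown.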
|
||||
|
||||
|
|