diff --git a/core/config_sanitizers.mk b/core/config_sanitizers.mk index fce0b5a8b..8bd92486e 100644 --- a/core/config_sanitizers.mk +++ b/core/config_sanitizers.mk @@ -34,6 +34,18 @@ ifneq ($(filter integer_overflow, $(my_global_sanitize)),) endif endif +# Disable global CFI in excluded paths +ifneq ($(filter cfi, $(my_global_sanitize)),) + combined_exclude_paths := $(CFI_EXCLUDE_PATHS) \ + $(PRODUCT_CFI_EXCLUDE_PATHS) + + ifneq ($(strip $(foreach dir,$(subst $(comma),$(space),$(combined_exclude_paths)),\ + $(filter $(dir)%,$(LOCAL_PATH)))),) + my_global_sanitize := $(filter-out cfi,$(my_global_sanitize)) + my_global_sanitize_diag := $(filter-out cfi,$(my_global_sanitize_diag)) + endif +endif + ifneq ($(my_global_sanitize),) my_sanitize := $(my_global_sanitize) $(my_sanitize) endif @@ -84,6 +96,18 @@ ifeq ($(LOCAL_SANITIZE),never) my_sanitize_diag := endif +# Enable CFI in included paths. +ifeq ($(filter cfi, $(my_sanitize)),) + combined_include_paths := $(CFI_INCLUDE_PATHS) \ + $(PRODUCT_CFI_INCLUDE_PATHS) + + ifneq ($(strip $(foreach dir,$(subst $(comma),$(space),$(combined_include_paths)),\ + $(filter $(dir)%,$(LOCAL_PATH)))),) + my_sanitize := cfi $(my_sanitize) + my_sanitize_diag := cfi $(my_sanitize_diag) + endif +endif + # If CFI is disabled globally, remove it from my_sanitize. ifeq ($(strip $(ENABLE_CFI)),false) my_sanitize := $(filter-out cfi,$(my_sanitize)) diff --git a/core/product.mk b/core/product.mk index 03098b7f2..c01a856f7 100644 --- a/core/product.mk +++ b/core/product.mk @@ -146,8 +146,8 @@ _product_var_list := \ PRODUCT_MINIMIZE_JAVA_DEBUG_INFO \ PRODUCT_INTEGER_OVERFLOW_EXCLUDE_PATHS \ PRODUCT_ADB_KEYS \ - - + PRODUCT_CFI_INCLUDE_PATHS \ + PRODUCT_CFI_EXCLUDE_PATHS \ define dump-product $(info ==== $(1) ====)\ diff --git a/core/product_config.mk b/core/product_config.mk index 387903636..4e2d5aefb 100644 --- a/core/product_config.mk +++ b/core/product_config.mk @@ -472,3 +472,11 @@ ifneq ($(filter-out 0 1,$(words $(PRODUCT_ADB_KEYS))),) $(error Only one file may be in PRODUCT_ADB_KEYS: $(PRODUCT_ADB_KEYS)) endif .KATI_READONLY := PRODUCT_ADB_KEYS + +# Whether any paths are excluded from sanitization when SANITIZE_TARGET=cfi +PRODUCT_CFI_EXCLUDE_PATHS := \ + $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_CFI_EXCLUDE_PATHS)) + +# Whether any paths should have CFI enabled for components +PRODUCT_CFI_INCLUDE_PATHS := \ + $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_CFI_INCLUDE_PATHS)) diff --git a/core/soong_config.mk b/core/soong_config.mk index 41e2382d8..5ebd12311 100644 --- a/core/soong_config.mk +++ b/core/soong_config.mk @@ -90,6 +90,8 @@ $(call add_json_list, SanitizeDeviceArch, $(SANITIZE_TARGET_ARCH) $(call add_json_bool, Safestack, $(filter true,$(USE_SAFESTACK))) $(call add_json_bool, EnableCFI, $(call invert_bool,$(filter false,$(ENABLE_CFI)))) +$(call add_json_list, CFIExcludePaths, $(CFI_EXCLUDE_PATHS) $(PRODUCT_CFI_EXCLUDE_PATHS)) +$(call add_json_list, CFIIncludePaths, $(CFI_INCLUDE_PATHS) $(PRODUCT_CFI_INCLUDE_PATHS)) $(call add_json_list, IntegerOverflowExcludePaths, $(INTEGER_OVERFLOW_EXCLUDE_PATHS) $(PRODUCT_INTEGER_OVERFLOW_EXCLUDE_PATHS)) $(call add_json_bool, ClangTidy, $(filter 1 true,$(WITH_TIDY)))