From 427d8557280dd21f4e7848b5633f43071c9a3454 Mon Sep 17 00:00:00 2001 From: Anton Hansson Date: Tue, 5 Jun 2018 17:53:09 +0100 Subject: [PATCH] Add support enforcing all path requirements. Setting PRODUCT_ENFORCE_ARTIFACT_PATH_REQUIREMENTS to be non-empty will verify that when an inherited product file makes an path requirement claim, no files other than the ones it produces are allowed inside its paths. This allows more rigorous control of what goes where, and specifically stops accidental inclusion of modules in the wrong places (which is very easy to do otherwise). In order to enable iterative improvements to current offenders, support for a whitelist is also added (via the new PRODUCT_ARTIFACT_PATH_REQUIREMENT_WHITELIST property). Verification is done that this variable corresponds to exactly the list of current offenders. Example use: PRODUCT_ENFORCE_ARTIFACT_PATH_REQUIREMENTS := true PRODUCT_ARTIFACT_PATH_REQUIREMENT_WHITELIST := system/priv-app/Dialer/Dialer.apk Bug: 80410283 Test: In a downstream CL specifying the above. Change-Id: I58047db08bde34da21759cfc55f398892b1c809a --- core/main.mk | 11 +++++++++++ core/product.mk | 2 ++ 2 files changed, 13 insertions(+) diff --git a/core/main.mk b/core/main.mk index 01dc0c177..d831ad096 100644 --- a/core/main.mk +++ b/core/main.mk @@ -965,6 +965,17 @@ $(foreach makefile,$(ARTIFACT_PATH_REQUIREMENT_PRODUCTS),\ $(call maybe-print-list-and-error,$(offending_files),$(makefile) produces files outside its artifact path requirement.) \ $(eval unused_whitelist := $(filter-out $(files),$(whitelist_patterns))) \ $(call maybe-print-list-and-error,$(unused_whitelist),$(makefile) includes redundant whitelist entries in its artifact path requirement.) \ + $(eval ### Optionally verify that nothing else produces files inside this artifact path requirement.) \ + $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_PATH_REQUIREMENTS),\ + $(eval extra_files := $(filter-out $(files) $(HOST_OUT)/%,$(product_FILES))) \ + $(eval whitelist := $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ARTIFACT_PATH_REQUIREMENT_WHITELIST)) \ + $(eval whitelist_patterns := $(call resolve-product-relative-paths,$(whitelist))) \ + $(eval files_in_requirement := $(filter $(path_patterns),$(extra_files))) \ + $(eval offending_files := $(filter-out $(whitelist_patterns),$(files_in_requirement))) \ + $(call maybe-print-list-and-error,$(offending_files),$(INTERNAL_PRODUCT) produces files inside $(makefile)s artifact path requirement.) \ + $(eval unused_whitelist := $(filter-out $(extra_files),$(whitelist_patterns))) \ + $(call maybe-print-list-and-error,$(unused_whitelist),$(INTERNAL_PRODUCT) includes redundant artifact path requirement whitelist entries.) \ + ) \ ) ifeq (0,1) diff --git a/core/product.mk b/core/product.mk index 3cf521ab1..f22a3e5fa 100644 --- a/core/product.mk +++ b/core/product.mk @@ -198,6 +198,8 @@ _product_var_list := \ PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE \ PRODUCT_ACTIONABLE_COMPATIBLE_PROPERTY_DISABLE \ PRODUCT_USE_LOGICAL_PARTITIONS \ + PRODUCT_ENFORCE_ARTIFACT_PATH_REQUIREMENTS \ + PRODUCT_ARTIFACT_PATH_REQUIREMENT_WHITELIST \ define dump-product $(info ==== $(1) ====)\