Apply CFI include paths to all product configs.

The current VNDK ABI snapshot expects that CFI is disabled for components that either in the include paths (from cfi-common.mk) OR enabled directly in the makefile/blueprint. However, on non-arm64 architectures, the build system was only disabling CFI for vendor components in the include paths. This topic corrects it by (a) removing the include paths check to disable CFI for vendor variants, and (b) inheriting the CFI include paths in all product configs to ensure that when we update the ABI we're able to move to relying exclusively on (PRODUCT_)CFI_INCLUDE_PATHS. Bug: 66301104 Test: ABI matches for all architectures. Change-Id: I4d845cd9925354d565e06020c479cc3f7ab28f61
2018-05-28 13:38:24 -07:00 · 2018-05-28 13:38:24 -07:00 · f8d4dc5787
parent 014d1fc969
commit f8d4dc5787
4 changed files with 4 additions and 12 deletions
--- a/target/product/aosp_arm64_ab.mk
+++ b/target/product/aosp_arm64_ab.mk
@ -27,10 +27,6 @@ PRODUCT_PACKAGES += \
    update_engine \
    update_verifier

-# Enable control-flow integrity (CFI) for security sensitive components
-$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk)
-$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk)
-
 PRODUCT_NAME := aosp_arm64_ab
 PRODUCT_DEVICE := generic_arm64_ab
 PRODUCT_BRAND := Android
--- a/target/product/core_64_bit.mk
+++ b/target/product/core_64_bit.mk
@ -31,7 +31,3 @@ PRODUCT_DEFAULT_PROPERTY_OVERRIDES += ro.zygote=zygote64_32

 TARGET_SUPPORTS_32_BIT_APPS := true
 TARGET_SUPPORTS_64_BIT_APPS := true
-
-# Enable CFI for security-sensitive components
-$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk)
-$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk)
--- a/target/product/core_64_bit_only.mk
+++ b/target/product/core_64_bit_only.mk
@ -28,7 +28,3 @@ PRODUCT_DEFAULT_PROPERTY_OVERRIDES += ro.zygote=zygote64

 TARGET_SUPPORTS_32_BIT_APPS := false
 TARGET_SUPPORTS_64_BIT_APPS := true
-
-# Enable CFI for security-sensitive components
-$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk)
-$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk)
--- a/target/product/core_minimal.mk
+++ b/target/product/core_minimal.mk
@ -178,3 +178,7 @@ PRODUCT_DEFAULT_PROPERTY_OVERRIDES += \

 $(call inherit-product, $(SRC_TARGET_DIR)/product/runtime_libart.mk)
 $(call inherit-product, $(SRC_TARGET_DIR)/product/base.mk)
+
+# Enable CFI for security-sensitive components
+$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk)
+$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk)