blob: 9d32e51ba622b728de8b108799b3a712db55b21b [file] [log] [blame]
/*
* Copyright (C) 2018 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "hidden_api.h"
#include <atomic>
#include "art_field-inl.h"
#include "art_method-inl.h"
#include "base/dumpable.h"
#include "base/file_utils.h"
#include "class_root-inl.h"
#include "compat_framework.h"
#include "dex/class_accessor-inl.h"
#include "dex/dex_file_loader.h"
#include "mirror/class_ext.h"
#include "mirror/proxy.h"
#include "nativehelper/scoped_local_ref.h"
#include "oat_file.h"
#include "scoped_thread_state_change.h"
#include "stack.h"
#include "thread-inl.h"
#include "well_known_classes.h"
namespace art {
namespace hiddenapi {
// Should be the same as dalvik.system.VMRuntime.HIDE_MAXTARGETSDK_P_HIDDEN_APIS,
// dalvik.system.VMRuntime.HIDE_MAXTARGETSDK_Q_HIDDEN_APIS, and
// dalvik.system.VMRuntime.ALLOW_TEST_API_ACCESS.
// Corresponds to bug ids.
static constexpr uint64_t kHideMaxtargetsdkPHiddenApis = 149997251;
static constexpr uint64_t kHideMaxtargetsdkQHiddenApis = 149994052;
static constexpr uint64_t kAllowTestApiAccess = 166236554;
static constexpr uint64_t kMaxLogWarnings = 100;
// Should be the same as dalvik.system.VMRuntime.PREVENT_META_REFLECTION_BLOCKLIST_ACCESS.
// Corresponds to a bug id.
static constexpr uint64_t kPreventMetaReflectionBlocklistAccess = 142365358;
// Set to true if we should always print a warning in logcat for all hidden API accesses, not just
// conditionally and unconditionally blocked. This can be set to true for developer preview / beta
// builds, but should be false for public release builds.
// Note that when flipping this flag, you must also update the expectations of test 674-hiddenapi
// as it affects whether or not we warn for unsupported APIs that have been added to the exemptions
// list.
static constexpr bool kLogAllAccesses = false;
// Exemptions for logcat warning. Following signatures do not produce a warning as app developers
// should not be alerted on the usage of these unsupported APIs. See b/154851649.
static const std::vector<std::string> kWarningExemptions = {
"Ljava/nio/Buffer;",
"Llibcore/io/Memory;",
"Lsun/misc/Unsafe;",
};
static inline std::ostream& operator<<(std::ostream& os, AccessMethod value) {
switch (value) {
case AccessMethod::kNone:
LOG(FATAL) << "Internal access to hidden API should not be logged";
UNREACHABLE();
case AccessMethod::kReflection:
os << "reflection";
break;
case AccessMethod::kJNI:
os << "JNI";
break;
case AccessMethod::kLinking:
os << "linking";
break;
}
return os;
}
static inline std::ostream& operator<<(std::ostream& os, const AccessContext& value)
REQUIRES_SHARED(Locks::mutator_lock_) {
if (!value.GetClass().IsNull()) {
std::string tmp;
os << value.GetClass()->GetDescriptor(&tmp);
} else if (value.GetDexFile() != nullptr) {
os << value.GetDexFile()->GetLocation();
} else {
os << "<unknown_caller>";
}
return os;
}
static Domain DetermineDomainFromLocation(const std::string& dex_location,
ObjPtr<mirror::ClassLoader> class_loader) {
// If running with APEX, check `path` against known APEX locations.
// These checks will be skipped on target buildbots where ANDROID_ART_ROOT
// is set to "/system".
if (ArtModuleRootDistinctFromAndroidRoot()) {
if (LocationIsOnArtModule(dex_location) || LocationIsOnConscryptModule(dex_location) ||
LocationIsOnI18nModule(dex_location)) {
return Domain::kCorePlatform;
}
if (LocationIsOnApex(dex_location)) {
return Domain::kPlatform;
}
}
if (LocationIsOnSystemFramework(dex_location)) {
return Domain::kPlatform;
}
if (LocationIsOnSystemExtFramework(dex_location)) {
return Domain::kPlatform;
}
if (class_loader.IsNull()) {
if (kIsTargetBuild && !kIsTargetLinux) {
// This is unexpected only when running on Android.
LOG(WARNING) << "DexFile " << dex_location
<< " is in boot class path but is not in a known location";
}
return Domain::kPlatform;
}
return Domain::kApplication;
}
void InitializeDexFileDomain(const DexFile& dex_file, ObjPtr<mirror::ClassLoader> class_loader) {
Domain dex_domain = DetermineDomainFromLocation(dex_file.GetLocation(), class_loader);
// Assign the domain unless a more permissive domain has already been assigned.
// This may happen when DexFile is initialized as trusted.
if (IsDomainMoreTrustedThan(dex_domain, dex_file.GetHiddenapiDomain())) {
dex_file.SetHiddenapiDomain(dex_domain);
}
}
void InitializeCorePlatformApiPrivateFields() {
// The following fields in WellKnownClasses correspond to private fields in the Core Platform
// API that cannot be otherwise expressed and propagated through tooling (b/144502743).
ArtField* private_core_platform_api_fields[] = {
WellKnownClasses::java_io_FileDescriptor_descriptor,
WellKnownClasses::java_nio_Buffer_address,
WellKnownClasses::java_nio_Buffer_elementSizeShift,
WellKnownClasses::java_nio_Buffer_limit,
WellKnownClasses::java_nio_Buffer_position,
};
ScopedObjectAccess soa(Thread::Current());
for (ArtField* field : private_core_platform_api_fields) {
const uint32_t access_flags = field->GetAccessFlags();
uint32_t new_access_flags = access_flags | kAccCorePlatformApi;
DCHECK(new_access_flags != access_flags);
field->SetAccessFlags(new_access_flags);
}
}
hiddenapi::AccessContext GetReflectionCallerAccessContext(Thread* self)
REQUIRES_SHARED(Locks::mutator_lock_) {
// Walk the stack and find the first frame not from java.lang.Class,
// java.lang.invoke or java.lang.reflect. This is very expensive.
// Save this till the last.
struct FirstExternalCallerVisitor : public StackVisitor {
explicit FirstExternalCallerVisitor(Thread* thread)
: StackVisitor(thread, nullptr, StackVisitor::StackWalkKind::kIncludeInlinedFrames),
caller(nullptr) {}
bool VisitFrame() override REQUIRES_SHARED(Locks::mutator_lock_) {
ArtMethod* m = GetMethod();
if (m == nullptr) {
// Attached native thread. Assume this is *not* boot class path.
caller = nullptr;
return false;
} else if (m->IsRuntimeMethod()) {
// Internal runtime method, continue walking the stack.
return true;
}
ObjPtr<mirror::Class> declaring_class = m->GetDeclaringClass();
if (declaring_class->IsBootStrapClassLoaded()) {
if (declaring_class->IsClassClass()) {
return true;
}
// Check classes in the java.lang.invoke package. At the time of writing, the
// classes of interest are MethodHandles and MethodHandles.Lookup, but this
// is subject to change so conservatively cover the entire package.
// NB Static initializers within java.lang.invoke are permitted and do not
// need further stack inspection.
ObjPtr<mirror::Class> lookup_class = GetClassRoot<mirror::MethodHandlesLookup>();
if ((declaring_class == lookup_class || declaring_class->IsInSamePackage(lookup_class)) &&
!m->IsClassInitializer()) {
return true;
}
// Check for classes in the java.lang.reflect package, except for java.lang.reflect.Proxy.
// java.lang.reflect.Proxy does its own hidden api checks (https://r.android.com/915496),
// and walking over this frame would cause a null pointer dereference
// (e.g. in 691-hiddenapi-proxy).
ObjPtr<mirror::Class> proxy_class = GetClassRoot<mirror::Proxy>();
CompatFramework& compat_framework = Runtime::Current()->GetCompatFramework();
if (declaring_class->IsInSamePackage(proxy_class) && declaring_class != proxy_class) {
if (compat_framework.IsChangeEnabled(kPreventMetaReflectionBlocklistAccess)) {
return true;
}
}
}
caller = m;
return false;
}
ArtMethod* caller;
};
FirstExternalCallerVisitor visitor(self);
visitor.WalkStack();
// Construct AccessContext from the calling class found on the stack.
// If the calling class cannot be determined, e.g. unattached threads,
// we conservatively assume the caller is trusted.
ObjPtr<mirror::Class> caller =
(visitor.caller == nullptr) ? nullptr : visitor.caller->GetDeclaringClass();
return caller.IsNull() ? AccessContext(/* is_trusted= */ true) : AccessContext(caller);
}
namespace detail {
// Do not change the values of items in this enum, as they are written to the
// event log for offline analysis. Any changes will interfere with that analysis.
enum AccessContextFlags {
// Accessed member is a field if this bit is set, else a method
kMemberIsField = 1 << 0,
// Indicates if access was denied to the member, instead of just printing a warning.
kAccessDenied = 1 << 1,
};
MemberSignature::MemberSignature(ArtField* field) {
class_name_ = field->GetDeclaringClass()->GetDescriptor(&tmp_);
member_name_ = field->GetName();
type_signature_ = field->GetTypeDescriptor();
type_ = kField;
}
MemberSignature::MemberSignature(ArtMethod* method) {
DCHECK(method == method->GetInterfaceMethodIfProxy(kRuntimePointerSize))
<< "Caller should have replaced proxy method with interface method";
class_name_ = method->GetDeclaringClass()->GetDescriptor(&tmp_);
member_name_ = method->GetName();
type_signature_ = method->GetSignature().ToString();
type_ = kMethod;
}
MemberSignature::MemberSignature(const ClassAccessor::Field& field) {
const DexFile& dex_file = field.GetDexFile();
const dex::FieldId& field_id = dex_file.GetFieldId(field.GetIndex());
class_name_ = dex_file.GetFieldDeclaringClassDescriptor(field_id);
member_name_ = dex_file.GetFieldName(field_id);
type_signature_ = dex_file.GetFieldTypeDescriptor(field_id);
type_ = kField;
}
MemberSignature::MemberSignature(const ClassAccessor::Method& method) {
const DexFile& dex_file = method.GetDexFile();
const dex::MethodId& method_id = dex_file.GetMethodId(method.GetIndex());
class_name_ = dex_file.GetMethodDeclaringClassDescriptor(method_id);
member_name_ = dex_file.GetMethodName(method_id);
type_signature_ = dex_file.GetMethodSignature(method_id).ToString();
type_ = kMethod;
}
inline std::vector<const char*> MemberSignature::GetSignatureParts() const {
if (type_ == kField) {
return {class_name_.c_str(), "->", member_name_.c_str(), ":", type_signature_.c_str()};
} else {
DCHECK_EQ(type_, kMethod);
return {class_name_.c_str(), "->", member_name_.c_str(), type_signature_.c_str()};
}
}
bool MemberSignature::DoesPrefixMatch(const std::string& prefix) const {
size_t pos = 0;
for (const char* part : GetSignatureParts()) {
size_t count = std::min(prefix.length() - pos, strlen(part));
if (prefix.compare(pos, count, part, 0, count) == 0) {
pos += count;
} else {
return false;
}
}
// We have a complete match if all parts match (we exit the loop without
// returning) AND we've matched the whole prefix.
return pos == prefix.length();
}
bool MemberSignature::DoesPrefixMatchAny(const std::vector<std::string>& exemptions) {
for (const std::string& exemption : exemptions) {
if (DoesPrefixMatch(exemption)) {
return true;
}
}
return false;
}
void MemberSignature::Dump(std::ostream& os) const {
for (const char* part : GetSignatureParts()) {
os << part;
}
}
void MemberSignature::WarnAboutAccess(AccessMethod access_method,
hiddenapi::ApiList list,
bool access_denied) {
static std::atomic<uint64_t> log_warning_count_ = 0;
if (log_warning_count_ > kMaxLogWarnings) {
return;
}
LOG(WARNING) << "Accessing hidden " << (type_ == kField ? "field " : "method ")
<< Dumpable<MemberSignature>(*this) << " (" << list << ", " << access_method
<< (access_denied ? ", denied)" : ", allowed)");
if (access_denied && list.IsTestApi()) {
// see b/177047045 for more details about test api access getting denied
LOG(WARNING) << "If this is a platform test consider enabling "
<< "VMRuntime.ALLOW_TEST_API_ACCESS change id for this package.";
}
if (log_warning_count_ >= kMaxLogWarnings) {
LOG(WARNING) << "Reached maximum number of hidden api access warnings.";
}
++log_warning_count_;
}
bool MemberSignature::Equals(const MemberSignature& other) {
return type_ == other.type_ && class_name_ == other.class_name_ &&
member_name_ == other.member_name_ && type_signature_ == other.type_signature_;
}
bool MemberSignature::MemberNameAndTypeMatch(const MemberSignature& other) {
return member_name_ == other.member_name_ && type_signature_ == other.type_signature_;
}
void MemberSignature::LogAccessToEventLog(uint32_t sampled_value,
AccessMethod access_method,
bool access_denied) {
#ifdef ART_TARGET_ANDROID
if (access_method == AccessMethod::kLinking || access_method == AccessMethod::kNone) {
// Linking warnings come from static analysis/compilation of the bytecode
// and can contain false positives (i.e. code that is never run). We choose
// not to log these in the event log.
// None does not correspond to actual access, so should also be ignored.
return;
}
Runtime* runtime = Runtime::Current();
if (runtime->IsAotCompiler()) {
return;
}
const std::string& package_name = runtime->GetProcessPackageName();
std::ostringstream signature_str;
Dump(signature_str);
ScopedObjectAccess soa(Thread::Current());
StackHandleScope<2u> hs(soa.Self());
Handle<mirror::String> package_str =
hs.NewHandle(mirror::String::AllocFromModifiedUtf8(soa.Self(), package_name.c_str()));
if (soa.Self()->IsExceptionPending()) {
soa.Self()->ClearException();
LOG(ERROR) << "Unable to allocate string for package name which called hidden api";
}
Handle<mirror::String> signature_jstr =
hs.NewHandle(mirror::String::AllocFromModifiedUtf8(soa.Self(), signature_str.str().c_str()));
if (soa.Self()->IsExceptionPending()) {
soa.Self()->ClearException();
LOG(ERROR) << "Unable to allocate string for hidden api method signature";
}
WellKnownClasses::dalvik_system_VMRuntime_hiddenApiUsed
->InvokeStatic<'V', 'I', 'L', 'L', 'I', 'Z'>(soa.Self(),
static_cast<jint>(sampled_value),
package_str.Get(),
signature_jstr.Get(),
static_cast<jint>(access_method),
access_denied);
if (soa.Self()->IsExceptionPending()) {
soa.Self()->ClearException();
LOG(ERROR) << "Unable to report hidden api usage";
}
#else
UNUSED(sampled_value);
UNUSED(access_method);
UNUSED(access_denied);
#endif
}
void MemberSignature::NotifyHiddenApiListener(AccessMethod access_method) {
if (access_method != AccessMethod::kReflection && access_method != AccessMethod::kJNI) {
// We can only up-call into Java during reflection and JNI down-calls.
return;
}
Runtime* runtime = Runtime::Current();
if (!runtime->IsAotCompiler()) {
ScopedObjectAccess soa(Thread::Current());
StackHandleScope<2u> hs(soa.Self());
ArtField* consumer_field = WellKnownClasses::dalvik_system_VMRuntime_nonSdkApiUsageConsumer;
DCHECK(consumer_field->GetDeclaringClass()->IsInitialized());
Handle<mirror::Object> consumer_object =
hs.NewHandle(consumer_field->GetObject(consumer_field->GetDeclaringClass()));
// If the consumer is non-null, we call back to it to let it know that we
// have encountered an API that's in one of our lists.
if (consumer_object != nullptr) {
std::ostringstream member_signature_str;
Dump(member_signature_str);
Handle<mirror::String> signature_str = hs.NewHandle(
mirror::String::AllocFromModifiedUtf8(soa.Self(), member_signature_str.str().c_str()));
// FIXME: Handle OOME. For now, crash immediatelly (do not continue with a pending exception).
CHECK(signature_str != nullptr);
// Call through to Consumer.accept(String memberSignature);
WellKnownClasses::java_util_function_Consumer_accept->InvokeInterface<'V', 'L'>(
soa.Self(), consumer_object.Get(), signature_str.Get());
}
}
}
static ALWAYS_INLINE bool CanUpdateRuntimeFlags(ArtField*) { return true; }
static ALWAYS_INLINE bool CanUpdateRuntimeFlags(ArtMethod* method) {
return !method->IsIntrinsic();
}
template <typename T>
static ALWAYS_INLINE void MaybeUpdateAccessFlags(Runtime* runtime, T* member, uint32_t flag)
REQUIRES_SHARED(Locks::mutator_lock_) {
// Update the access flags unless:
// (a) `member` is an intrinsic
// (b) this is AOT compiler, as we do not want the updated access flags in the boot/app image
// (c) deduping warnings has been explicitly switched off.
if (CanUpdateRuntimeFlags(member) && !runtime->IsAotCompiler() &&
runtime->ShouldDedupeHiddenApiWarnings()) {
member->SetAccessFlags(member->GetAccessFlags() | flag);
}
}
static ALWAYS_INLINE uint32_t GetMemberDexIndex(ArtField* field) {
return field->GetDexFieldIndex();
}
static ALWAYS_INLINE uint32_t GetMemberDexIndex(ArtMethod* method)
REQUIRES_SHARED(Locks::mutator_lock_) {
// Use the non-obsolete method to avoid DexFile mismatch between
// the method index and the declaring class.
return method->GetNonObsoleteMethod()->GetDexMethodIndex();
}
static void VisitMembers(const DexFile& dex_file,
const dex::ClassDef& class_def,
const std::function<void(const ClassAccessor::Field&)>& fn_visit) {
ClassAccessor accessor(dex_file, class_def, /* parse_hiddenapi_class_data= */ true);
accessor.VisitFields(fn_visit, fn_visit);
}
static void VisitMembers(const DexFile& dex_file,
const dex::ClassDef& class_def,
const std::function<void(const ClassAccessor::Method&)>& fn_visit) {
ClassAccessor accessor(dex_file, class_def, /* parse_hiddenapi_class_data= */ true);
accessor.VisitMethods(fn_visit, fn_visit);
}
template <typename T>
uint32_t GetDexFlags(T* member) REQUIRES_SHARED(Locks::mutator_lock_) {
static_assert(std::is_same<T, ArtField>::value || std::is_same<T, ArtMethod>::value);
constexpr bool kMemberIsField = std::is_same<T, ArtField>::value;
using AccessorType = typename std::conditional<std::is_same<T, ArtField>::value,
ClassAccessor::Field,
ClassAccessor::Method>::type;
ObjPtr<mirror::Class> declaring_class = member->GetDeclaringClass();
DCHECK(!declaring_class.IsNull()) << "Attempting to access a runtime method";
ApiList flags;
DCHECK(!flags.IsValid());
// Check if the declaring class has ClassExt allocated. If it does, check if
// the pre-JVMTI redefine dex file has been set to determine if the declaring
// class has been JVMTI-redefined.
ObjPtr<mirror::ClassExt> ext(declaring_class->GetExtData());
const DexFile* original_dex = ext.IsNull() ? nullptr : ext->GetPreRedefineDexFile();
if (LIKELY(original_dex == nullptr)) {
// Class is not redefined. Find the class def, iterate over its members and
// find the entry corresponding to this `member`.
const dex::ClassDef* class_def = declaring_class->GetClassDef();
if (class_def == nullptr) {
// ClassDef is not set for proxy classes. Only their fields can ever be inspected.
DCHECK(declaring_class->IsProxyClass())
<< "Only proxy classes are expected not to have a class def";
DCHECK(kMemberIsField)
<< "Interface methods should be inspected instead of proxy class methods";
flags = ApiList::Unsupported();
} else {
uint32_t member_index = GetMemberDexIndex(member);
auto fn_visit = [&](const AccessorType& dex_member) {
if (dex_member.GetIndex() == member_index) {
flags = ApiList(dex_member.GetHiddenapiFlags());
}
};
VisitMembers(declaring_class->GetDexFile(), *class_def, fn_visit);
}
} else {
// Class was redefined using JVMTI. We have a pointer to the original dex file
// and the class def index of this class in that dex file, but the field/method
// indices are lost. Iterate over all members of the class def and find the one
// corresponding to this `member` by name and type string comparison.
// This is obviously very slow, but it is only used when non-exempt code tries
// to access a hidden member of a JVMTI-redefined class.
uint16_t class_def_idx = ext->GetPreRedefineClassDefIndex();
DCHECK_NE(class_def_idx, DexFile::kDexNoIndex16);
const dex::ClassDef& original_class_def = original_dex->GetClassDef(class_def_idx);
MemberSignature member_signature(member);
auto fn_visit = [&](const AccessorType& dex_member) {
MemberSignature cur_signature(dex_member);
if (member_signature.MemberNameAndTypeMatch(cur_signature)) {
DCHECK(member_signature.Equals(cur_signature));
flags = ApiList(dex_member.GetHiddenapiFlags());
}
};
VisitMembers(*original_dex, original_class_def, fn_visit);
}
CHECK(flags.IsValid()) << "Could not find hiddenapi flags for "
<< Dumpable<MemberSignature>(MemberSignature(member));
return flags.GetDexFlags();
}
template <typename T>
bool HandleCorePlatformApiViolation(T* member,
const AccessContext& caller_context,
AccessMethod access_method,
EnforcementPolicy policy) {
DCHECK(policy != EnforcementPolicy::kDisabled)
<< "Should never enter this function when access checks are completely disabled";
if (access_method != AccessMethod::kNone) {
LOG(WARNING) << "Core platform API violation: "
<< Dumpable<MemberSignature>(MemberSignature(member)) << " from " << caller_context
<< " using " << access_method;
// If policy is set to just warn, add kAccCorePlatformApi to access flags of
// `member` to avoid reporting the violation again next time.
if (policy == EnforcementPolicy::kJustWarn) {
MaybeUpdateAccessFlags(Runtime::Current(), member, kAccCorePlatformApi);
}
}
// Deny access if enforcement is enabled.
return policy == EnforcementPolicy::kEnabled;
}
template <typename T>
bool ShouldDenyAccessToMemberImpl(T* member, ApiList api_list, AccessMethod access_method) {
DCHECK(member != nullptr);
Runtime* runtime = Runtime::Current();
CompatFramework& compatFramework = runtime->GetCompatFramework();
EnforcementPolicy hiddenApiPolicy = runtime->GetHiddenApiEnforcementPolicy();
DCHECK(hiddenApiPolicy != EnforcementPolicy::kDisabled)
<< "Should never enter this function when access checks are completely disabled";
MemberSignature member_signature(member);
// Check for an exemption first. Exempted APIs are treated as SDK.
if (member_signature.DoesPrefixMatchAny(runtime->GetHiddenApiExemptions())) {
// Avoid re-examining the exemption list next time.
// Note this results in no warning for the member, which seems like what one would expect.
// Exemptions effectively adds new members to the public API list.
MaybeUpdateAccessFlags(runtime, member, kAccPublicApi);
return false;
}
EnforcementPolicy testApiPolicy = runtime->GetTestApiEnforcementPolicy();
bool deny_access = false;
if (hiddenApiPolicy == EnforcementPolicy::kEnabled) {
if (api_list.IsTestApi() && (testApiPolicy == EnforcementPolicy::kDisabled ||
compatFramework.IsChangeEnabled(kAllowTestApiAccess))) {
deny_access = false;
} else {
switch (api_list.GetMaxAllowedSdkVersion()) {
case SdkVersion::kP:
deny_access = compatFramework.IsChangeEnabled(kHideMaxtargetsdkPHiddenApis);
break;
case SdkVersion::kQ:
deny_access = compatFramework.IsChangeEnabled(kHideMaxtargetsdkQHiddenApis);
break;
default:
deny_access = IsSdkVersionSetAndMoreThan(runtime->GetTargetSdkVersion(),
api_list.GetMaxAllowedSdkVersion());
}
}
}
if (access_method != AccessMethod::kNone) {
// Warn if blocked signature is being accessed or it is not exempted.
if (deny_access || !member_signature.DoesPrefixMatchAny(kWarningExemptions)) {
// Print a log message with information about this class member access.
// We do this if we're about to deny access, or the app is debuggable.
if (kLogAllAccesses || deny_access || runtime->IsJavaDebuggable()) {
member_signature.WarnAboutAccess(access_method, api_list, deny_access);
}
// If there is a StrictMode listener, notify it about this violation.
member_signature.NotifyHiddenApiListener(access_method);
}
// If event log sampling is enabled, report this violation.
if (kIsTargetBuild && !kIsTargetLinux) {
uint32_t eventLogSampleRate = runtime->GetHiddenApiEventLogSampleRate();
// Assert that RAND_MAX is big enough, to ensure sampling below works as expected.
static_assert(RAND_MAX >= 0xffff, "RAND_MAX too small");
if (eventLogSampleRate != 0) {
const uint32_t sampled_value = static_cast<uint32_t>(std::rand()) & 0xffff;
if (sampled_value < eventLogSampleRate) {
member_signature.LogAccessToEventLog(sampled_value, access_method, deny_access);
}
}
}
// If this access was not denied, flag member as SDK and skip
// the warning the next time the member is accessed. Don't update for
// non-debuggable apps as this has a memory cost.
if (!deny_access && runtime->IsJavaDebuggable()) {
MaybeUpdateAccessFlags(runtime, member, kAccPublicApi);
}
}
return deny_access;
}
// Need to instantiate these.
template uint32_t GetDexFlags<ArtField>(ArtField* member);
template uint32_t GetDexFlags<ArtMethod>(ArtMethod* member);
template bool HandleCorePlatformApiViolation(ArtField* member,
const AccessContext& caller_context,
AccessMethod access_method,
EnforcementPolicy policy);
template bool HandleCorePlatformApiViolation(ArtMethod* member,
const AccessContext& caller_context,
AccessMethod access_method,
EnforcementPolicy policy);
template bool ShouldDenyAccessToMemberImpl<ArtField>(ArtField* member,
ApiList api_list,
AccessMethod access_method);
template bool ShouldDenyAccessToMemberImpl<ArtMethod>(ArtMethod* member,
ApiList api_list,
AccessMethod access_method);
} // namespace detail
template <typename T>
bool ShouldDenyAccessToMember(T* member,
const std::function<AccessContext()>& fn_get_access_context,
AccessMethod access_method) {
DCHECK(member != nullptr);
// First check if we have an explicit sdk checker installed that should be used to
// verify access. If so, make the decision based on it.
//
// This is used during off-device AOT compilation which may want to generate verification
// metadata only for a specific list of public SDKs. Note that the check here is made
// based on descriptor equality and it's aim to further restrict a symbol that would
// otherwise be resolved.
//
// The check only applies to boot classpaths dex files.
Runtime* runtime = Runtime::Current();
if (UNLIKELY(runtime->IsAotCompiler())) {
if (member->GetDeclaringClass()->IsBootStrapClassLoaded() &&
runtime->GetClassLinker()->DenyAccessBasedOnPublicSdk(member)) {
return true;
}
}
// Get the runtime flags encoded in member's access flags.
// Note: this works for proxy methods because they inherit access flags from their
// respective interface methods.
const uint32_t runtime_flags = GetRuntimeFlags(member);
// Exit early if member is public API. This flag is also set for non-boot class
// path fields/methods.
if ((runtime_flags & kAccPublicApi) != 0) {
return false;
}
// Determine which domain the caller and callee belong to.
// This can be *very* expensive. This is why ShouldDenyAccessToMember
// should not be called on every individual access.
const AccessContext caller_context = fn_get_access_context();
const AccessContext callee_context(member->GetDeclaringClass());
// Non-boot classpath callers should have exited early.
DCHECK(!callee_context.IsApplicationDomain());
// Check if the caller is always allowed to access members in the callee context.
if (caller_context.CanAlwaysAccess(callee_context)) {
return false;
}
// Check if this is platform accessing core platform. We may warn if `member` is
// not part of core platform API.
switch (caller_context.GetDomain()) {
case Domain::kApplication: {
DCHECK(!callee_context.IsApplicationDomain());
// Exit early if access checks are completely disabled.
EnforcementPolicy policy = runtime->GetHiddenApiEnforcementPolicy();
if (policy == EnforcementPolicy::kDisabled) {
return false;
}
// If this is a proxy method, look at the interface method instead.
member = detail::GetInterfaceMemberIfProxy(member);
// Decode hidden API access flags from the dex file.
// This is an O(N) operation scaling with the number of fields/methods
// in the class. Only do this on slow path and only do it once.
ApiList api_list(detail::GetDexFlags(member));
DCHECK(api_list.IsValid());
// Member is hidden and caller is not exempted. Enter slow path.
return detail::ShouldDenyAccessToMemberImpl(member, api_list, access_method);
}
case Domain::kPlatform: {
DCHECK(callee_context.GetDomain() == Domain::kCorePlatform);
// Member is part of core platform API. Accessing it is allowed.
if ((runtime_flags & kAccCorePlatformApi) != 0) {
return false;
}
// Allow access if access checks are disabled.
EnforcementPolicy policy = Runtime::Current()->GetCorePlatformApiEnforcementPolicy();
if (policy == EnforcementPolicy::kDisabled) {
return false;
}
// If this is a proxy method, look at the interface method instead.
member = detail::GetInterfaceMemberIfProxy(member);
// Access checks are not disabled, report the violation.
// This may also add kAccCorePlatformApi to the access flags of `member`
// so as to not warn again on next access.
return detail::HandleCorePlatformApiViolation(member, caller_context, access_method, policy);
}
case Domain::kCorePlatform: {
LOG(FATAL) << "CorePlatform domain should be allowed to access all domains";
UNREACHABLE();
}
}
}
// Need to instantiate these.
template bool ShouldDenyAccessToMember<ArtField>(
ArtField* member,
const std::function<AccessContext()>& fn_get_access_context,
AccessMethod access_method);
template bool ShouldDenyAccessToMember<ArtMethod>(
ArtMethod* member,
const std::function<AccessContext()>& fn_get_access_context,
AccessMethod access_method);
} // namespace hiddenapi
} // namespace art