diff options
| author | 2019-02-28 15:04:14 +0000 | |
|---|---|---|
| committer | 2019-03-05 15:17:01 +0000 | |
| commit | e7e26d10a7a1446b42c00104b162bf07e7c01a04 (patch) | |
| tree | fb571d4903a499d9effae5940440af5159b8548e | |
| parent | 815d5e5304a5b57db64d6829813a14e464d5c55f (diff) | |
Assign non-runtime /apex/* dex files to platform domain
Until now only /system/framework and /apex/com.android.runtime were
known locations, assigning "platform" domain to the former and
"core-platform" domain to the latter. The media and conscrypt modules
were left in the "application" domain.
This patch adds a hardcoded path to the apex root and assigns all dex
files in subdirectories to the "platform" domain. This affects both
conscrypt and media modules.
Any other dex files on boot classpath are also assigned to "platform"
on first access. A warning is printed in such case and it is now deduped
to avoid logspam.
Bug: 125701194
Bug: 119068555
Test: compiles, boots, no conscrypt/media warnings about missing domain
Test: art/test.py -b -r -t 674
Change-Id: I33bef18459741095d3d99b541fc88b21cf547800
| -rw-r--r-- | libartbase/base/file_utils.cc | 11 | ||||
| -rw-r--r-- | libartbase/base/file_utils.h | 5 | ||||
| -rw-r--r-- | libdexfile/dex/art_dex_file_loader.cc | 8 | ||||
| -rw-r--r-- | libdexfile/dex/dex_file.h | 7 | ||||
| -rw-r--r-- | openjdkjvmti/fixed_up_dex_file.cc | 2 | ||||
| -rw-r--r-- | runtime/hidden_api.h | 5 |
6 files changed, 27 insertions, 11 deletions
diff --git a/libartbase/base/file_utils.cc b/libartbase/base/file_utils.cc index 2436e4528a..9e49d05c7e 100644 --- a/libartbase/base/file_utils.cc +++ b/libartbase/base/file_utils.cc @@ -65,6 +65,9 @@ namespace art { using android::base::StringPrintf; static constexpr const char* kClassesDex = "classes.dex"; +static constexpr const char* kApexDefaultPath = "/apex/"; +static constexpr const char* kRuntimeApexEnvVar = "ANDROID_RUNTIME_ROOT"; +static constexpr const char* kRuntimeApexDefaultPath = "/apex/com.android.runtime"; bool ReadFileToString(const std::string& file_name, std::string* result) { File file(file_name, O_RDONLY, false); @@ -284,8 +287,8 @@ std::string ReplaceFileExtension(const std::string& filename, const std::string& bool LocationIsOnRuntimeModule(const char* full_path) { std::string error_msg; - const char* runtime_path = GetAndroidDirSafe("ANDROID_RUNTIME_ROOT", - "/apex/com.android.runtime", + const char* runtime_path = GetAndroidDirSafe(kRuntimeApexEnvVar, + kRuntimeApexDefaultPath, &error_msg); if (runtime_path == nullptr) { return false; @@ -293,6 +296,10 @@ bool LocationIsOnRuntimeModule(const char* full_path) { return android::base::StartsWith(full_path, runtime_path); } +bool LocationIsOnApex(const char* full_path) { + return android::base::StartsWith(full_path, kApexDefaultPath); +} + bool LocationIsOnSystem(const char* path) { #ifdef _WIN32 UNUSED(path); diff --git a/libartbase/base/file_utils.h b/libartbase/base/file_utils.h index c8eca59c12..88dcbea05d 100644 --- a/libartbase/base/file_utils.h +++ b/libartbase/base/file_utils.h @@ -75,7 +75,7 @@ std::string GetVdexFilename(const std::string& oat_filename); // ReplaceFileExtension("foo", "abc") == "foo.abc" std::string ReplaceFileExtension(const std::string& filename, const std::string& new_extension); -// Return whether the location is on apex/com.android.runtime +// Return whether the location is on /apex/com.android.runtime bool LocationIsOnRuntimeModule(const char* location); // Return whether the location is on system (i.e. android root). @@ -84,6 +84,9 @@ bool LocationIsOnSystem(const char* location); // Return whether the location is on system/framework (i.e. android_root/framework). bool LocationIsOnSystemFramework(const char* location); +// Return whether the location is on /apex/. +bool LocationIsOnApex(const char* location); + // dup(2), except setting the O_CLOEXEC flag atomically, when possible. int DupCloexec(int fd); diff --git a/libdexfile/dex/art_dex_file_loader.cc b/libdexfile/dex/art_dex_file_loader.cc index 7e93639a4a..180ed7b32e 100644 --- a/libdexfile/dex/art_dex_file_loader.cc +++ b/libdexfile/dex/art_dex_file_loader.cc @@ -544,10 +544,12 @@ std::unique_ptr<DexFile> ArtDexFileLoader::OpenCommon(const uint8_t* base, // Location can contain multidex suffix, so fetch its canonical version. Note // that this will call `realpath`. std::string path = DexFileLoader::GetDexCanonicalLocation(location.c_str()); - if (LocationIsOnSystemFramework(path.c_str())) { - dex_file->SetHiddenapiDomain(hiddenapi::Domain::kPlatform); - } else if (LocationIsOnRuntimeModule(path.c_str())) { + if (LocationIsOnRuntimeModule(path.c_str())) { dex_file->SetHiddenapiDomain(hiddenapi::Domain::kCorePlatform); + } else if (LocationIsOnApex(path.c_str()) || LocationIsOnSystemFramework(path.c_str())) { + dex_file->SetHiddenapiDomain(hiddenapi::Domain::kPlatform); + } else { + dex_file->SetHiddenapiDomain(hiddenapi::Domain::kApplication); } } return dex_file; diff --git a/libdexfile/dex/dex_file.h b/libdexfile/dex/dex_file.h index 4dae1c055c..8a96123253 100644 --- a/libdexfile/dex/dex_file.h +++ b/libdexfile/dex/dex_file.h @@ -756,7 +756,7 @@ class DexFile { ALWAYS_INLINE const CompactDexFile* AsCompactDexFile() const; hiddenapi::Domain GetHiddenapiDomain() const { return hiddenapi_domain_; } - void SetHiddenapiDomain(hiddenapi::Domain value) { hiddenapi_domain_ = value; } + void SetHiddenapiDomain(hiddenapi::Domain value) const { hiddenapi_domain_ = value; } bool IsInMainSection(const void* addr) const { return Begin() <= addr && addr < Begin() + Size(); @@ -870,7 +870,10 @@ class DexFile { // If the dex file is a compact dex file. If false then the dex file is a standard dex file. const bool is_compact_dex_; - hiddenapi::Domain hiddenapi_domain_; + // The domain this dex file belongs to for hidden API access checks. + // It is decleared `mutable` because the domain is assigned after the DexFile + // has been created and can be changed later by the runtime. + mutable hiddenapi::Domain hiddenapi_domain_; friend class DexFileLoader; friend class DexFileVerifierTest; diff --git a/openjdkjvmti/fixed_up_dex_file.cc b/openjdkjvmti/fixed_up_dex_file.cc index da7eef963d..e8b34354a6 100644 --- a/openjdkjvmti/fixed_up_dex_file.cc +++ b/openjdkjvmti/fixed_up_dex_file.cc @@ -148,7 +148,7 @@ std::unique_ptr<FixedUpDexFile> FixedUpDexFile::Create(const art::DexFile& origi return nullptr; } - const_cast<art::DexFile*>(new_dex_file.get())->SetHiddenapiDomain(original.GetHiddenapiDomain()); + new_dex_file->SetHiddenapiDomain(original.GetHiddenapiDomain()); DoDexUnquicken(*new_dex_file, original); diff --git a/runtime/hidden_api.h b/runtime/hidden_api.h index c4f7cbfa79..0a403411e4 100644 --- a/runtime/hidden_api.h +++ b/runtime/hidden_api.h @@ -106,8 +106,9 @@ class AccessContext { Domain dex_domain = dex_file->GetHiddenapiDomain(); if (class_loader.IsNull() && dex_domain == Domain::kApplication) { - // LOG(WARNING) << "DexFile " << dex_file->GetLocation() << " is in boot classpath " - // << "but is assigned untrusted domain"; + LOG(WARNING) << "DexFile " << dex_file->GetLocation() + << " is in boot classpath but is assigned the application domain"; + dex_file->SetHiddenapiDomain(Domain::kPlatform); dex_domain = Domain::kPlatform; } return dex_domain; |