diff options
| author | 2024-10-31 20:08:59 +0000 | |
|---|---|---|
| committer | 2025-01-28 10:25:44 -0800 | |
| commit | 64031cfed5d7e0f372cf5893d88aa73507ad5c63 (patch) | |
| tree | c7d3b7b6a1ae268a3be9bb0a1d1c488fc25563b6 /runtime/hidden_api_test.cc | |
| parent | 701bd96db052c26b1605066af7f1230b66435638 (diff) | |
Fix missing logging of core platform API violations in just-warn mode.
In one case a hiddenapi access check was done with
hiddenapi::AccessMethod::kNone for an app access, with the intention of
following it up with another "real" check that does log and applies the
enforcement policy.
However, hiddenapi::AccessMethod::kNone applied the current enforcement
policy, so the second check would always get skipped if the policy
isn't hiddenapi::EnforcementPolicy::kEnabled. That's a problem when
it's kJustWarn, because the first check won't log, and the second -
which would - is skipped.
Fix that by returning an access failure for the first check, regardless
of the policy, so that the second doesn't get skipped. The behaviour
doesn't change if the policy is kEnabled, and the second check won't do
anything if it's kDisabled, so this change only has effect when it's
kJustWarn.
Also rename kNone to the more apt kCheck.
For compatibility in other places where access checks with kNone aren't
used like above, introduce a new access method kCheckWithPolicy, which
keeps the behaviour of kNone (but with a more descriptive name). Some
of those code paths should perhaps be changed to kCheck as well, but
that's for another time.
Test: Boot and check logcat with planted API violations in system_server.
Test: 674-hiddenapi 690-hiddenapi-same-name-methods 691-hiddenapi-proxy
817-hiddenapi 822-hiddenapi-future 999-redefine-hiddenapi
2038-hiddenapi-jvmti-ext 2270-mh-internal-hiddenapi-use
on host and target
Bug: 377676642
Change-Id: I4ca70c229bd6261a78dcd68990708a318b0e7588
Diffstat (limited to 'runtime/hidden_api_test.cc')
| -rw-r--r-- | runtime/hidden_api_test.cc | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/runtime/hidden_api_test.cc b/runtime/hidden_api_test.cc index 28f1d28c1f..5a2ee55723 100644 --- a/runtime/hidden_api_test.cc +++ b/runtime/hidden_api_test.cc @@ -191,7 +191,7 @@ class HiddenApiTest : public CommonRuntimeTest { // This is only used for log messages, so its state doesn't matter. const hiddenapi::AccessContext placeholder_context(/* is_trusted= */ false); - // Choose parameters such that there are no side effects (AccessMethod::kNone) + // Choose parameters such that there are no side effects (AccessMethod::kCheck) // and that the member is not on the exemptions list (here we choose one which // is not even in boot class path). return ShouldDenyAccessToMemberImpl(/* member= */ class1_field1_, @@ -199,7 +199,7 @@ class HiddenApiTest : public CommonRuntimeTest { /* runtime_flags= */ 0, /* caller_context= */ placeholder_context, /* callee_context= */ placeholder_context, - /* access_method= */ hiddenapi::AccessMethod::kNone); + hiddenapi::AccessMethod::kCheck); } void TestLocation(const std::string& location, hiddenapi::Domain expected_domain) { |