author Mathew Inwood <mathewi@google.com> 2018-03-22 11:36:47 +0000
committer Mathew Inwood <mathewi@google.com> 2018-03-23 11:43:35 +0000
commit597d7f650b0656fcb3985b01f53284717b41e5cc (patch)
tree59ba9853104427b19f2449ce547301764d22756b /runtime/runtime.cc
parent753ce1bcf458ad6c6fbb41689901943d44e7738e (diff)
More flexible API enforcement policy support.
This CL adds the ability to configure which banned API lists to enforce, defined by new enum hiddenapi::ApiEnforcementPolicy. Currently, the policy can be set at zygote fork time, but not at dex optimization time where blacklist enforcement is still assumed. As such, making the policy more strict will not work as expected yet. This will be improved in a follow up CL. Test: art tests pass Test: Device boots BUG: 73337509 (cherry-picked from commit 159f596eec01adbb5a1c9654402c137cdb943131) Change-Id: I6c319bb8a3000cb1d3c4693b4fb196e749c36d96 Merged-In: I33f9afce628a86727e400052f4d5979d3536da8c
Diffstat (limited to 'runtime/runtime.cc')
-rw-r--r--runtime/runtime.cc13
1 files changed, 9 insertions, 4 deletions
diff --git a/runtime/runtime.cc b/runtime/runtime.cc
index 7d9d3426fc..53982ae833 100644
--- a/runtime/runtime.cc
+++ b/runtime/runtime.cc
@@ -267,7 +267,7 @@ Runtime::Runtime()
oat_file_manager_(nullptr),
is_low_memory_mode_(false),
safe_mode_(false),
- do_hidden_api_checks_(false),
+ hidden_api_policy_(hiddenapi::EnforcementPolicy::kNoChecks),
pending_hidden_api_warning_(false),
dedupe_hidden_api_warnings_(true),
always_set_hidden_api_warning_flag_(false),
@@ -1196,9 +1196,14 @@ bool Runtime::Init(RuntimeArgumentMap&& runtime_options_in) {
// by default and we only enable them if:
// (a) runtime was started with a flag that enables the checks, or
// (b) Zygote forked a new process that is not exempt (see ZygoteHooks).
- do_hidden_api_checks_ = runtime_options.Exists(Opt::HiddenApiChecks);
- DCHECK(!is_zygote_ || !do_hidden_api_checks_)
- << "Zygote should not be started with hidden API checks";
+ bool do_hidden_api_checks = runtime_options.Exists(Opt::HiddenApiChecks);
+ DCHECK(!is_zygote_ || !do_hidden_api_checks);
+ // TODO pass the actual enforcement policy in, rather than just a single bit.
+ // As is, we're encoding some logic here about which specific policy to use, which would be better
+ // controlled by the framework.
+ hidden_api_policy_ = do_hidden_api_checks
+ ? hiddenapi::EnforcementPolicy::kBlacklistOnly
+ : hiddenapi::EnforcementPolicy::kNoChecks;
no_sig_chain_ = runtime_options.Exists(Opt::NoSigChain);
force_native_bridge_ = runtime_options.Exists(Opt::ForceNativeBridge);
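Review bot: The rewritten assertion `DCHECK(!is_zygote_ || !do_hidden_api_checks);` drops the message the removed lines carried, so a debug-build failure no longer says which invariant was violated; keep it as `DCHECK(!is_zygote_ || !do_hidden_api_checks) << "Zygote should not be started with hidden API checks";`. DCHECK is normally compiled out of release builds, so there the invariant is presumably not enforced at all, and a zygote started with the flag would be assigned `kBlacklistOnly` without any log line. If that state matters for how the policy is later applied at fork time, an explicit check with a warning would make it visible. The new TODO has no owner or bug reference; something like `// TODO(b/<bug id>): pass the actual enforcement policy in, rather than just a single bit.` would make the hard-coded `kBlacklistOnly` mapping easier to track until the framework controls it. Runtime::Init's body starts and continues outside this hunk.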