Merge "Default avb_hash_algorithm to sha256 for android_filesystem modules" into main

author: Nikita Ioffe <ioffe@google.com> 2025-02-04 09:49:50 -0800
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> 2025-02-04 09:49:50 -0800
commit: 93a9c7341c217406c2f6db53e14ee7fb39d8e6fa (patch)
tree: f808cab9ca294296663813911232f32a971223dd /android/neverallow.go
parent: 0e60ed234eb2e7fe827d300ddeb12c3d7f1c74e8 (diff)
parent: 50fb49cabe70cfbde6743acb18543cd14befb7a5 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/android/neverallow.go b/android/neverallow.go
index d345ee8e4..70af2acc3 100644
--- a/android/neverallow.go
+++ b/android/neverallow.go
@@ -65,6 +65,7 @@ func init() {
 	AddNeverAllowRules(createKotlinPluginRule()...)
 	AddNeverAllowRules(createPrebuiltEtcBpDefineRule())
 	AddNeverAllowRules(createAutogenRroBpDefineRule())
+	AddNeverAllowRules(createNoSha1HashRule())
 }
 
 // Add a NeverAllow rule to the set of rules to apply.
@@ -336,6 +337,14 @@ func createFilesystemIsAutoGeneratedRule() Rule {
 		Because("is_auto_generated property is only allowed for filesystem modules in build/soong/fsgen directory")
 }
 
+func createNoSha1HashRule() Rule {
+	return NeverAllow().
+		ModuleType("filesystem", "android_filesystem").
+		ModuleType("filesystem", "android_system_image").
+		With("avb_hash_algorithm", "sha1").
+		Because("sha1 is discouraged")
+}
+
 func createKotlinPluginRule() []Rule {
 	kotlinPluginProjectsAllowedList := []string{
 		"external/kotlinc",
author	Nikita Ioffe <ioffe@google.com>	2025-02-04 09:49:50 -0800
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	2025-02-04 09:49:50 -0800
commit	93a9c7341c217406c2f6db53e14ee7fb39d8e6fa (patch)
tree	f808cab9ca294296663813911232f32a971223dd /android/neverallow.go
parent	0e60ed234eb2e7fe827d300ddeb12c3d7f1c74e8 (diff)
parent	50fb49cabe70cfbde6743acb18543cd14befb7a5 (diff)