Merge "Refactor Trusty neverallow rules for clarity" into main

1 files changed, 32 insertions, 31 deletions

diff --git a/android/neverallow.go b/android/neverallow.go
index e67619ae2..eca8eb36d 100644
--- a/android/neverallow.go
+++ b/android/neverallow.go
@@ -60,7 +60,8 @@ func init() {
 	AddNeverAllowRules(createCcStubsRule())
 	AddNeverAllowRules(createProhibitHeaderOnlyRule())
 	AddNeverAllowRules(createLimitNdkExportRule()...)
-	AddNeverAllowRules(createLimitDirgroupRule()...)
+	AddNeverAllowRules(createLimitDirgroupRules()...)
+	AddNeverAllowRules(createLimitGenruleRules()...)
 	AddNeverAllowRules(createFilesystemIsAutoGeneratedRule())
 	AddNeverAllowRules(createKotlinPluginRule()...)
 	AddNeverAllowRules(createPrebuiltEtcBpDefineRule())
@@ -287,45 +288,45 @@ func createLimitNdkExportRule() []Rule {
 	}
 }
 
-func createLimitDirgroupRule() []Rule {
-	reason := "dirgroup module and dir_srcs / keep_gendir property of genrule is allowed only to Trusty build rule."
+func createLimitDirgroupRules() []Rule {
+	reason := "The dirgroup module can only be used with Trusty visibility"
+	scriptsDirsList := []string{"//trusty/vendor/google/aosp/scripts", "//trusty/vendor/google/proprietary/scripts"}
 	return []Rule{
 		NeverAllow().
 			ModuleType("dirgroup").
-			WithMatcher("visibility", NotInList([]string{"//trusty/vendor/google/aosp/scripts", "//trusty/vendor/google/proprietary/scripts"})).Because(reason),
+			WithMatcher("visibility", NotInList(scriptsDirsList)).Because(reason),
 		NeverAllow().
 			ModuleType("dirgroup").
-			WithoutMatcher("visibility", InAllowedList([]string{"//trusty/vendor/google/aosp/scripts", "//trusty/vendor/google/proprietary/scripts"})).Because(reason),
+			WithoutMatcher("visibility", InAllowedList(scriptsDirsList)).Because(reason),
+	}
+}
+
+func createLimitGenruleRules() []Rule {
+	dirSrcsReason := "The `dir_srcs` property in a `genrule` module can only be used by Trusty"
+	keepGendirReason := "The `keep_gendir` property in a `genrule` module can only be used by Trusty"
+	allowedModuleNameList := []string{
+		// Trusty TEE target names
+		"trusty_tee_package_goog",
+		"trusty_tee_package",
+		// Trusty vm target names
+		"trusty_test_vm_arm64.bin",
+		"trusty_test_vm_x86_64.elf",
+		"trusty_test_vm_os_arm64.bin",
+		"trusty_test_vm_os_x86_64.elf",
+		"trusty_security_vm_arm64.bin",
+		"trusty_security_vm_x86_64.elf",
+		"trusty_widevine_vm_arm64.bin",
+		"trusty_widevine_vm_x86_64.elf",
+	}
+	return []Rule{
 		NeverAllow().
 			ModuleType("genrule").
-			// Trusty TEE target names
-			Without("name", "trusty_tee_package_goog").
-			Without("name", "trusty_tee_package").
-			// Trusty vm target names
-			Without("name", "trusty_test_vm_arm64.bin").
-			Without("name", "trusty_test_vm_x86_64.elf").
-			Without("name", "trusty_test_vm_os_arm64.bin").
-			Without("name", "trusty_test_vm_os_x86_64.elf").
-			Without("name", "trusty_security_vm_arm64.bin").
-			Without("name", "trusty_security_vm_x86_64.elf").
-			Without("name", "trusty_widevine_vm_arm64.bin").
-			Without("name", "trusty_widevine_vm_x86_64.elf").
-			WithMatcher("dir_srcs", isSetMatcherInstance).Because(reason),
+			WithoutMatcher("name", InAllowedList(allowedModuleNameList)).
+			WithMatcher("dir_srcs", isSetMatcherInstance).Because(dirSrcsReason),
 		NeverAllow().
 			ModuleType("genrule").
-			// Trusty TEE target names
-			Without("name", "trusty_tee_package_goog").
-			Without("name", "trusty_tee_package").
-			// Trusty vm target names
-			Without("name", "trusty_test_vm_arm64.bin").
-			Without("name", "trusty_test_vm_x86_64.elf").
-			Without("name", "trusty_test_vm_os_arm64.bin").
-			Without("name", "trusty_test_vm_os_x86_64.elf").
-			Without("name", "trusty_security_vm_arm64.bin").
-			Without("name", "trusty_security_vm_x86_64.elf").
-			Without("name", "trusty_widevine_vm_arm64.bin").
-			Without("name", "trusty_widevine_vm_x86_64.elf").
-			With("keep_gendir", "true").Because(reason),
+			WithoutMatcher("name", InAllowedList(allowedModuleNameList)).
+			With("keep_gendir", "true").Because(keepGendirReason),
 	}
 }