diff options
| -rw-r--r-- | android/module.go | 5 | ||||
| -rw-r--r-- | android/neverallow.go | 3 | ||||
| -rw-r--r-- | android/neverallow_test.go | 25 | ||||
| -rw-r--r-- | android/soong_config_modules.go | 4 |
4 files changed, 36 insertions, 1 deletions
diff --git a/android/module.go b/android/module.go index 3d643f915..c6c4fd838 100644 --- a/android/module.go +++ b/android/module.go @@ -520,6 +520,11 @@ type baseProperties struct { // names of other modules to install on target if this module is installed Target_required []string `android:"arch_variant"` + + // If this is a soong config module, this property will be set to the name of the original + // module type. This is used by neverallow to ensure you can't bypass a ModuleType() matcher + // just by creating a soong config module type. + Soong_config_base_module_type *string `blueprint:"mutated"` } type distProperties struct { diff --git a/android/neverallow.go b/android/neverallow.go index eca8eb36d..a7bfd2dfa 100644 --- a/android/neverallow.go +++ b/android/neverallow.go @@ -412,7 +412,8 @@ func neverallowMutator(ctx BottomUpMutatorContext) { continue } - if !n.appliesToModuleType(ctx.ModuleType()) { + modType := proptools.StringDefault(m.base().baseProperties.Soong_config_base_module_type, ctx.ModuleType()) + if !n.appliesToModuleType(modType) { continue } diff --git a/android/neverallow_test.go b/android/neverallow_test.go index c74d5ff58..3ccc883af 100644 --- a/android/neverallow_test.go +++ b/android/neverallow_test.go @@ -388,6 +388,30 @@ var neverallowTests = []struct { `module type not allowed to be defined in bp file`, }, }, + // Test the a neverallowed module type can't be smuggled through a soong config module type + { + name: `smuggling module types through soong config modules`, + fs: map[string][]byte{ + "a/b/Android.bp": []byte(` + soong_config_bool_variable { + name: "my_var", + } + soong_config_module_type { + name: "smuggled_prebuilt_usr_srec", + module_type: "prebuilt_usr_srec", + config_namespace: "ANDROID", + variables: ["my_var"], + properties: ["enabled"], + } + smuggled_prebuilt_usr_srec { + name: "foo", + } + `), + }, + expectedErrors: []string{ + `module type not allowed to be defined in bp file`, + }, + }, } var prepareForNeverAllowTest = GroupFixturePreparers( @@ -399,6 +423,7 @@ var prepareForNeverAllowTest = GroupFixturePreparers( ctx.RegisterModuleType("filesystem", newMockFilesystemModule) ctx.RegisterModuleType("prebuilt_usr_srec", newMockPrebuiltUsrSrecModule) }), + PrepareForTestWithSoongConfigModuleBuildComponents, ) func TestNeverallow(t *testing.T) { diff --git a/android/soong_config_modules.go b/android/soong_config_modules.go index e0b1d7cbe..a61c9d33d 100644 --- a/android/soong_config_modules.go +++ b/android/soong_config_modules.go @@ -506,6 +506,10 @@ func configModuleFactory(factory blueprint.ModuleFactory, moduleType *soongconfi conditionalProps := proptools.CloneEmptyProperties(conditionalFactoryProps) props = append(props, conditionalProps.Interface()) + if m, ok := module.(Module); ok { + m.base().baseProperties.Soong_config_base_module_type = &moduleType.BaseModuleType + } + // Regular Soong operation wraps the existing module factory with a // conditional on Soong config variables by reading the product // config variables from Make. |