Diffstat (limited to 'android/neverallow.go')
-rw-r--r--android/neverallow.go75
1 files changed, 43 insertions, 32 deletions
diff --git a/android/neverallow.go b/android/neverallow.go
index 8995a0ffe..5c90501d7 100644
--- a/android/neverallow.go
+++ b/android/neverallow.go
@@ -60,7 +60,8 @@ func init() {
AddNeverAllowRules(createCcStubsRule())
AddNeverAllowRules(createProhibitHeaderOnlyRule())
AddNeverAllowRules(createLimitNdkExportRule()...)
- AddNeverAllowRules(createLimitDirgroupRule()...)
+ AddNeverAllowRules(createLimitDirgroupRules()...)
+ AddNeverAllowRules(createLimitGenruleRules()...)
AddNeverAllowRules(createFilesystemIsAutoGeneratedRule())
AddNeverAllowRules(createKotlinPluginRule()...)
AddNeverAllowRules(createPrebuiltEtcBpDefineRule())
@@ -251,6 +252,7 @@ func createInstallInRootAllowingRules() []Rule {
NotModuleType("prebuilt_system").
NotModuleType("prebuilt_first_stage_ramdisk").
NotModuleType("prebuilt_res").
+ NotModuleType("prebuilt_any").
Because("install_in_root is only for init_first_stage or librecovery_ui_ext."),
}
}
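Review bot: Only `prebuilt_any` is added to this NotModuleType chain, while the same commit also introduces `prebuilt_radio`, `prebuilt_gpu` and `prebuilt_vendor_overlay` in createPrebuiltEtcBpDefineRule (the hunk at -378). The visible entries here (`prebuilt_system`, `prebuilt_first_stage_ramdisk`, `prebuilt_res`) all also appear in that rule's list, which suggests the two lists are meant to mirror each other; the rest of this chain is outside the hunk, so I can't confirm it. If they are meant to match, add `NotModuleType("prebuilt_radio").`, `NotModuleType("prebuilt_gpu").` and `NotModuleType("prebuilt_vendor_overlay").` alongside the new entry so install_in_root is not left allowed for those module types. createInstallInRootAllowingRules starts outside the hunk.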
@@ -287,45 +289,49 @@ func createLimitNdkExportRule() []Rule {
}
}
-func createLimitDirgroupRule() []Rule {
- reason := "dirgroup module and dir_srcs / keep_gendir property of genrule is allowed only to Trusty build rule."
+func createLimitDirgroupRules() []Rule {
+ reason := "The dirgroup module can only be used with Trusty visibility"
+ scriptsDirsList := []string{"//trusty/vendor/google/aosp/scripts", "//trusty/vendor/google/proprietary/scripts"}
return []Rule{
NeverAllow().
ModuleType("dirgroup").
- WithMatcher("visibility", NotInList([]string{"//trusty/vendor/google/aosp/scripts", "//trusty/vendor/google/proprietary/scripts"})).Because(reason),
+ WithMatcher("visibility", NotInList(scriptsDirsList)).Because(reason),
NeverAllow().
ModuleType("dirgroup").
- WithoutMatcher("visibility", InAllowedList([]string{"//trusty/vendor/google/aosp/scripts", "//trusty/vendor/google/proprietary/scripts"})).Because(reason),
+ WithoutMatcher("visibility", InAllowedList(scriptsDirsList)).Because(reason),
+ }
+}
+
+func createLimitGenruleRules() []Rule {
+ dirSrcsReason := "The `dir_srcs` property in a `genrule` module can only be used by Trusty"
+ keepGendirReason := "The `keep_gendir` property in a `genrule` module can only be used by Trusty"
+ allowedModuleNameList := []string{
+ // Trusty TEE target names
+ "trusty_tee_package_goog",
+ "trusty_tee_package",
+ // Trusty vm target names
+ "trusty_desktop_vm_arm64.bin",
+ "trusty_desktop_vm_x86_64.elf",
+ "trusty_desktop_test_vm_arm64.bin",
+ "trusty_desktop_test_vm_x86_64.elf",
+ "trusty_test_vm_arm64.bin",
+ "trusty_test_vm_x86_64.elf",
+ "trusty_test_vm_os_arm64.bin",
+ "trusty_test_vm_os_x86_64.elf",
+ "trusty_security_vm_arm64.bin",
+ "trusty_security_vm_x86_64.elf",
+ "trusty_widevine_vm_arm64.bin",
+ "trusty_widevine_vm_x86_64.elf",
+ }
+ return []Rule{
NeverAllow().
ModuleType("genrule").
- // Trusty TEE target names
- Without("name", "trusty_tee_package_goog").
- Without("name", "trusty_tee_package").
- // Trusty vm target names
- Without("name", "trusty_test_vm_arm64.bin").
- Without("name", "trusty_test_vm_x86_64.elf").
- Without("name", "trusty_test_vm_os_arm64.bin").
- Without("name", "trusty_test_vm_os_x86_64.elf").
- Without("name", "trusty_security_vm_arm64.bin").
- Without("name", "trusty_security_vm_x86_64.elf").
- Without("name", "trusty_widevine_vm_arm64.bin").
- Without("name", "trusty_widevine_vm_x86_64.elf").
- WithMatcher("dir_srcs", isSetMatcherInstance).Because(reason),
+ WithoutMatcher("name", InAllowedList(allowedModuleNameList)).
+ WithMatcher("dir_srcs", isSetMatcherInstance).Because(dirSrcsReason),
NeverAllow().
ModuleType("genrule").
- // Trusty TEE target names
- Without("name", "trusty_tee_package_goog").
- Without("name", "trusty_tee_package").
- // Trusty vm target names
- Without("name", "trusty_test_vm_arm64.bin").
- Without("name", "trusty_test_vm_x86_64.elf").
- Without("name", "trusty_test_vm_os_arm64.bin").
- Without("name", "trusty_test_vm_os_x86_64.elf").
- Without("name", "trusty_security_vm_arm64.bin").
- Without("name", "trusty_security_vm_x86_64.elf").
- Without("name", "trusty_widevine_vm_arm64.bin").
- Without("name", "trusty_widevine_vm_x86_64.elf").
- With("keep_gendir", "true").Because(reason),
+ WithoutMatcher("name", InAllowedList(allowedModuleNameList)).
+ With("keep_gendir", "true").Because(keepGendirReason),
}
}
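Review bot: The genrule allowlist is widened, not just refactored: `trusty_desktop_vm_arm64.bin`, `trusty_desktop_vm_x86_64.elf`, `trusty_desktop_test_vm_arm64.bin` and `trusty_desktop_test_vm_x86_64.elf` (the new list) have no counterpart in the removed Without("name", ...) chains, so four more modules may now use dir_srcs and keep_gendir, and nothing in the hunk says so. Since this is a neverallow rule, that should be visible to the next reader; a comment on `allowedModuleNameList` such as `// Module names exempt from the dir_srcs / keep_gendir restriction; every addition here weakens the rule and should stay limited to Trusty build targets.` would make the intent explicit. Whether `WithoutMatcher("name", InAllowedList(...))` is exactly equivalent to the old per-name Without chain depends on the matcher semantics, which are not visible here; note that the dirgroup rules guard the same list with both WithMatcher(NotInList) and WithoutMatcher(InAllowedList) while the genrule rules use only the latter, which is presumably fine because `name` is always set, but worth confirming. Minor style point: the new `reason` strings in both functions drop the trailing period that the other Because messages in this file use (e.g. the install_in_root one).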
@@ -363,6 +369,7 @@ func createKotlinPluginRule() []Rule {
func createPrebuiltEtcBpDefineRule() Rule {
return NeverAllow().
ModuleType(
+ "prebuilt_any",
"prebuilt_usr_srec",
"prebuilt_priv_app",
"prebuilt_rfs",
@@ -378,6 +385,9 @@ func createPrebuiltEtcBpDefineRule() Rule {
"prebuilt_sbin",
"prebuilt_system",
"prebuilt_first_stage_ramdisk",
+ "prebuilt_radio",
+ "prebuilt_gpu",
+ "prebuilt_vendor_overlay",
).
DefinedInBpFile().
Because("module type not allowed to be defined in bp file")
@@ -409,7 +419,8 @@ func neverallowMutator(ctx BottomUpMutatorContext) {
continue
}
- if !n.appliesToModuleType(ctx.ModuleType()) {
+ modType := proptools.StringDefault(m.base().baseProperties.Soong_config_base_module_type, ctx.ModuleType())
+ if !n.appliesToModuleType(modType) {
continue
}
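Review bot: The switch from `ctx.ModuleType()` to the `Soong_config_base_module_type` fallback is the security-relevant part of this commit and has no comment saying why; a one-liner above the new `modType` such as `// Check rules against the wrapped module type so a soong_config_module_type wrapper cannot sidestep a neverallow rule that targets its base type.` would stop a later refactor from reverting it (the motivation is inferred from the name, so adjust if the intent differs). The rest of neverallowMutator is outside the hunk, so I can't tell whether other module-type uses in this function (for example the value reported in the violation message) still read `ctx.ModuleType()`; if they do, they should probably use `modType` as well so the reported type matches the one the rule was matched on.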