1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
|
// Copyright 2024 Google Inc. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package android
import (
"reflect"
"slices"
"github.com/google/blueprint"
)
// ----------------------------------------------------------------------------
// Start of the definitions of exception functions and the lookup table.
//
// Functions cannot be used as a value passed in providers, because functions are not
// hashable. As a workaround, the [exceptionHandleFuncLabel] enum values are passed using providers,
// and the corresponding functions are called from [exceptionHandleFunctionsTable] map.
// ----------------------------------------------------------------------------
type exceptionHandleFunc func(ModuleContext, Module, Module) bool
type StubsAvailableModule interface {
IsStubsModule() bool
}
// Returns true if the dependency module is a stubs module
var depIsStubsModule exceptionHandleFunc = func(_ ModuleContext, _, dep Module) bool {
if stubsModule, ok := dep.(StubsAvailableModule); ok {
return stubsModule.IsStubsModule()
}
return false
}
// Returns true if the dependency module belongs to any of the apexes.
var depIsApexModule exceptionHandleFunc = func(mctx ModuleContext, _, dep Module) bool {
depContainersInfo, _ := getContainerModuleInfo(mctx, dep)
return InList(ApexContainer, depContainersInfo.belongingContainers)
}
// Returns true if the module and the dependent module belongs to common apexes.
var belongsToCommonApexes exceptionHandleFunc = func(mctx ModuleContext, m, dep Module) bool {
mContainersInfo, _ := getContainerModuleInfo(mctx, m)
depContainersInfo, _ := getContainerModuleInfo(mctx, dep)
return HasIntersection(mContainersInfo.ApexNames(), depContainersInfo.ApexNames())
}
// Returns true when all apexes that the module belongs to are non updatable.
// For an apex module to be allowed to depend on a non-apex partition module,
// all apexes that the module belong to must be non updatable.
var belongsToNonUpdatableApex exceptionHandleFunc = func(mctx ModuleContext, m, _ Module) bool {
mContainersInfo, _ := getContainerModuleInfo(mctx, m)
return !mContainersInfo.UpdatableApex()
}
// Returns true if the dependency is added via dependency tags that are not used to tag dynamic
// dependency tags.
var depIsNotDynamicDepTag exceptionHandleFunc = func(ctx ModuleContext, m, dep Module) bool {
mInstallable, _ := m.(InstallableModule)
depTag := ctx.OtherModuleDependencyTag(dep)
return !InList(depTag, mInstallable.DynamicDependencyTags())
}
// Returns true if the dependency is added via dependency tags that are not used to tag static
// or dynamic dependency tags. These dependencies do not affect the module in compile time or in
// runtime, thus are not significant enough to raise an error.
var depIsNotStaticOrDynamicDepTag exceptionHandleFunc = func(ctx ModuleContext, m, dep Module) bool {
mInstallable, _ := m.(InstallableModule)
depTag := ctx.OtherModuleDependencyTag(dep)
return !InList(depTag, append(mInstallable.StaticDependencyTags(), mInstallable.DynamicDependencyTags()...))
}
var globallyAllowlistedDependencies = []string{
// Modules that provide annotations used within the platform and apexes.
"aconfig-annotations-lib",
"framework-annotations-lib",
"unsupportedappusage",
// framework-res provides core resources essential for building apps and system UI.
// This module is implicitly added as a dependency for java modules even when the
// dependency specifies sdk_version.
"framework-res",
// jacocoagent is implicitly added as a dependency in coverage builds, and is not installed
// on the device.
"jacocoagent",
}
// Returns true when the dependency is globally allowlisted for inter-container dependency
var depIsGloballyAllowlisted exceptionHandleFunc = func(_ ModuleContext, _, dep Module) bool {
return InList(dep.Name(), globallyAllowlistedDependencies)
}
// Labels of exception functions, which are used to determine special dependencies that allow
// otherwise restricted inter-container dependencies
type exceptionHandleFuncLabel int
const (
checkStubs exceptionHandleFuncLabel = iota
checkApexModule
checkInCommonApexes
checkApexIsNonUpdatable
checkNotDynamicDepTag
checkNotStaticOrDynamicDepTag
checkGlobalAllowlistedDep
)
// Map of [exceptionHandleFuncLabel] to the [exceptionHandleFunc]
var exceptionHandleFunctionsTable = map[exceptionHandleFuncLabel]exceptionHandleFunc{
checkStubs: depIsStubsModule,
checkApexModule: depIsApexModule,
checkInCommonApexes: belongsToCommonApexes,
checkApexIsNonUpdatable: belongsToNonUpdatableApex,
checkNotDynamicDepTag: depIsNotDynamicDepTag,
checkNotStaticOrDynamicDepTag: depIsNotStaticOrDynamicDepTag,
checkGlobalAllowlistedDep: depIsGloballyAllowlisted,
}
// ----------------------------------------------------------------------------
// Start of the definitions of container determination functions.
//
// Similar to the above section, below defines the functions used to determine
// the container of each modules.
// ----------------------------------------------------------------------------
type containerBoundaryFunc func(mctx ModuleContext) bool
var vendorContainerBoundaryFunc containerBoundaryFunc = func(mctx ModuleContext) bool {
m, ok := mctx.Module().(ImageInterface)
return mctx.Module().InstallInVendor() || (ok && m.VendorVariantNeeded(mctx))
}
var systemContainerBoundaryFunc containerBoundaryFunc = func(mctx ModuleContext) bool {
module := mctx.Module()
return !module.InstallInTestcases() &&
!module.InstallInData() &&
!module.InstallInRamdisk() &&
!module.InstallInVendorRamdisk() &&
!module.InstallInDebugRamdisk() &&
!module.InstallInRecovery() &&
!module.InstallInVendor() &&
!module.InstallInOdm() &&
!module.InstallInProduct() &&
determineModuleKind(module.base(), mctx.blueprintBaseModuleContext()) == platformModule
}
var productContainerBoundaryFunc containerBoundaryFunc = func(mctx ModuleContext) bool {
m, ok := mctx.Module().(ImageInterface)
return mctx.Module().InstallInProduct() || (ok && m.ProductVariantNeeded(mctx))
}
var apexContainerBoundaryFunc containerBoundaryFunc = func(mctx ModuleContext) bool {
_, ok := ModuleProvider(mctx, AllApexInfoProvider)
return ok
}
var ctsContainerBoundaryFunc containerBoundaryFunc = func(mctx ModuleContext) bool {
props := mctx.Module().GetProperties()
for _, prop := range props {
val := reflect.ValueOf(prop).Elem()
if val.Kind() == reflect.Struct {
testSuites := val.FieldByName("Test_suites")
if testSuites.IsValid() && testSuites.Kind() == reflect.Slice && slices.Contains(testSuites.Interface().([]string), "cts") {
return true
}
}
}
return false
}
type unstableInfo struct {
// Determines if the module contains the private APIs of the platform.
ContainsPlatformPrivateApis bool
}
var unstableInfoProvider = blueprint.NewProvider[unstableInfo]()
func determineUnstableModule(mctx ModuleContext) bool {
module := mctx.Module()
unstableModule := module.Name() == "framework-minus-apex"
if installable, ok := module.(InstallableModule); ok {
for _, staticDepTag := range installable.StaticDependencyTags() {
mctx.VisitDirectDepsWithTag(staticDepTag, func(dep Module) {
if unstableInfo, ok := OtherModuleProvider(mctx, dep, unstableInfoProvider); ok {
unstableModule = unstableModule || unstableInfo.ContainsPlatformPrivateApis
}
})
}
}
return unstableModule
}
var unstableContainerBoundaryFunc containerBoundaryFunc = func(mctx ModuleContext) bool {
return determineUnstableModule(mctx)
}
// Map of [*container] to the [containerBoundaryFunc]
var containerBoundaryFunctionsTable = map[*container]containerBoundaryFunc{
VendorContainer: vendorContainerBoundaryFunc,
SystemContainer: systemContainerBoundaryFunc,
ProductContainer: productContainerBoundaryFunc,
ApexContainer: apexContainerBoundaryFunc,
CtsContainer: ctsContainerBoundaryFunc,
UnstableContainer: unstableContainerBoundaryFunc,
}
// ----------------------------------------------------------------------------
// End of the definitions of container determination functions.
// ----------------------------------------------------------------------------
type InstallableModule interface {
ContainersInfo() ContainersInfo
StaticDependencyTags() []blueprint.DependencyTag
DynamicDependencyTags() []blueprint.DependencyTag
}
type restriction struct {
// container of the dependency
dependency *container
// Error message to be emitted to the user when the dependency meets this restriction
errorMessage string
// List of labels of allowed exception functions that allows bypassing this restriction.
// If any of the functions mapped to each labels returns true, this dependency would be
// considered allowed and an error will not be thrown.
allowedExceptions []exceptionHandleFuncLabel
}
type container struct {
// The name of the container i.e. partition, api domain
name string
// Map of dependency restricted containers.
restricted []restriction
}
var (
VendorContainer = &container{
name: VendorVariation,
restricted: nil,
}
SystemContainer = &container{
name: "system",
restricted: []restriction{
{
dependency: VendorContainer,
errorMessage: "Module belonging to the system partition other than HALs is " +
"not allowed to depend on the vendor partition module, in order to support " +
"independent development/update cycles and to support the Generic System " +
"Image. Try depending on HALs, VNDK or AIDL instead.",
allowedExceptions: []exceptionHandleFuncLabel{
checkStubs,
checkNotDynamicDepTag,
checkGlobalAllowlistedDep,
},
},
},
}
ProductContainer = &container{
name: ProductVariation,
restricted: []restriction{
{
dependency: VendorContainer,
errorMessage: "Module belonging to the product partition is not allowed to " +
"depend on the vendor partition module, as this may lead to security " +
"vulnerabilities. Try depending on the HALs or utilize AIDL instead.",
allowedExceptions: []exceptionHandleFuncLabel{
checkStubs,
checkNotDynamicDepTag,
checkGlobalAllowlistedDep,
},
},
},
}
ApexContainer = initializeApexContainer()
CtsContainer = &container{
name: "cts",
restricted: []restriction{
{
dependency: UnstableContainer,
errorMessage: "CTS module should not depend on the modules that contain the " +
"platform implementation details, including \"framework\". Depending on these " +
"modules may lead to disclosure of implementation details and regression " +
"due to API changes across platform versions. Try depending on the stubs instead " +
"and ensure that the module sets an appropriate 'sdk_version'.",
allowedExceptions: []exceptionHandleFuncLabel{
checkStubs,
checkNotStaticOrDynamicDepTag,
checkGlobalAllowlistedDep,
},
},
},
}
// Container signifying that the module contains unstable platform private APIs
UnstableContainer = &container{
name: "unstable",
restricted: nil,
}
allContainers = []*container{
VendorContainer,
SystemContainer,
ProductContainer,
ApexContainer,
CtsContainer,
UnstableContainer,
}
)
func initializeApexContainer() *container {
apexContainer := &container{
name: "apex",
restricted: []restriction{
{
dependency: SystemContainer,
errorMessage: "Module belonging to Apex(es) is not allowed to depend on the " +
"modules belonging to the system partition. Either statically depend on the " +
"module or convert the depending module to java_sdk_library and depend on " +
"the stubs.",
allowedExceptions: []exceptionHandleFuncLabel{
checkStubs,
checkApexModule,
checkInCommonApexes,
checkApexIsNonUpdatable,
checkNotStaticOrDynamicDepTag,
checkGlobalAllowlistedDep,
},
},
},
}
apexContainer.restricted = append(apexContainer.restricted, restriction{
dependency: apexContainer,
errorMessage: "Module belonging to Apex(es) is not allowed to depend on the " +
"modules belonging to other Apex(es). Either include the depending " +
"module in the Apex or convert the depending module to java_sdk_library " +
"and depend on its stubs.",
allowedExceptions: []exceptionHandleFuncLabel{
checkStubs,
checkInCommonApexes,
checkNotStaticOrDynamicDepTag,
checkGlobalAllowlistedDep,
},
})
return apexContainer
}
type ContainersInfo struct {
belongingContainers []*container
belongingApexes []ApexInfo
}
func (c *ContainersInfo) BelongingContainers() []*container {
return c.belongingContainers
}
func (c *ContainersInfo) ApexNames() (ret []string) {
for _, apex := range c.belongingApexes {
ret = append(ret, apex.InApexModules...)
}
slices.Sort(ret)
return ret
}
// Returns true if any of the apex the module belongs to is updatable.
func (c *ContainersInfo) UpdatableApex() bool {
for _, apex := range c.belongingApexes {
if apex.Updatable {
return true
}
}
return false
}
var ContainersInfoProvider = blueprint.NewProvider[ContainersInfo]()
func generateContainerInfo(ctx ModuleContext) ContainersInfo {
var containers []*container
for _, cnt := range allContainers {
if containerBoundaryFunctionsTable[cnt](ctx) {
containers = append(containers, cnt)
}
}
var belongingApexes []ApexInfo
if apexInfo, ok := ModuleProvider(ctx, AllApexInfoProvider); ok {
belongingApexes = apexInfo.ApexInfos
}
return ContainersInfo{
belongingContainers: containers,
belongingApexes: belongingApexes,
}
}
func getContainerModuleInfo(ctx ModuleContext, module Module) (ContainersInfo, bool) {
if ctx.Module() == module {
return module.ContainersInfo(), true
}
return OtherModuleProvider(ctx, module, ContainersInfoProvider)
}
func setContainerInfo(ctx ModuleContext) {
// Required to determine the unstable container. This provider is set here instead of the
// unstableContainerBoundaryFunc in order to prevent setting the provider multiple times.
SetProvider(ctx, unstableInfoProvider, unstableInfo{
ContainsPlatformPrivateApis: determineUnstableModule(ctx),
})
if _, ok := ctx.Module().(InstallableModule); ok {
containersInfo := generateContainerInfo(ctx)
ctx.Module().base().containersInfo = containersInfo
SetProvider(ctx, ContainersInfoProvider, containersInfo)
}
}
|