David Brazdil | 5a61bb7 | 2018-01-19 16:59:46 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2018 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #ifndef ART_RUNTIME_HIDDEN_API_H_ |
| 18 | #define ART_RUNTIME_HIDDEN_API_H_ |
| 19 | |
David Brazdil | 8586569 | 2018-10-30 17:26:20 +0000 | [diff] [blame] | 20 | #include "art_field.h" |
| 21 | #include "art_method.h" |
Andreas Gampe | b74f307 | 2019-05-01 15:19:00 -0700 | [diff] [blame] | 22 | #include "base/hiddenapi_domain.h" |
David Brazdil | dcfa89b | 2018-10-31 11:04:10 +0000 | [diff] [blame] | 23 | #include "base/hiddenapi_flags.h" |
Andreas Gampe | 7fbc4a5 | 2018-11-28 08:26:47 -0800 | [diff] [blame] | 24 | #include "base/locks.h" |
David Brazdil | 8586569 | 2018-10-30 17:26:20 +0000 | [diff] [blame] | 25 | #include "intrinsics_enum.h" |
Orion Hodson | 814b928 | 2020-02-19 16:37:11 +0000 | [diff] [blame] | 26 | #include "jni/jni_internal.h" |
David Brazdil | 8ce3bfa | 2018-03-12 18:01:18 +0000 | [diff] [blame] | 27 | #include "mirror/class-inl.h" |
David Brazdil | 5a61bb7 | 2018-01-19 16:59:46 +0000 | [diff] [blame] | 28 | #include "reflection.h" |
| 29 | #include "runtime.h" |
Orion Hodson | 814b928 | 2020-02-19 16:37:11 +0000 | [diff] [blame] | 30 | #include "well_known_classes.h" |
David Brazdil | 5a61bb7 | 2018-01-19 16:59:46 +0000 | [diff] [blame] | 31 | |
| 32 | namespace art { |
| 33 | namespace hiddenapi { |
| 34 | |
Mathew Inwood | 597d7f6 | 2018-03-22 11:36:47 +0000 | [diff] [blame] | 35 | // Hidden API enforcement policy |
| 36 | // This must be kept in sync with ApplicationInfo.ApiEnforcementPolicy in |
| 37 | // frameworks/base/core/java/android/content/pm/ApplicationInfo.java |
| 38 | enum class EnforcementPolicy { |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 39 | kDisabled = 0, |
Mathew Inwood | a8503d9 | 2018-04-05 16:10:25 +0100 | [diff] [blame] | 40 | kJustWarn = 1, // keep checks enabled, but allow everything (enables logging) |
Andrei Onea | fc12a6c | 2020-07-29 19:52:34 +0100 | [diff] [blame] | 41 | kEnabled = 2, // ban conditionally blocked & blocklist |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 42 | kMax = kEnabled, |
Mathew Inwood | 597d7f6 | 2018-03-22 11:36:47 +0000 | [diff] [blame] | 43 | }; |
| 44 | |
| 45 | inline EnforcementPolicy EnforcementPolicyFromInt(int api_policy_int) { |
| 46 | DCHECK_GE(api_policy_int, 0); |
| 47 | DCHECK_LE(api_policy_int, static_cast<int>(EnforcementPolicy::kMax)); |
| 48 | return static_cast<EnforcementPolicy>(api_policy_int); |
| 49 | } |
| 50 | |
Andrei Onea | a2d2bc2 | 2019-01-25 16:18:53 +0000 | [diff] [blame] | 51 | // Hidden API access method |
| 52 | // Thist must be kept in sync with VMRuntime.HiddenApiUsageLogger.ACCESS_METHOD_* |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 53 | enum class AccessMethod { |
Andrei Onea | a2d2bc2 | 2019-01-25 16:18:53 +0000 | [diff] [blame] | 54 | kNone = 0, // internal test that does not correspond to an actual access by app |
| 55 | kReflection = 1, |
| 56 | kJNI = 2, |
| 57 | kLinking = 3, |
Mathew Inwood | 1fd97f2 | 2018-04-03 15:32:32 +0100 | [diff] [blame] | 58 | }; |
| 59 | |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 60 | // Represents the API domain of a caller/callee. |
| 61 | class AccessContext { |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 62 | public: |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 63 | // Initialize to either the fully-trusted or fully-untrusted domain. |
| 64 | explicit AccessContext(bool is_trusted) |
| 65 | : klass_(nullptr), |
| 66 | dex_file_(nullptr), |
| 67 | domain_(ComputeDomain(is_trusted)) {} |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 68 | |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 69 | // Initialize from class loader and dex file (via dex cache). |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 70 | AccessContext(ObjPtr<mirror::ClassLoader> class_loader, ObjPtr<mirror::DexCache> dex_cache) |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 71 | REQUIRES_SHARED(Locks::mutator_lock_) |
| 72 | : klass_(nullptr), |
| 73 | dex_file_(GetDexFileFromDexCache(dex_cache)), |
| 74 | domain_(ComputeDomain(class_loader, dex_file_)) {} |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 75 | |
David Brazdil | a5c3a80 | 2019-03-08 14:59:41 +0000 | [diff] [blame] | 76 | // Initialize from class loader and dex file (only used by tests). |
| 77 | AccessContext(ObjPtr<mirror::ClassLoader> class_loader, const DexFile* dex_file) |
| 78 | : klass_(nullptr), |
| 79 | dex_file_(dex_file), |
| 80 | domain_(ComputeDomain(class_loader, dex_file_)) {} |
| 81 | |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 82 | // Initialize from Class. |
| 83 | explicit AccessContext(ObjPtr<mirror::Class> klass) |
| 84 | REQUIRES_SHARED(Locks::mutator_lock_) |
| 85 | : klass_(klass), |
| 86 | dex_file_(GetDexFileFromDexCache(klass->GetDexCache())), |
| 87 | domain_(ComputeDomain(klass, dex_file_)) {} |
| 88 | |
| 89 | ObjPtr<mirror::Class> GetClass() const { return klass_; } |
| 90 | const DexFile* GetDexFile() const { return dex_file_; } |
| 91 | Domain GetDomain() const { return domain_; } |
David Brazdil | d51e574 | 2019-02-28 14:47:32 +0000 | [diff] [blame] | 92 | bool IsApplicationDomain() const { return domain_ == Domain::kApplication; } |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 93 | |
| 94 | // Returns true if this domain is always allowed to access the domain of `callee`. |
| 95 | bool CanAlwaysAccess(const AccessContext& callee) const { |
| 96 | return IsDomainMoreTrustedThan(domain_, callee.domain_); |
| 97 | } |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 98 | |
| 99 | private: |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 100 | static const DexFile* GetDexFileFromDexCache(ObjPtr<mirror::DexCache> dex_cache) |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 101 | REQUIRES_SHARED(Locks::mutator_lock_) { |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 102 | return dex_cache.IsNull() ? nullptr : dex_cache->GetDexFile(); |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 103 | } |
| 104 | |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 105 | static Domain ComputeDomain(bool is_trusted) { |
| 106 | return is_trusted ? Domain::kCorePlatform : Domain::kApplication; |
| 107 | } |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 108 | |
David Brazdil | a5c3a80 | 2019-03-08 14:59:41 +0000 | [diff] [blame] | 109 | static Domain ComputeDomain(ObjPtr<mirror::ClassLoader> class_loader, const DexFile* dex_file) { |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 110 | if (dex_file == nullptr) { |
| 111 | return ComputeDomain(/* is_trusted= */ class_loader.IsNull()); |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 112 | } |
| 113 | |
David Brazdil | a5c3a80 | 2019-03-08 14:59:41 +0000 | [diff] [blame] | 114 | return dex_file->GetHiddenapiDomain(); |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 115 | } |
| 116 | |
| 117 | static Domain ComputeDomain(ObjPtr<mirror::Class> klass, const DexFile* dex_file) |
| 118 | REQUIRES_SHARED(Locks::mutator_lock_) { |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 119 | // Check other aspects of the context. |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 120 | Domain domain = ComputeDomain(klass->GetClassLoader(), dex_file); |
| 121 | |
| 122 | if (domain == Domain::kApplication && |
| 123 | klass->ShouldSkipHiddenApiChecks() && |
| 124 | Runtime::Current()->IsJavaDebuggable()) { |
| 125 | // Class is known, it is marked trusted and we are in debuggable mode. |
| 126 | domain = ComputeDomain(/* is_trusted= */ true); |
| 127 | } |
| 128 | |
| 129 | return domain; |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 130 | } |
| 131 | |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 132 | // Pointer to declaring class of the caller/callee (null if not provided). |
| 133 | // This is not safe across GC but we're only using this class for passing |
| 134 | // information about the caller to the access check logic and never retain |
| 135 | // the AccessContext instance beyond that. |
| 136 | const ObjPtr<mirror::Class> klass_; |
| 137 | |
| 138 | // DexFile of the caller/callee (null if not provided). |
| 139 | const DexFile* const dex_file_; |
| 140 | |
| 141 | // Computed domain of the caller/callee. |
| 142 | const Domain domain_; |
David Brazdil | 068d68d | 2018-02-12 13:04:17 -0800 | [diff] [blame] | 143 | }; |
| 144 | |
David Brazdil | 32bde99 | 2018-05-14 15:24:34 +0100 | [diff] [blame] | 145 | class ScopedHiddenApiEnforcementPolicySetting { |
| 146 | public: |
| 147 | explicit ScopedHiddenApiEnforcementPolicySetting(EnforcementPolicy new_policy) |
| 148 | : initial_policy_(Runtime::Current()->GetHiddenApiEnforcementPolicy()) { |
| 149 | Runtime::Current()->SetHiddenApiEnforcementPolicy(new_policy); |
| 150 | } |
| 151 | |
| 152 | ~ScopedHiddenApiEnforcementPolicySetting() { |
| 153 | Runtime::Current()->SetHiddenApiEnforcementPolicy(initial_policy_); |
| 154 | } |
| 155 | |
| 156 | private: |
| 157 | const EnforcementPolicy initial_policy_; |
| 158 | DISALLOW_COPY_AND_ASSIGN(ScopedHiddenApiEnforcementPolicySetting); |
| 159 | }; |
| 160 | |
Orion Hodson | 814b928 | 2020-02-19 16:37:11 +0000 | [diff] [blame] | 161 | void InitializeCorePlatformApiPrivateFields() REQUIRES(!Locks::mutator_lock_); |
| 162 | |
Andreas Gampe | aa12001 | 2018-03-28 16:23:24 -0700 | [diff] [blame] | 163 | // Implementation details. DO NOT ACCESS DIRECTLY. |
| 164 | namespace detail { |
David Brazdil | ee7d2fd | 2018-01-20 17:25:23 +0000 | [diff] [blame] | 165 | |
Mathew Inwood | 7d74ef5 | 2018-03-16 14:18:33 +0000 | [diff] [blame] | 166 | // Class to encapsulate the signature of a member (ArtField or ArtMethod). This |
| 167 | // is used as a helper when matching prefixes, and when logging the signature. |
| 168 | class MemberSignature { |
| 169 | private: |
Mathew Inwood | 1fd97f2 | 2018-04-03 15:32:32 +0100 | [diff] [blame] | 170 | enum MemberType { |
| 171 | kField, |
| 172 | kMethod, |
| 173 | }; |
| 174 | |
| 175 | std::string class_name_; |
| 176 | std::string member_name_; |
| 177 | std::string type_signature_; |
Mathew Inwood | 7d74ef5 | 2018-03-16 14:18:33 +0000 | [diff] [blame] | 178 | std::string tmp_; |
Mathew Inwood | 1fd97f2 | 2018-04-03 15:32:32 +0100 | [diff] [blame] | 179 | MemberType type_; |
| 180 | |
| 181 | inline std::vector<const char*> GetSignatureParts() const; |
Mathew Inwood | 7d74ef5 | 2018-03-16 14:18:33 +0000 | [diff] [blame] | 182 | |
| 183 | public: |
Andreas Gampe | aa12001 | 2018-03-28 16:23:24 -0700 | [diff] [blame] | 184 | explicit MemberSignature(ArtField* field) REQUIRES_SHARED(Locks::mutator_lock_); |
| 185 | explicit MemberSignature(ArtMethod* method) REQUIRES_SHARED(Locks::mutator_lock_); |
David Brazdil | 1a65863 | 2018-12-01 17:54:26 +0000 | [diff] [blame] | 186 | explicit MemberSignature(const ClassAccessor::Field& field); |
| 187 | explicit MemberSignature(const ClassAccessor::Method& method); |
Mathew Inwood | 7d74ef5 | 2018-03-16 14:18:33 +0000 | [diff] [blame] | 188 | |
Andreas Gampe | aa12001 | 2018-03-28 16:23:24 -0700 | [diff] [blame] | 189 | void Dump(std::ostream& os) const; |
Mathew Inwood | 7d74ef5 | 2018-03-16 14:18:33 +0000 | [diff] [blame] | 190 | |
David Brazdil | 1a65863 | 2018-12-01 17:54:26 +0000 | [diff] [blame] | 191 | bool Equals(const MemberSignature& other); |
| 192 | bool MemberNameAndTypeMatch(const MemberSignature& other); |
| 193 | |
Mathew Inwood | 7d74ef5 | 2018-03-16 14:18:33 +0000 | [diff] [blame] | 194 | // Performs prefix match on this member. Since the full member signature is |
| 195 | // composed of several parts, we match each part in turn (rather than |
| 196 | // building the entire thing in memory and performing a simple prefix match) |
Andreas Gampe | aa12001 | 2018-03-28 16:23:24 -0700 | [diff] [blame] | 197 | bool DoesPrefixMatch(const std::string& prefix) const; |
Mathew Inwood | 7d74ef5 | 2018-03-16 14:18:33 +0000 | [diff] [blame] | 198 | |
Artur Satayev | 4a1e4dd | 2020-04-23 22:28:59 +0100 | [diff] [blame] | 199 | bool DoesPrefixMatchAny(const std::vector<std::string>& exemptions); |
Mathew Inwood | 7d74ef5 | 2018-03-16 14:18:33 +0000 | [diff] [blame] | 200 | |
David Brazdil | 4de9bb6 | 2019-04-03 13:06:17 +0100 | [diff] [blame] | 201 | void WarnAboutAccess(AccessMethod access_method, ApiList list, bool access_denied); |
Mathew Inwood | 1fd97f2 | 2018-04-03 15:32:32 +0100 | [diff] [blame] | 202 | |
Andrei Onea | 6ad020d | 2019-02-18 12:15:51 +0000 | [diff] [blame] | 203 | void LogAccessToEventLog(uint32_t sampled_value, AccessMethod access_method, bool access_denied); |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 204 | |
| 205 | // Calls back into managed code to notify VMRuntime.nonSdkApiUsageConsumer that |
Andrei Onea | 02db072 | 2020-08-07 14:56:59 +0100 | [diff] [blame] | 206 | // |member| was accessed. This is usually called when an API is unsupported, |
| 207 | // conditionally or unconditionally blocked. Given that the callback can execute arbitrary |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 208 | // code, a call to this method can result in thread suspension. |
| 209 | void NotifyHiddenApiListener(AccessMethod access_method); |
Mathew Inwood | 7d74ef5 | 2018-03-16 14:18:33 +0000 | [diff] [blame] | 210 | }; |
David Brazdil | ee7d2fd | 2018-01-20 17:25:23 +0000 | [diff] [blame] | 211 | |
David Brazdil | 8586569 | 2018-10-30 17:26:20 +0000 | [diff] [blame] | 212 | // Locates hiddenapi flags for `field` in the corresponding dex file. |
| 213 | // NB: This is an O(N) operation, linear with the number of members in the class def. |
David Brazdil | 1a65863 | 2018-12-01 17:54:26 +0000 | [diff] [blame] | 214 | template<typename T> |
| 215 | uint32_t GetDexFlags(T* member) REQUIRES_SHARED(Locks::mutator_lock_); |
David Brazdil | 8586569 | 2018-10-30 17:26:20 +0000 | [diff] [blame] | 216 | |
David Brazdil | d51e574 | 2019-02-28 14:47:32 +0000 | [diff] [blame] | 217 | // Handler of detected core platform API violations. Returns true if access to |
| 218 | // `member` should be denied. |
Andreas Gampe | aa12001 | 2018-03-28 16:23:24 -0700 | [diff] [blame] | 219 | template<typename T> |
David Brazdil | d51e574 | 2019-02-28 14:47:32 +0000 | [diff] [blame] | 220 | bool HandleCorePlatformApiViolation(T* member, |
| 221 | const AccessContext& caller_context, |
| 222 | AccessMethod access_method, |
| 223 | EnforcementPolicy policy) |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 224 | REQUIRES_SHARED(Locks::mutator_lock_); |
| 225 | |
| 226 | template<typename T> |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 227 | bool ShouldDenyAccessToMemberImpl(T* member, ApiList api_list, AccessMethod access_method) |
Andreas Gampe | aa12001 | 2018-03-28 16:23:24 -0700 | [diff] [blame] | 228 | REQUIRES_SHARED(Locks::mutator_lock_); |
| 229 | |
David Brazdil | 6a1dab4 | 2019-02-28 18:45:15 +0000 | [diff] [blame] | 230 | inline ArtField* GetInterfaceMemberIfProxy(ArtField* field) { return field; } |
| 231 | |
| 232 | inline ArtMethod* GetInterfaceMemberIfProxy(ArtMethod* method) |
| 233 | REQUIRES_SHARED(Locks::mutator_lock_) { |
| 234 | return method->GetInterfaceMethodIfProxy(kRuntimePointerSize); |
| 235 | } |
| 236 | |
David Brazdil | 8586569 | 2018-10-30 17:26:20 +0000 | [diff] [blame] | 237 | // Returns access flags for the runtime representation of a class member (ArtField/ArtMember). |
David Brazdil | 31cc279 | 2019-04-10 00:31:15 +0100 | [diff] [blame] | 238 | ALWAYS_INLINE inline uint32_t CreateRuntimeFlags_Impl(uint32_t dex_flags) { |
David Brazdil | 8586569 | 2018-10-30 17:26:20 +0000 | [diff] [blame] | 239 | uint32_t runtime_flags = 0u; |
| 240 | |
David Brazdil | 31cc279 | 2019-04-10 00:31:15 +0100 | [diff] [blame] | 241 | ApiList api_list(dex_flags); |
David Brazdil | 90faceb | 2018-12-14 14:36:15 +0000 | [diff] [blame] | 242 | DCHECK(api_list.IsValid()); |
David Brazdil | 8586569 | 2018-10-30 17:26:20 +0000 | [diff] [blame] | 243 | |
Andrei Onea | fc12a6c | 2020-07-29 19:52:34 +0100 | [diff] [blame] | 244 | if (api_list.Contains(ApiList::Sdk())) { |
David Brazdil | 8586569 | 2018-10-30 17:26:20 +0000 | [diff] [blame] | 245 | runtime_flags |= kAccPublicApi; |
David Brazdil | 90faceb | 2018-12-14 14:36:15 +0000 | [diff] [blame] | 246 | } else { |
| 247 | // Only add domain-specific flags for non-public API members. |
| 248 | // This simplifies hardcoded values for intrinsics. |
| 249 | if (api_list.Contains(ApiList::CorePlatformApi())) { |
| 250 | runtime_flags |= kAccCorePlatformApi; |
| 251 | } |
David Brazdil | 8586569 | 2018-10-30 17:26:20 +0000 | [diff] [blame] | 252 | } |
| 253 | |
| 254 | DCHECK_EQ(runtime_flags & kAccHiddenapiBits, runtime_flags) |
| 255 | << "Runtime flags not in reserved access flags bits"; |
| 256 | return runtime_flags; |
| 257 | } |
| 258 | |
David Brazdil | 31cc279 | 2019-04-10 00:31:15 +0100 | [diff] [blame] | 259 | } // namespace detail |
| 260 | |
| 261 | // Returns access flags for the runtime representation of a class member (ArtField/ArtMember). |
| 262 | ALWAYS_INLINE inline uint32_t CreateRuntimeFlags(const ClassAccessor::BaseItem& member) { |
| 263 | return detail::CreateRuntimeFlags_Impl(member.GetHiddenapiFlags()); |
| 264 | } |
| 265 | |
| 266 | // Returns access flags for the runtime representation of a class member (ArtField/ArtMember). |
| 267 | template<typename T> |
| 268 | ALWAYS_INLINE inline uint32_t CreateRuntimeFlags(T* member) REQUIRES_SHARED(Locks::mutator_lock_) { |
| 269 | return detail::CreateRuntimeFlags_Impl(detail::GetDexFlags(member)); |
| 270 | } |
| 271 | |
David Brazdil | 8586569 | 2018-10-30 17:26:20 +0000 | [diff] [blame] | 272 | // Extracts hiddenapi runtime flags from access flags of ArtField. |
| 273 | ALWAYS_INLINE inline uint32_t GetRuntimeFlags(ArtField* field) |
| 274 | REQUIRES_SHARED(Locks::mutator_lock_) { |
| 275 | return field->GetAccessFlags() & kAccHiddenapiBits; |
| 276 | } |
| 277 | |
| 278 | // Extracts hiddenapi runtime flags from access flags of ArtMethod. |
| 279 | // Uses hardcoded values for intrinsics. |
| 280 | ALWAYS_INLINE inline uint32_t GetRuntimeFlags(ArtMethod* method) |
| 281 | REQUIRES_SHARED(Locks::mutator_lock_) { |
| 282 | if (UNLIKELY(method->IsIntrinsic())) { |
| 283 | switch (static_cast<Intrinsics>(method->GetIntrinsic())) { |
| 284 | case Intrinsics::kSystemArrayCopyChar: |
| 285 | case Intrinsics::kStringGetCharsNoCheck: |
| 286 | case Intrinsics::kReferenceGetReferent: |
Vladimir Marko | ac27ac0 | 2021-02-01 09:31:02 +0000 | [diff] [blame] | 287 | case Intrinsics::kReferenceRefersTo: |
David Brazdil | 8586569 | 2018-10-30 17:26:20 +0000 | [diff] [blame] | 288 | case Intrinsics::kMemoryPeekByte: |
| 289 | case Intrinsics::kMemoryPokeByte: |
David Brazdil | 8586569 | 2018-10-30 17:26:20 +0000 | [diff] [blame] | 290 | case Intrinsics::kCRC32Update: |
Evgeny Astigeevich | 15c5b97 | 2018-11-20 13:41:40 +0000 | [diff] [blame] | 291 | case Intrinsics::kCRC32UpdateBytes: |
Evgeny Astigeevich | 776a7c2 | 2018-12-17 11:40:34 +0000 | [diff] [blame] | 292 | case Intrinsics::kCRC32UpdateByteBuffer: |
David Brazdil | 8586569 | 2018-10-30 17:26:20 +0000 | [diff] [blame] | 293 | case Intrinsics::kStringNewStringFromBytes: |
| 294 | case Intrinsics::kStringNewStringFromChars: |
| 295 | case Intrinsics::kStringNewStringFromString: |
| 296 | case Intrinsics::kMemoryPeekIntNative: |
| 297 | case Intrinsics::kMemoryPeekLongNative: |
| 298 | case Intrinsics::kMemoryPeekShortNative: |
| 299 | case Intrinsics::kMemoryPokeIntNative: |
| 300 | case Intrinsics::kMemoryPokeLongNative: |
| 301 | case Intrinsics::kMemoryPokeShortNative: |
Orion Hodson | 53f9e65 | 2020-02-26 10:27:05 +0000 | [diff] [blame] | 302 | case Intrinsics::kUnsafeCASInt: |
| 303 | case Intrinsics::kUnsafeCASLong: |
| 304 | case Intrinsics::kUnsafeCASObject: |
| 305 | case Intrinsics::kUnsafeGetAndAddInt: |
| 306 | case Intrinsics::kUnsafeGetAndAddLong: |
| 307 | case Intrinsics::kUnsafeGetAndSetInt: |
| 308 | case Intrinsics::kUnsafeGetAndSetLong: |
| 309 | case Intrinsics::kUnsafeGetAndSetObject: |
| 310 | case Intrinsics::kUnsafeGetLongVolatile: |
| 311 | case Intrinsics::kUnsafeGetObjectVolatile: |
| 312 | case Intrinsics::kUnsafeGetVolatile: |
| 313 | case Intrinsics::kUnsafePutLongOrdered: |
| 314 | case Intrinsics::kUnsafePutLongVolatile: |
| 315 | case Intrinsics::kUnsafePutObjectOrdered: |
| 316 | case Intrinsics::kUnsafePutObjectVolatile: |
| 317 | case Intrinsics::kUnsafePutOrdered: |
| 318 | case Intrinsics::kUnsafePutVolatile: |
| 319 | case Intrinsics::kUnsafeLoadFence: |
| 320 | case Intrinsics::kUnsafeStoreFence: |
| 321 | case Intrinsics::kUnsafeFullFence: |
David Brazdil | 8586569 | 2018-10-30 17:26:20 +0000 | [diff] [blame] | 322 | case Intrinsics::kVarHandleFullFence: |
| 323 | case Intrinsics::kVarHandleAcquireFence: |
| 324 | case Intrinsics::kVarHandleReleaseFence: |
| 325 | case Intrinsics::kVarHandleLoadLoadFence: |
| 326 | case Intrinsics::kVarHandleStoreStoreFence: |
| 327 | case Intrinsics::kVarHandleCompareAndExchange: |
| 328 | case Intrinsics::kVarHandleCompareAndExchangeAcquire: |
| 329 | case Intrinsics::kVarHandleCompareAndExchangeRelease: |
| 330 | case Intrinsics::kVarHandleCompareAndSet: |
| 331 | case Intrinsics::kVarHandleGet: |
| 332 | case Intrinsics::kVarHandleGetAcquire: |
| 333 | case Intrinsics::kVarHandleGetAndAdd: |
| 334 | case Intrinsics::kVarHandleGetAndAddAcquire: |
| 335 | case Intrinsics::kVarHandleGetAndAddRelease: |
| 336 | case Intrinsics::kVarHandleGetAndBitwiseAnd: |
| 337 | case Intrinsics::kVarHandleGetAndBitwiseAndAcquire: |
| 338 | case Intrinsics::kVarHandleGetAndBitwiseAndRelease: |
| 339 | case Intrinsics::kVarHandleGetAndBitwiseOr: |
| 340 | case Intrinsics::kVarHandleGetAndBitwiseOrAcquire: |
| 341 | case Intrinsics::kVarHandleGetAndBitwiseOrRelease: |
| 342 | case Intrinsics::kVarHandleGetAndBitwiseXor: |
| 343 | case Intrinsics::kVarHandleGetAndBitwiseXorAcquire: |
| 344 | case Intrinsics::kVarHandleGetAndBitwiseXorRelease: |
| 345 | case Intrinsics::kVarHandleGetAndSet: |
| 346 | case Intrinsics::kVarHandleGetAndSetAcquire: |
| 347 | case Intrinsics::kVarHandleGetAndSetRelease: |
| 348 | case Intrinsics::kVarHandleGetOpaque: |
| 349 | case Intrinsics::kVarHandleGetVolatile: |
| 350 | case Intrinsics::kVarHandleSet: |
| 351 | case Intrinsics::kVarHandleSetOpaque: |
| 352 | case Intrinsics::kVarHandleSetRelease: |
| 353 | case Intrinsics::kVarHandleSetVolatile: |
| 354 | case Intrinsics::kVarHandleWeakCompareAndSet: |
| 355 | case Intrinsics::kVarHandleWeakCompareAndSetAcquire: |
| 356 | case Intrinsics::kVarHandleWeakCompareAndSetPlain: |
| 357 | case Intrinsics::kVarHandleWeakCompareAndSetRelease: |
| 358 | return 0u; |
Usama Arif | 665aac4 | 2019-10-29 11:13:18 +0000 | [diff] [blame] | 359 | case Intrinsics::kFP16Ceil: |
Usama Arif | b9f02c2 | 2019-10-25 17:37:33 +0100 | [diff] [blame] | 360 | case Intrinsics::kFP16Floor: |
Usama Arif | 457e9fa | 2019-11-11 15:29:59 +0000 | [diff] [blame] | 361 | case Intrinsics::kFP16Greater: |
| 362 | case Intrinsics::kFP16GreaterEquals: |
| 363 | case Intrinsics::kFP16Less: |
| 364 | case Intrinsics::kFP16LessEquals: |
xueliang.zhong | 9ce340f | 2019-01-22 17:46:09 +0000 | [diff] [blame] | 365 | case Intrinsics::kFP16ToFloat: |
Vladimir Marko | 7f958e3 | 2019-10-24 09:03:58 +0000 | [diff] [blame] | 366 | case Intrinsics::kFP16ToHalf: |
Usama Arif | 681692b | 2019-10-30 16:23:26 +0000 | [diff] [blame] | 367 | case Intrinsics::kFP16Rint: |
Orion Hodson | 53f9e65 | 2020-02-26 10:27:05 +0000 | [diff] [blame] | 368 | case Intrinsics::kUnsafeGet: |
| 369 | case Intrinsics::kUnsafeGetLong: |
| 370 | case Intrinsics::kUnsafeGetObject: |
| 371 | case Intrinsics::kUnsafePutLong: |
| 372 | case Intrinsics::kUnsafePut: |
| 373 | case Intrinsics::kUnsafePutObject: |
David Brazdil | c63d566 | 2019-04-10 00:31:46 +0100 | [diff] [blame] | 374 | return kAccCorePlatformApi; |
David Brazdil | 8586569 | 2018-10-30 17:26:20 +0000 | [diff] [blame] | 375 | default: |
| 376 | // Remaining intrinsics are public API. We DCHECK that in SetIntrinsic(). |
| 377 | return kAccPublicApi; |
| 378 | } |
| 379 | } else { |
| 380 | return method->GetAccessFlags() & kAccHiddenapiBits; |
| 381 | } |
| 382 | } |
| 383 | |
David Brazdil | a5c3a80 | 2019-03-08 14:59:41 +0000 | [diff] [blame] | 384 | // Called by class linker when a new dex file has been registered. Assigns |
| 385 | // the AccessContext domain to the newly-registered dex file based on its |
| 386 | // location and class loader. |
| 387 | void InitializeDexFileDomain(const DexFile& dex_file, ObjPtr<mirror::ClassLoader> class_loader); |
| 388 | |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 389 | // Returns true if access to `member` should be denied in the given context. |
| 390 | // The decision is based on whether the caller is in a trusted context or not. |
| 391 | // Because determining the access context can be expensive, a lambda function |
| 392 | // "fn_get_access_context" is lazily invoked after other criteria have been |
| 393 | // considered. |
David Brazdil | 8ce3bfa | 2018-03-12 18:01:18 +0000 | [diff] [blame] | 394 | // This function might print warnings into the log if the member is hidden. |
David Brazdil | ee7d2fd | 2018-01-20 17:25:23 +0000 | [diff] [blame] | 395 | template<typename T> |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 396 | inline bool ShouldDenyAccessToMember(T* member, |
David Brazdil | 4bcd657 | 2019-02-02 20:08:44 +0000 | [diff] [blame] | 397 | const std::function<AccessContext()>& fn_get_access_context, |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 398 | AccessMethod access_method) |
David Brazdil | ee7d2fd | 2018-01-20 17:25:23 +0000 | [diff] [blame] | 399 | REQUIRES_SHARED(Locks::mutator_lock_) { |
| 400 | DCHECK(member != nullptr); |
David Brazdil | 6a1dab4 | 2019-02-28 18:45:15 +0000 | [diff] [blame] | 401 | |
Calin Juravle | 3378768 | 2019-07-26 14:27:18 -0700 | [diff] [blame] | 402 | // First check if we have an explicit sdk checker installed that should be used to |
| 403 | // verify access. If so, make the decision based on it. |
| 404 | // |
| 405 | // This is used during off-device AOT compilation which may want to generate verification |
| 406 | // metadata only for a specific list of public SDKs. Note that the check here is made |
| 407 | // based on descriptor equality and it's aim to further restrict a symbol that would |
| 408 | // otherwise be resolved. |
| 409 | // |
| 410 | // The check only applies to boot classpaths dex files. |
| 411 | Runtime* runtime = Runtime::Current(); |
| 412 | if (UNLIKELY(runtime->IsAotCompiler())) { |
| 413 | if (member->GetDeclaringClass()->GetClassLoader() == nullptr && |
| 414 | runtime->GetClassLinker()->DenyAccessBasedOnPublicSdk(member)) { |
| 415 | return true; |
| 416 | } |
| 417 | } |
| 418 | |
David Brazdil | 6a1dab4 | 2019-02-28 18:45:15 +0000 | [diff] [blame] | 419 | // Get the runtime flags encoded in member's access flags. |
| 420 | // Note: this works for proxy methods because they inherit access flags from their |
| 421 | // respective interface methods. |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 422 | const uint32_t runtime_flags = GetRuntimeFlags(member); |
David Brazdil | ee7d2fd | 2018-01-20 17:25:23 +0000 | [diff] [blame] | 423 | |
David Brazdil | 8586569 | 2018-10-30 17:26:20 +0000 | [diff] [blame] | 424 | // Exit early if member is public API. This flag is also set for non-boot class |
| 425 | // path fields/methods. |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 426 | if ((runtime_flags & kAccPublicApi) != 0) { |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 427 | return false; |
David Brazdil | a02cb11 | 2018-01-31 11:36:39 +0000 | [diff] [blame] | 428 | } |
| 429 | |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 430 | // Determine which domain the caller and callee belong to. |
| 431 | // This can be *very* expensive. This is why ShouldDenyAccessToMember |
| 432 | // should not be called on every individual access. |
| 433 | const AccessContext caller_context = fn_get_access_context(); |
| 434 | const AccessContext callee_context(member->GetDeclaringClass()); |
| 435 | |
| 436 | // Non-boot classpath callers should have exited early. |
David Brazdil | d51e574 | 2019-02-28 14:47:32 +0000 | [diff] [blame] | 437 | DCHECK(!callee_context.IsApplicationDomain()); |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 438 | |
| 439 | // Check if the caller is always allowed to access members in the callee context. |
| 440 | if (caller_context.CanAlwaysAccess(callee_context)) { |
David Brazdil | c5a96e4 | 2019-01-09 10:04:45 +0000 | [diff] [blame] | 441 | return false; |
| 442 | } |
| 443 | |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 444 | // Check if this is platform accessing core platform. We may warn if `member` is |
| 445 | // not part of core platform API. |
| 446 | switch (caller_context.GetDomain()) { |
| 447 | case Domain::kApplication: { |
David Brazdil | d51e574 | 2019-02-28 14:47:32 +0000 | [diff] [blame] | 448 | DCHECK(!callee_context.IsApplicationDomain()); |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 449 | |
| 450 | // Exit early if access checks are completely disabled. |
Calin Juravle | 3378768 | 2019-07-26 14:27:18 -0700 | [diff] [blame] | 451 | EnforcementPolicy policy = runtime->GetHiddenApiEnforcementPolicy(); |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 452 | if (policy == EnforcementPolicy::kDisabled) { |
| 453 | return false; |
| 454 | } |
| 455 | |
David Brazdil | 6a1dab4 | 2019-02-28 18:45:15 +0000 | [diff] [blame] | 456 | // If this is a proxy method, look at the interface method instead. |
| 457 | member = detail::GetInterfaceMemberIfProxy(member); |
| 458 | |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 459 | // Decode hidden API access flags from the dex file. |
| 460 | // This is an O(N) operation scaling with the number of fields/methods |
| 461 | // in the class. Only do this on slow path and only do it once. |
| 462 | ApiList api_list(detail::GetDexFlags(member)); |
| 463 | DCHECK(api_list.IsValid()); |
| 464 | |
| 465 | // Member is hidden and caller is not exempted. Enter slow path. |
| 466 | return detail::ShouldDenyAccessToMemberImpl(member, api_list, access_method); |
| 467 | } |
| 468 | |
| 469 | case Domain::kPlatform: { |
| 470 | DCHECK(callee_context.GetDomain() == Domain::kCorePlatform); |
| 471 | |
| 472 | // Member is part of core platform API. Accessing it is allowed. |
| 473 | if ((runtime_flags & kAccCorePlatformApi) != 0) { |
| 474 | return false; |
| 475 | } |
| 476 | |
| 477 | // Allow access if access checks are disabled. |
| 478 | EnforcementPolicy policy = Runtime::Current()->GetCorePlatformApiEnforcementPolicy(); |
| 479 | if (policy == EnforcementPolicy::kDisabled) { |
| 480 | return false; |
| 481 | } |
| 482 | |
David Brazdil | 6a1dab4 | 2019-02-28 18:45:15 +0000 | [diff] [blame] | 483 | // If this is a proxy method, look at the interface method instead. |
| 484 | member = detail::GetInterfaceMemberIfProxy(member); |
| 485 | |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 486 | // Access checks are not disabled, report the violation. |
David Brazdil | d51e574 | 2019-02-28 14:47:32 +0000 | [diff] [blame] | 487 | // This may also add kAccCorePlatformApi to the access flags of `member` |
| 488 | // so as to not warn again on next access. |
| 489 | return detail::HandleCorePlatformApiViolation(member, |
| 490 | caller_context, |
| 491 | access_method, |
| 492 | policy); |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 493 | } |
| 494 | |
| 495 | case Domain::kCorePlatform: { |
| 496 | LOG(FATAL) << "CorePlatform domain should be allowed to access all domains"; |
| 497 | UNREACHABLE(); |
| 498 | } |
David Brazdil | a02cb11 | 2018-01-31 11:36:39 +0000 | [diff] [blame] | 499 | } |
David Brazdil | 8e1a7cb | 2018-03-27 08:14:25 +0000 | [diff] [blame] | 500 | } |
| 501 | |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 502 | // Helper method for callers where access context can be determined beforehand. |
| 503 | // Wraps AccessContext in a lambda and passes it to the real ShouldDenyAccessToMember. |
David Brazdil | 8ce3bfa | 2018-03-12 18:01:18 +0000 | [diff] [blame] | 504 | template<typename T> |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 505 | inline bool ShouldDenyAccessToMember(T* member, |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 506 | const AccessContext& access_context, |
David Brazdil | f50ac10 | 2018-10-17 18:00:06 +0100 | [diff] [blame] | 507 | AccessMethod access_method) |
David Brazdil | ee7d2fd | 2018-01-20 17:25:23 +0000 | [diff] [blame] | 508 | REQUIRES_SHARED(Locks::mutator_lock_) { |
David Brazdil | e768182 | 2018-12-14 16:25:33 +0000 | [diff] [blame] | 509 | return ShouldDenyAccessToMember(member, [&]() { return access_context; }, access_method); |
David Brazdil | ee7d2fd | 2018-01-20 17:25:23 +0000 | [diff] [blame] | 510 | } |
| 511 | |
David Brazdil | 5a61bb7 | 2018-01-19 16:59:46 +0000 | [diff] [blame] | 512 | } // namespace hiddenapi |
| 513 | } // namespace art |
| 514 | |
| 515 | #endif // ART_RUNTIME_HIDDEN_API_H_ |