blob: 16c2fe8cf62aabe86a019c11a8ae8de567ac613b [file] [log] [blame]
David Brazdil5a61bb72018-01-19 16:59:46 +00001/*
2 * Copyright (C) 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#ifndef ART_RUNTIME_HIDDEN_API_H_
18#define ART_RUNTIME_HIDDEN_API_H_
19
David Brazdil85865692018-10-30 17:26:20 +000020#include "art_field.h"
21#include "art_method.h"
Andreas Gampeb74f3072019-05-01 15:19:00 -070022#include "base/hiddenapi_domain.h"
David Brazdildcfa89b2018-10-31 11:04:10 +000023#include "base/hiddenapi_flags.h"
Andreas Gampe7fbc4a52018-11-28 08:26:47 -080024#include "base/locks.h"
David Brazdil85865692018-10-30 17:26:20 +000025#include "intrinsics_enum.h"
Orion Hodson814b9282020-02-19 16:37:11 +000026#include "jni/jni_internal.h"
David Brazdil8ce3bfa2018-03-12 18:01:18 +000027#include "mirror/class-inl.h"
David Brazdil5a61bb72018-01-19 16:59:46 +000028#include "reflection.h"
29#include "runtime.h"
Orion Hodson814b9282020-02-19 16:37:11 +000030#include "well_known_classes.h"
David Brazdil5a61bb72018-01-19 16:59:46 +000031
32namespace art {
33namespace hiddenapi {
34
Mathew Inwood597d7f62018-03-22 11:36:47 +000035// Hidden API enforcement policy
36// This must be kept in sync with ApplicationInfo.ApiEnforcementPolicy in
37// frameworks/base/core/java/android/content/pm/ApplicationInfo.java
38enum class EnforcementPolicy {
David Brazdilf50ac102018-10-17 18:00:06 +010039 kDisabled = 0,
Mathew Inwooda8503d92018-04-05 16:10:25 +010040 kJustWarn = 1, // keep checks enabled, but allow everything (enables logging)
Andrei Oneafc12a6c2020-07-29 19:52:34 +010041 kEnabled = 2, // ban conditionally blocked & blocklist
David Brazdilf50ac102018-10-17 18:00:06 +010042 kMax = kEnabled,
Mathew Inwood597d7f62018-03-22 11:36:47 +000043};
44
45inline EnforcementPolicy EnforcementPolicyFromInt(int api_policy_int) {
46 DCHECK_GE(api_policy_int, 0);
47 DCHECK_LE(api_policy_int, static_cast<int>(EnforcementPolicy::kMax));
48 return static_cast<EnforcementPolicy>(api_policy_int);
49}
50
Andrei Oneaa2d2bc22019-01-25 16:18:53 +000051// Hidden API access method
52// Thist must be kept in sync with VMRuntime.HiddenApiUsageLogger.ACCESS_METHOD_*
David Brazdilf50ac102018-10-17 18:00:06 +010053enum class AccessMethod {
Andrei Oneaa2d2bc22019-01-25 16:18:53 +000054 kNone = 0, // internal test that does not correspond to an actual access by app
55 kReflection = 1,
56 kJNI = 2,
57 kLinking = 3,
Mathew Inwood1fd97f22018-04-03 15:32:32 +010058};
59
David Brazdile7681822018-12-14 16:25:33 +000060// Represents the API domain of a caller/callee.
61class AccessContext {
David Brazdilf50ac102018-10-17 18:00:06 +010062 public:
David Brazdile7681822018-12-14 16:25:33 +000063 // Initialize to either the fully-trusted or fully-untrusted domain.
64 explicit AccessContext(bool is_trusted)
65 : klass_(nullptr),
66 dex_file_(nullptr),
67 domain_(ComputeDomain(is_trusted)) {}
David Brazdilf50ac102018-10-17 18:00:06 +010068
David Brazdile7681822018-12-14 16:25:33 +000069 // Initialize from class loader and dex file (via dex cache).
David Brazdilf50ac102018-10-17 18:00:06 +010070 AccessContext(ObjPtr<mirror::ClassLoader> class_loader, ObjPtr<mirror::DexCache> dex_cache)
David Brazdile7681822018-12-14 16:25:33 +000071 REQUIRES_SHARED(Locks::mutator_lock_)
72 : klass_(nullptr),
73 dex_file_(GetDexFileFromDexCache(dex_cache)),
74 domain_(ComputeDomain(class_loader, dex_file_)) {}
David Brazdilf50ac102018-10-17 18:00:06 +010075
David Brazdila5c3a802019-03-08 14:59:41 +000076 // Initialize from class loader and dex file (only used by tests).
77 AccessContext(ObjPtr<mirror::ClassLoader> class_loader, const DexFile* dex_file)
78 : klass_(nullptr),
79 dex_file_(dex_file),
80 domain_(ComputeDomain(class_loader, dex_file_)) {}
81
David Brazdile7681822018-12-14 16:25:33 +000082 // Initialize from Class.
83 explicit AccessContext(ObjPtr<mirror::Class> klass)
84 REQUIRES_SHARED(Locks::mutator_lock_)
85 : klass_(klass),
86 dex_file_(GetDexFileFromDexCache(klass->GetDexCache())),
87 domain_(ComputeDomain(klass, dex_file_)) {}
88
89 ObjPtr<mirror::Class> GetClass() const { return klass_; }
90 const DexFile* GetDexFile() const { return dex_file_; }
91 Domain GetDomain() const { return domain_; }
David Brazdild51e5742019-02-28 14:47:32 +000092 bool IsApplicationDomain() const { return domain_ == Domain::kApplication; }
David Brazdile7681822018-12-14 16:25:33 +000093
94 // Returns true if this domain is always allowed to access the domain of `callee`.
95 bool CanAlwaysAccess(const AccessContext& callee) const {
96 return IsDomainMoreTrustedThan(domain_, callee.domain_);
97 }
David Brazdilf50ac102018-10-17 18:00:06 +010098
99 private:
David Brazdile7681822018-12-14 16:25:33 +0000100 static const DexFile* GetDexFileFromDexCache(ObjPtr<mirror::DexCache> dex_cache)
David Brazdilf50ac102018-10-17 18:00:06 +0100101 REQUIRES_SHARED(Locks::mutator_lock_) {
David Brazdile7681822018-12-14 16:25:33 +0000102 return dex_cache.IsNull() ? nullptr : dex_cache->GetDexFile();
David Brazdilf50ac102018-10-17 18:00:06 +0100103 }
104
David Brazdile7681822018-12-14 16:25:33 +0000105 static Domain ComputeDomain(bool is_trusted) {
106 return is_trusted ? Domain::kCorePlatform : Domain::kApplication;
107 }
David Brazdilf50ac102018-10-17 18:00:06 +0100108
David Brazdila5c3a802019-03-08 14:59:41 +0000109 static Domain ComputeDomain(ObjPtr<mirror::ClassLoader> class_loader, const DexFile* dex_file) {
David Brazdile7681822018-12-14 16:25:33 +0000110 if (dex_file == nullptr) {
111 return ComputeDomain(/* is_trusted= */ class_loader.IsNull());
David Brazdilf50ac102018-10-17 18:00:06 +0100112 }
113
David Brazdila5c3a802019-03-08 14:59:41 +0000114 return dex_file->GetHiddenapiDomain();
David Brazdile7681822018-12-14 16:25:33 +0000115 }
116
117 static Domain ComputeDomain(ObjPtr<mirror::Class> klass, const DexFile* dex_file)
118 REQUIRES_SHARED(Locks::mutator_lock_) {
David Brazdilf50ac102018-10-17 18:00:06 +0100119 // Check other aspects of the context.
David Brazdile7681822018-12-14 16:25:33 +0000120 Domain domain = ComputeDomain(klass->GetClassLoader(), dex_file);
121
122 if (domain == Domain::kApplication &&
123 klass->ShouldSkipHiddenApiChecks() &&
124 Runtime::Current()->IsJavaDebuggable()) {
125 // Class is known, it is marked trusted and we are in debuggable mode.
126 domain = ComputeDomain(/* is_trusted= */ true);
127 }
128
129 return domain;
David Brazdilf50ac102018-10-17 18:00:06 +0100130 }
131
David Brazdile7681822018-12-14 16:25:33 +0000132 // Pointer to declaring class of the caller/callee (null if not provided).
133 // This is not safe across GC but we're only using this class for passing
134 // information about the caller to the access check logic and never retain
135 // the AccessContext instance beyond that.
136 const ObjPtr<mirror::Class> klass_;
137
138 // DexFile of the caller/callee (null if not provided).
139 const DexFile* const dex_file_;
140
141 // Computed domain of the caller/callee.
142 const Domain domain_;
David Brazdil068d68d2018-02-12 13:04:17 -0800143};
144
David Brazdil32bde992018-05-14 15:24:34 +0100145class ScopedHiddenApiEnforcementPolicySetting {
146 public:
147 explicit ScopedHiddenApiEnforcementPolicySetting(EnforcementPolicy new_policy)
148 : initial_policy_(Runtime::Current()->GetHiddenApiEnforcementPolicy()) {
149 Runtime::Current()->SetHiddenApiEnforcementPolicy(new_policy);
150 }
151
152 ~ScopedHiddenApiEnforcementPolicySetting() {
153 Runtime::Current()->SetHiddenApiEnforcementPolicy(initial_policy_);
154 }
155
156 private:
157 const EnforcementPolicy initial_policy_;
158 DISALLOW_COPY_AND_ASSIGN(ScopedHiddenApiEnforcementPolicySetting);
159};
160
Orion Hodson814b9282020-02-19 16:37:11 +0000161void InitializeCorePlatformApiPrivateFields() REQUIRES(!Locks::mutator_lock_);
162
Andreas Gampeaa120012018-03-28 16:23:24 -0700163// Implementation details. DO NOT ACCESS DIRECTLY.
164namespace detail {
David Brazdilee7d2fd2018-01-20 17:25:23 +0000165
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000166// Class to encapsulate the signature of a member (ArtField or ArtMethod). This
167// is used as a helper when matching prefixes, and when logging the signature.
168class MemberSignature {
169 private:
Mathew Inwood1fd97f22018-04-03 15:32:32 +0100170 enum MemberType {
171 kField,
172 kMethod,
173 };
174
175 std::string class_name_;
176 std::string member_name_;
177 std::string type_signature_;
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000178 std::string tmp_;
Mathew Inwood1fd97f22018-04-03 15:32:32 +0100179 MemberType type_;
180
181 inline std::vector<const char*> GetSignatureParts() const;
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000182
183 public:
Andreas Gampeaa120012018-03-28 16:23:24 -0700184 explicit MemberSignature(ArtField* field) REQUIRES_SHARED(Locks::mutator_lock_);
185 explicit MemberSignature(ArtMethod* method) REQUIRES_SHARED(Locks::mutator_lock_);
David Brazdil1a658632018-12-01 17:54:26 +0000186 explicit MemberSignature(const ClassAccessor::Field& field);
187 explicit MemberSignature(const ClassAccessor::Method& method);
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000188
Andreas Gampeaa120012018-03-28 16:23:24 -0700189 void Dump(std::ostream& os) const;
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000190
David Brazdil1a658632018-12-01 17:54:26 +0000191 bool Equals(const MemberSignature& other);
192 bool MemberNameAndTypeMatch(const MemberSignature& other);
193
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000194 // Performs prefix match on this member. Since the full member signature is
195 // composed of several parts, we match each part in turn (rather than
196 // building the entire thing in memory and performing a simple prefix match)
Andreas Gampeaa120012018-03-28 16:23:24 -0700197 bool DoesPrefixMatch(const std::string& prefix) const;
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000198
Artur Satayev4a1e4dd2020-04-23 22:28:59 +0100199 bool DoesPrefixMatchAny(const std::vector<std::string>& exemptions);
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000200
David Brazdil4de9bb62019-04-03 13:06:17 +0100201 void WarnAboutAccess(AccessMethod access_method, ApiList list, bool access_denied);
Mathew Inwood1fd97f22018-04-03 15:32:32 +0100202
Andrei Onea6ad020d2019-02-18 12:15:51 +0000203 void LogAccessToEventLog(uint32_t sampled_value, AccessMethod access_method, bool access_denied);
David Brazdilf50ac102018-10-17 18:00:06 +0100204
205 // Calls back into managed code to notify VMRuntime.nonSdkApiUsageConsumer that
Andrei Onea02db0722020-08-07 14:56:59 +0100206 // |member| was accessed. This is usually called when an API is unsupported,
207 // conditionally or unconditionally blocked. Given that the callback can execute arbitrary
David Brazdilf50ac102018-10-17 18:00:06 +0100208 // code, a call to this method can result in thread suspension.
209 void NotifyHiddenApiListener(AccessMethod access_method);
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000210};
David Brazdilee7d2fd2018-01-20 17:25:23 +0000211
David Brazdil85865692018-10-30 17:26:20 +0000212// Locates hiddenapi flags for `field` in the corresponding dex file.
213// NB: This is an O(N) operation, linear with the number of members in the class def.
David Brazdil1a658632018-12-01 17:54:26 +0000214template<typename T>
215uint32_t GetDexFlags(T* member) REQUIRES_SHARED(Locks::mutator_lock_);
David Brazdil85865692018-10-30 17:26:20 +0000216
David Brazdild51e5742019-02-28 14:47:32 +0000217// Handler of detected core platform API violations. Returns true if access to
218// `member` should be denied.
Andreas Gampeaa120012018-03-28 16:23:24 -0700219template<typename T>
David Brazdild51e5742019-02-28 14:47:32 +0000220bool HandleCorePlatformApiViolation(T* member,
221 const AccessContext& caller_context,
222 AccessMethod access_method,
223 EnforcementPolicy policy)
David Brazdile7681822018-12-14 16:25:33 +0000224 REQUIRES_SHARED(Locks::mutator_lock_);
225
226template<typename T>
David Brazdilf50ac102018-10-17 18:00:06 +0100227bool ShouldDenyAccessToMemberImpl(T* member, ApiList api_list, AccessMethod access_method)
Andreas Gampeaa120012018-03-28 16:23:24 -0700228 REQUIRES_SHARED(Locks::mutator_lock_);
229
David Brazdil6a1dab42019-02-28 18:45:15 +0000230inline ArtField* GetInterfaceMemberIfProxy(ArtField* field) { return field; }
231
232inline ArtMethod* GetInterfaceMemberIfProxy(ArtMethod* method)
233 REQUIRES_SHARED(Locks::mutator_lock_) {
234 return method->GetInterfaceMethodIfProxy(kRuntimePointerSize);
235}
236
David Brazdil85865692018-10-30 17:26:20 +0000237// Returns access flags for the runtime representation of a class member (ArtField/ArtMember).
David Brazdil31cc2792019-04-10 00:31:15 +0100238ALWAYS_INLINE inline uint32_t CreateRuntimeFlags_Impl(uint32_t dex_flags) {
David Brazdil85865692018-10-30 17:26:20 +0000239 uint32_t runtime_flags = 0u;
240
David Brazdil31cc2792019-04-10 00:31:15 +0100241 ApiList api_list(dex_flags);
David Brazdil90faceb2018-12-14 14:36:15 +0000242 DCHECK(api_list.IsValid());
David Brazdil85865692018-10-30 17:26:20 +0000243
Andrei Oneafc12a6c2020-07-29 19:52:34 +0100244 if (api_list.Contains(ApiList::Sdk())) {
David Brazdil85865692018-10-30 17:26:20 +0000245 runtime_flags |= kAccPublicApi;
David Brazdil90faceb2018-12-14 14:36:15 +0000246 } else {
247 // Only add domain-specific flags for non-public API members.
248 // This simplifies hardcoded values for intrinsics.
249 if (api_list.Contains(ApiList::CorePlatformApi())) {
250 runtime_flags |= kAccCorePlatformApi;
251 }
David Brazdil85865692018-10-30 17:26:20 +0000252 }
253
254 DCHECK_EQ(runtime_flags & kAccHiddenapiBits, runtime_flags)
255 << "Runtime flags not in reserved access flags bits";
256 return runtime_flags;
257}
258
David Brazdil31cc2792019-04-10 00:31:15 +0100259} // namespace detail
260
261// Returns access flags for the runtime representation of a class member (ArtField/ArtMember).
262ALWAYS_INLINE inline uint32_t CreateRuntimeFlags(const ClassAccessor::BaseItem& member) {
263 return detail::CreateRuntimeFlags_Impl(member.GetHiddenapiFlags());
264}
265
266// Returns access flags for the runtime representation of a class member (ArtField/ArtMember).
267template<typename T>
268ALWAYS_INLINE inline uint32_t CreateRuntimeFlags(T* member) REQUIRES_SHARED(Locks::mutator_lock_) {
269 return detail::CreateRuntimeFlags_Impl(detail::GetDexFlags(member));
270}
271
David Brazdil85865692018-10-30 17:26:20 +0000272// Extracts hiddenapi runtime flags from access flags of ArtField.
273ALWAYS_INLINE inline uint32_t GetRuntimeFlags(ArtField* field)
274 REQUIRES_SHARED(Locks::mutator_lock_) {
275 return field->GetAccessFlags() & kAccHiddenapiBits;
276}
277
278// Extracts hiddenapi runtime flags from access flags of ArtMethod.
279// Uses hardcoded values for intrinsics.
280ALWAYS_INLINE inline uint32_t GetRuntimeFlags(ArtMethod* method)
281 REQUIRES_SHARED(Locks::mutator_lock_) {
282 if (UNLIKELY(method->IsIntrinsic())) {
283 switch (static_cast<Intrinsics>(method->GetIntrinsic())) {
284 case Intrinsics::kSystemArrayCopyChar:
285 case Intrinsics::kStringGetCharsNoCheck:
286 case Intrinsics::kReferenceGetReferent:
Vladimir Markoac27ac02021-02-01 09:31:02 +0000287 case Intrinsics::kReferenceRefersTo:
David Brazdil85865692018-10-30 17:26:20 +0000288 case Intrinsics::kMemoryPeekByte:
289 case Intrinsics::kMemoryPokeByte:
David Brazdil85865692018-10-30 17:26:20 +0000290 case Intrinsics::kCRC32Update:
Evgeny Astigeevich15c5b972018-11-20 13:41:40 +0000291 case Intrinsics::kCRC32UpdateBytes:
Evgeny Astigeevich776a7c22018-12-17 11:40:34 +0000292 case Intrinsics::kCRC32UpdateByteBuffer:
David Brazdil85865692018-10-30 17:26:20 +0000293 case Intrinsics::kStringNewStringFromBytes:
294 case Intrinsics::kStringNewStringFromChars:
295 case Intrinsics::kStringNewStringFromString:
296 case Intrinsics::kMemoryPeekIntNative:
297 case Intrinsics::kMemoryPeekLongNative:
298 case Intrinsics::kMemoryPeekShortNative:
299 case Intrinsics::kMemoryPokeIntNative:
300 case Intrinsics::kMemoryPokeLongNative:
301 case Intrinsics::kMemoryPokeShortNative:
Orion Hodson53f9e652020-02-26 10:27:05 +0000302 case Intrinsics::kUnsafeCASInt:
303 case Intrinsics::kUnsafeCASLong:
304 case Intrinsics::kUnsafeCASObject:
305 case Intrinsics::kUnsafeGetAndAddInt:
306 case Intrinsics::kUnsafeGetAndAddLong:
307 case Intrinsics::kUnsafeGetAndSetInt:
308 case Intrinsics::kUnsafeGetAndSetLong:
309 case Intrinsics::kUnsafeGetAndSetObject:
310 case Intrinsics::kUnsafeGetLongVolatile:
311 case Intrinsics::kUnsafeGetObjectVolatile:
312 case Intrinsics::kUnsafeGetVolatile:
313 case Intrinsics::kUnsafePutLongOrdered:
314 case Intrinsics::kUnsafePutLongVolatile:
315 case Intrinsics::kUnsafePutObjectOrdered:
316 case Intrinsics::kUnsafePutObjectVolatile:
317 case Intrinsics::kUnsafePutOrdered:
318 case Intrinsics::kUnsafePutVolatile:
319 case Intrinsics::kUnsafeLoadFence:
320 case Intrinsics::kUnsafeStoreFence:
321 case Intrinsics::kUnsafeFullFence:
David Brazdil85865692018-10-30 17:26:20 +0000322 case Intrinsics::kVarHandleFullFence:
323 case Intrinsics::kVarHandleAcquireFence:
324 case Intrinsics::kVarHandleReleaseFence:
325 case Intrinsics::kVarHandleLoadLoadFence:
326 case Intrinsics::kVarHandleStoreStoreFence:
327 case Intrinsics::kVarHandleCompareAndExchange:
328 case Intrinsics::kVarHandleCompareAndExchangeAcquire:
329 case Intrinsics::kVarHandleCompareAndExchangeRelease:
330 case Intrinsics::kVarHandleCompareAndSet:
331 case Intrinsics::kVarHandleGet:
332 case Intrinsics::kVarHandleGetAcquire:
333 case Intrinsics::kVarHandleGetAndAdd:
334 case Intrinsics::kVarHandleGetAndAddAcquire:
335 case Intrinsics::kVarHandleGetAndAddRelease:
336 case Intrinsics::kVarHandleGetAndBitwiseAnd:
337 case Intrinsics::kVarHandleGetAndBitwiseAndAcquire:
338 case Intrinsics::kVarHandleGetAndBitwiseAndRelease:
339 case Intrinsics::kVarHandleGetAndBitwiseOr:
340 case Intrinsics::kVarHandleGetAndBitwiseOrAcquire:
341 case Intrinsics::kVarHandleGetAndBitwiseOrRelease:
342 case Intrinsics::kVarHandleGetAndBitwiseXor:
343 case Intrinsics::kVarHandleGetAndBitwiseXorAcquire:
344 case Intrinsics::kVarHandleGetAndBitwiseXorRelease:
345 case Intrinsics::kVarHandleGetAndSet:
346 case Intrinsics::kVarHandleGetAndSetAcquire:
347 case Intrinsics::kVarHandleGetAndSetRelease:
348 case Intrinsics::kVarHandleGetOpaque:
349 case Intrinsics::kVarHandleGetVolatile:
350 case Intrinsics::kVarHandleSet:
351 case Intrinsics::kVarHandleSetOpaque:
352 case Intrinsics::kVarHandleSetRelease:
353 case Intrinsics::kVarHandleSetVolatile:
354 case Intrinsics::kVarHandleWeakCompareAndSet:
355 case Intrinsics::kVarHandleWeakCompareAndSetAcquire:
356 case Intrinsics::kVarHandleWeakCompareAndSetPlain:
357 case Intrinsics::kVarHandleWeakCompareAndSetRelease:
358 return 0u;
Usama Arif665aac42019-10-29 11:13:18 +0000359 case Intrinsics::kFP16Ceil:
Usama Arifb9f02c22019-10-25 17:37:33 +0100360 case Intrinsics::kFP16Floor:
Usama Arif457e9fa2019-11-11 15:29:59 +0000361 case Intrinsics::kFP16Greater:
362 case Intrinsics::kFP16GreaterEquals:
363 case Intrinsics::kFP16Less:
364 case Intrinsics::kFP16LessEquals:
xueliang.zhong9ce340f2019-01-22 17:46:09 +0000365 case Intrinsics::kFP16ToFloat:
Vladimir Marko7f958e32019-10-24 09:03:58 +0000366 case Intrinsics::kFP16ToHalf:
Usama Arif681692b2019-10-30 16:23:26 +0000367 case Intrinsics::kFP16Rint:
Orion Hodson53f9e652020-02-26 10:27:05 +0000368 case Intrinsics::kUnsafeGet:
369 case Intrinsics::kUnsafeGetLong:
370 case Intrinsics::kUnsafeGetObject:
371 case Intrinsics::kUnsafePutLong:
372 case Intrinsics::kUnsafePut:
373 case Intrinsics::kUnsafePutObject:
David Brazdilc63d5662019-04-10 00:31:46 +0100374 return kAccCorePlatformApi;
David Brazdil85865692018-10-30 17:26:20 +0000375 default:
376 // Remaining intrinsics are public API. We DCHECK that in SetIntrinsic().
377 return kAccPublicApi;
378 }
379 } else {
380 return method->GetAccessFlags() & kAccHiddenapiBits;
381 }
382}
383
David Brazdila5c3a802019-03-08 14:59:41 +0000384// Called by class linker when a new dex file has been registered. Assigns
385// the AccessContext domain to the newly-registered dex file based on its
386// location and class loader.
387void InitializeDexFileDomain(const DexFile& dex_file, ObjPtr<mirror::ClassLoader> class_loader);
388
David Brazdilf50ac102018-10-17 18:00:06 +0100389// Returns true if access to `member` should be denied in the given context.
390// The decision is based on whether the caller is in a trusted context or not.
391// Because determining the access context can be expensive, a lambda function
392// "fn_get_access_context" is lazily invoked after other criteria have been
393// considered.
David Brazdil8ce3bfa2018-03-12 18:01:18 +0000394// This function might print warnings into the log if the member is hidden.
David Brazdilee7d2fd2018-01-20 17:25:23 +0000395template<typename T>
David Brazdilf50ac102018-10-17 18:00:06 +0100396inline bool ShouldDenyAccessToMember(T* member,
David Brazdil4bcd6572019-02-02 20:08:44 +0000397 const std::function<AccessContext()>& fn_get_access_context,
David Brazdilf50ac102018-10-17 18:00:06 +0100398 AccessMethod access_method)
David Brazdilee7d2fd2018-01-20 17:25:23 +0000399 REQUIRES_SHARED(Locks::mutator_lock_) {
400 DCHECK(member != nullptr);
David Brazdil6a1dab42019-02-28 18:45:15 +0000401
Calin Juravle33787682019-07-26 14:27:18 -0700402 // First check if we have an explicit sdk checker installed that should be used to
403 // verify access. If so, make the decision based on it.
404 //
405 // This is used during off-device AOT compilation which may want to generate verification
406 // metadata only for a specific list of public SDKs. Note that the check here is made
407 // based on descriptor equality and it's aim to further restrict a symbol that would
408 // otherwise be resolved.
409 //
410 // The check only applies to boot classpaths dex files.
411 Runtime* runtime = Runtime::Current();
412 if (UNLIKELY(runtime->IsAotCompiler())) {
413 if (member->GetDeclaringClass()->GetClassLoader() == nullptr &&
414 runtime->GetClassLinker()->DenyAccessBasedOnPublicSdk(member)) {
415 return true;
416 }
417 }
418
David Brazdil6a1dab42019-02-28 18:45:15 +0000419 // Get the runtime flags encoded in member's access flags.
420 // Note: this works for proxy methods because they inherit access flags from their
421 // respective interface methods.
David Brazdile7681822018-12-14 16:25:33 +0000422 const uint32_t runtime_flags = GetRuntimeFlags(member);
David Brazdilee7d2fd2018-01-20 17:25:23 +0000423
David Brazdil85865692018-10-30 17:26:20 +0000424 // Exit early if member is public API. This flag is also set for non-boot class
425 // path fields/methods.
David Brazdile7681822018-12-14 16:25:33 +0000426 if ((runtime_flags & kAccPublicApi) != 0) {
David Brazdilf50ac102018-10-17 18:00:06 +0100427 return false;
David Brazdila02cb112018-01-31 11:36:39 +0000428 }
429
David Brazdile7681822018-12-14 16:25:33 +0000430 // Determine which domain the caller and callee belong to.
431 // This can be *very* expensive. This is why ShouldDenyAccessToMember
432 // should not be called on every individual access.
433 const AccessContext caller_context = fn_get_access_context();
434 const AccessContext callee_context(member->GetDeclaringClass());
435
436 // Non-boot classpath callers should have exited early.
David Brazdild51e5742019-02-28 14:47:32 +0000437 DCHECK(!callee_context.IsApplicationDomain());
David Brazdile7681822018-12-14 16:25:33 +0000438
439 // Check if the caller is always allowed to access members in the callee context.
440 if (caller_context.CanAlwaysAccess(callee_context)) {
David Brazdilc5a96e42019-01-09 10:04:45 +0000441 return false;
442 }
443
David Brazdile7681822018-12-14 16:25:33 +0000444 // Check if this is platform accessing core platform. We may warn if `member` is
445 // not part of core platform API.
446 switch (caller_context.GetDomain()) {
447 case Domain::kApplication: {
David Brazdild51e5742019-02-28 14:47:32 +0000448 DCHECK(!callee_context.IsApplicationDomain());
David Brazdile7681822018-12-14 16:25:33 +0000449
450 // Exit early if access checks are completely disabled.
Calin Juravle33787682019-07-26 14:27:18 -0700451 EnforcementPolicy policy = runtime->GetHiddenApiEnforcementPolicy();
David Brazdile7681822018-12-14 16:25:33 +0000452 if (policy == EnforcementPolicy::kDisabled) {
453 return false;
454 }
455
David Brazdil6a1dab42019-02-28 18:45:15 +0000456 // If this is a proxy method, look at the interface method instead.
457 member = detail::GetInterfaceMemberIfProxy(member);
458
David Brazdile7681822018-12-14 16:25:33 +0000459 // Decode hidden API access flags from the dex file.
460 // This is an O(N) operation scaling with the number of fields/methods
461 // in the class. Only do this on slow path and only do it once.
462 ApiList api_list(detail::GetDexFlags(member));
463 DCHECK(api_list.IsValid());
464
465 // Member is hidden and caller is not exempted. Enter slow path.
466 return detail::ShouldDenyAccessToMemberImpl(member, api_list, access_method);
467 }
468
469 case Domain::kPlatform: {
470 DCHECK(callee_context.GetDomain() == Domain::kCorePlatform);
471
472 // Member is part of core platform API. Accessing it is allowed.
473 if ((runtime_flags & kAccCorePlatformApi) != 0) {
474 return false;
475 }
476
477 // Allow access if access checks are disabled.
478 EnforcementPolicy policy = Runtime::Current()->GetCorePlatformApiEnforcementPolicy();
479 if (policy == EnforcementPolicy::kDisabled) {
480 return false;
481 }
482
David Brazdil6a1dab42019-02-28 18:45:15 +0000483 // If this is a proxy method, look at the interface method instead.
484 member = detail::GetInterfaceMemberIfProxy(member);
485
David Brazdile7681822018-12-14 16:25:33 +0000486 // Access checks are not disabled, report the violation.
David Brazdild51e5742019-02-28 14:47:32 +0000487 // This may also add kAccCorePlatformApi to the access flags of `member`
488 // so as to not warn again on next access.
489 return detail::HandleCorePlatformApiViolation(member,
490 caller_context,
491 access_method,
492 policy);
David Brazdile7681822018-12-14 16:25:33 +0000493 }
494
495 case Domain::kCorePlatform: {
496 LOG(FATAL) << "CorePlatform domain should be allowed to access all domains";
497 UNREACHABLE();
498 }
David Brazdila02cb112018-01-31 11:36:39 +0000499 }
David Brazdil8e1a7cb2018-03-27 08:14:25 +0000500}
501
David Brazdilf50ac102018-10-17 18:00:06 +0100502// Helper method for callers where access context can be determined beforehand.
503// Wraps AccessContext in a lambda and passes it to the real ShouldDenyAccessToMember.
David Brazdil8ce3bfa2018-03-12 18:01:18 +0000504template<typename T>
David Brazdilf50ac102018-10-17 18:00:06 +0100505inline bool ShouldDenyAccessToMember(T* member,
David Brazdile7681822018-12-14 16:25:33 +0000506 const AccessContext& access_context,
David Brazdilf50ac102018-10-17 18:00:06 +0100507 AccessMethod access_method)
David Brazdilee7d2fd2018-01-20 17:25:23 +0000508 REQUIRES_SHARED(Locks::mutator_lock_) {
David Brazdile7681822018-12-14 16:25:33 +0000509 return ShouldDenyAccessToMember(member, [&]() { return access_context; }, access_method);
David Brazdilee7d2fd2018-01-20 17:25:23 +0000510}
511
David Brazdil5a61bb72018-01-19 16:59:46 +0000512} // namespace hiddenapi
513} // namespace art
514
515#endif // ART_RUNTIME_HIDDEN_API_H_