blob: c16e7f347e1d6532325b80d0d17df1dc42d77dd3 [file] [log] [blame]
David Brazdil5a61bb72018-01-19 16:59:46 +00001/*
2 * Copyright (C) 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#ifndef ART_RUNTIME_HIDDEN_API_H_
18#define ART_RUNTIME_HIDDEN_API_H_
19
David Brazdil8ce3bfa2018-03-12 18:01:18 +000020#include "art_field-inl.h"
21#include "art_method-inl.h"
Andreas Gampeaa120012018-03-28 16:23:24 -070022#include "base/mutex.h"
David Sehr67bf42e2018-02-26 16:43:04 -080023#include "dex/hidden_api_access_flags.h"
David Brazdil8ce3bfa2018-03-12 18:01:18 +000024#include "mirror/class-inl.h"
David Brazdil5a61bb72018-01-19 16:59:46 +000025#include "reflection.h"
26#include "runtime.h"
27
28namespace art {
29namespace hiddenapi {
30
Mathew Inwood597d7f62018-03-22 11:36:47 +000031// Hidden API enforcement policy
32// This must be kept in sync with ApplicationInfo.ApiEnforcementPolicy in
33// frameworks/base/core/java/android/content/pm/ApplicationInfo.java
34enum class EnforcementPolicy {
35 kNoChecks = 0,
Mathew Inwooda8503d92018-04-05 16:10:25 +010036 kJustWarn = 1, // keep checks enabled, but allow everything (enables logging)
Mathew Inwood597d7f62018-03-22 11:36:47 +000037 kDarkGreyAndBlackList = 2, // ban dark grey & blacklist
38 kBlacklistOnly = 3, // ban blacklist violations only
39 kMax = kBlacklistOnly,
40};
41
42inline EnforcementPolicy EnforcementPolicyFromInt(int api_policy_int) {
43 DCHECK_GE(api_policy_int, 0);
44 DCHECK_LE(api_policy_int, static_cast<int>(EnforcementPolicy::kMax));
45 return static_cast<EnforcementPolicy>(api_policy_int);
46}
47
David Brazdila02cb112018-01-31 11:36:39 +000048enum Action {
49 kAllow,
50 kAllowButWarn,
David Brazdil92265222018-02-02 11:21:40 +000051 kAllowButWarnAndToast,
David Brazdila02cb112018-01-31 11:36:39 +000052 kDeny
53};
David Brazdil5a61bb72018-01-19 16:59:46 +000054
David Brazdil068d68d2018-02-12 13:04:17 -080055enum AccessMethod {
Mathew Inwood17245202018-04-12 13:56:37 +010056 kNone, // internal test that does not correspond to an actual access by app
57 kReflection,
58 kJNI,
59 kLinking,
Mathew Inwood1fd97f22018-04-03 15:32:32 +010060};
61
62// Do not change the values of items in this enum, as they are written to the
63// event log for offline analysis. Any changes will interfere with that analysis.
64enum AccessContextFlags {
65 // Accessed member is a field if this bit is set, else a method
66 kMemberIsField = 1 << 0,
67 // Indicates if access was denied to the member, instead of just printing a warning.
68 kAccessDenied = 1 << 1,
David Brazdil068d68d2018-02-12 13:04:17 -080069};
70
David Brazdil166546c2018-04-23 13:50:38 +010071inline Action GetActionFromAccessFlags(HiddenApiAccessFlags::ApiList api_list) {
72 if (api_list == HiddenApiAccessFlags::kWhitelist) {
73 return kAllow;
74 }
75
Mathew Inwood597d7f62018-03-22 11:36:47 +000076 EnforcementPolicy policy = Runtime::Current()->GetHiddenApiEnforcementPolicy();
77 if (policy == EnforcementPolicy::kNoChecks) {
78 // Exit early. Nothing to enforce.
79 return kAllow;
80 }
81
Mathew Inwooda8503d92018-04-05 16:10:25 +010082 // if policy is "just warn", always warn. We returned above for whitelist APIs.
83 if (policy == EnforcementPolicy::kJustWarn) {
84 return kAllowButWarn;
85 }
86 DCHECK(policy >= EnforcementPolicy::kDarkGreyAndBlackList);
Mathew Inwood597d7f62018-03-22 11:36:47 +000087 // The logic below relies on equality of values in the enums EnforcementPolicy and
Andreas Gampeaa120012018-03-28 16:23:24 -070088 // HiddenApiAccessFlags::ApiList, and their ordering. Assertions are in hidden_api.cc.
Mathew Inwood597d7f62018-03-22 11:36:47 +000089 if (static_cast<int>(policy) > static_cast<int>(api_list)) {
90 return api_list == HiddenApiAccessFlags::kDarkGreylist
91 ? kAllowButWarnAndToast
92 : kAllowButWarn;
93 } else {
94 return kDeny;
David Brazdil5a61bb72018-01-19 16:59:46 +000095 }
96}
97
David Brazdil32bde992018-05-14 15:24:34 +010098class ScopedHiddenApiEnforcementPolicySetting {
99 public:
100 explicit ScopedHiddenApiEnforcementPolicySetting(EnforcementPolicy new_policy)
101 : initial_policy_(Runtime::Current()->GetHiddenApiEnforcementPolicy()) {
102 Runtime::Current()->SetHiddenApiEnforcementPolicy(new_policy);
103 }
104
105 ~ScopedHiddenApiEnforcementPolicySetting() {
106 Runtime::Current()->SetHiddenApiEnforcementPolicy(initial_policy_);
107 }
108
109 private:
110 const EnforcementPolicy initial_policy_;
111 DISALLOW_COPY_AND_ASSIGN(ScopedHiddenApiEnforcementPolicySetting);
112};
113
Andreas Gampeaa120012018-03-28 16:23:24 -0700114// Implementation details. DO NOT ACCESS DIRECTLY.
115namespace detail {
David Brazdilee7d2fd2018-01-20 17:25:23 +0000116
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000117// Class to encapsulate the signature of a member (ArtField or ArtMethod). This
118// is used as a helper when matching prefixes, and when logging the signature.
119class MemberSignature {
120 private:
Mathew Inwood1fd97f22018-04-03 15:32:32 +0100121 enum MemberType {
122 kField,
123 kMethod,
124 };
125
126 std::string class_name_;
127 std::string member_name_;
128 std::string type_signature_;
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000129 std::string tmp_;
Mathew Inwood1fd97f22018-04-03 15:32:32 +0100130 MemberType type_;
131
132 inline std::vector<const char*> GetSignatureParts() const;
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000133
134 public:
Andreas Gampeaa120012018-03-28 16:23:24 -0700135 explicit MemberSignature(ArtField* field) REQUIRES_SHARED(Locks::mutator_lock_);
136 explicit MemberSignature(ArtMethod* method) REQUIRES_SHARED(Locks::mutator_lock_);
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000137
Andreas Gampeaa120012018-03-28 16:23:24 -0700138 void Dump(std::ostream& os) const;
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000139
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000140 // Performs prefix match on this member. Since the full member signature is
141 // composed of several parts, we match each part in turn (rather than
142 // building the entire thing in memory and performing a simple prefix match)
Andreas Gampeaa120012018-03-28 16:23:24 -0700143 bool DoesPrefixMatch(const std::string& prefix) const;
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000144
Andreas Gampeaa120012018-03-28 16:23:24 -0700145 bool IsExempted(const std::vector<std::string>& exemptions);
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000146
Andreas Gampeaa120012018-03-28 16:23:24 -0700147 void WarnAboutAccess(AccessMethod access_method, HiddenApiAccessFlags::ApiList list);
Mathew Inwood1fd97f22018-04-03 15:32:32 +0100148
149 void LogAccessToEventLog(AccessMethod access_method, Action action_taken);
Mathew Inwood7d74ef52018-03-16 14:18:33 +0000150};
David Brazdilee7d2fd2018-01-20 17:25:23 +0000151
Andreas Gampeaa120012018-03-28 16:23:24 -0700152template<typename T>
David Brazdil39512f52018-04-23 13:51:16 +0100153Action GetMemberActionImpl(T* member,
154 HiddenApiAccessFlags::ApiList api_list,
155 Action action,
156 AccessMethod access_method)
Andreas Gampeaa120012018-03-28 16:23:24 -0700157 REQUIRES_SHARED(Locks::mutator_lock_);
158
159// Returns true if the caller is either loaded by the boot strap class loader or comes from
160// a dex file located in ${ANDROID_ROOT}/framework/.
161ALWAYS_INLINE
David Brazdil59a49a62018-05-09 10:58:27 +0100162inline bool IsCallerTrusted(ObjPtr<mirror::Class> caller,
163 ObjPtr<mirror::ClassLoader> caller_class_loader,
164 ObjPtr<mirror::DexCache> caller_dex_cache)
Andreas Gampeaa120012018-03-28 16:23:24 -0700165 REQUIRES_SHARED(Locks::mutator_lock_) {
166 if (caller_class_loader.IsNull()) {
David Brazdil59a49a62018-05-09 10:58:27 +0100167 // Boot class loader.
Andreas Gampeaa120012018-03-28 16:23:24 -0700168 return true;
Andreas Gampeaa120012018-03-28 16:23:24 -0700169 }
David Brazdil59a49a62018-05-09 10:58:27 +0100170
171 if (!caller_dex_cache.IsNull()) {
172 const DexFile* caller_dex_file = caller_dex_cache->GetDexFile();
173 if (caller_dex_file != nullptr && caller_dex_file->IsPlatformDexFile()) {
174 // Caller is in a platform dex file.
175 return true;
176 }
177 }
178
179 if (!caller.IsNull() &&
180 caller->ShouldSkipHiddenApiChecks() &&
181 Runtime::Current()->IsJavaDebuggable()) {
182 // We are in debuggable mode and this caller has been marked trusted.
183 return true;
184 }
185
186 return false;
Andreas Gampeaa120012018-03-28 16:23:24 -0700187}
188
189} // namespace detail
190
David Brazdila02cb112018-01-31 11:36:39 +0000191// Returns true if access to `member` should be denied to the caller of the
David Brazdil59a49a62018-05-09 10:58:27 +0100192// reflective query. The decision is based on whether the caller is trusted or
193// not. Because different users of this function determine this in a different
194// way, `fn_caller_is_trusted(self)` is called and should return true if the
195// caller is allowed to access the platform.
David Brazdil8ce3bfa2018-03-12 18:01:18 +0000196// This function might print warnings into the log if the member is hidden.
David Brazdilee7d2fd2018-01-20 17:25:23 +0000197template<typename T>
Narayan Kamathf5f1f802018-04-03 15:23:46 +0100198inline Action GetMemberAction(T* member,
199 Thread* self,
David Brazdil59a49a62018-05-09 10:58:27 +0100200 std::function<bool(Thread*)> fn_caller_is_trusted,
Narayan Kamathf5f1f802018-04-03 15:23:46 +0100201 AccessMethod access_method)
David Brazdilee7d2fd2018-01-20 17:25:23 +0000202 REQUIRES_SHARED(Locks::mutator_lock_) {
203 DCHECK(member != nullptr);
David Brazdilee7d2fd2018-01-20 17:25:23 +0000204
David Brazdil166546c2018-04-23 13:50:38 +0100205 // Decode hidden API access flags.
206 // NB Multiple threads might try to access (and overwrite) these simultaneously,
207 // causing a race. We only do that if access has not been denied, so the race
208 // cannot change Java semantics. We should, however, decode the access flags
209 // once and use it throughout this function, otherwise we may get inconsistent
210 // results, e.g. print whitelist warnings (b/78327881).
211 HiddenApiAccessFlags::ApiList api_list = member->GetHiddenApiAccessFlags();
212
213 Action action = GetActionFromAccessFlags(member->GetHiddenApiAccessFlags());
David Brazdila02cb112018-01-31 11:36:39 +0000214 if (action == kAllow) {
215 // Nothing to do.
Narayan Kamathf5f1f802018-04-03 15:23:46 +0100216 return action;
David Brazdila02cb112018-01-31 11:36:39 +0000217 }
218
David Brazdil8e1a7cb2018-03-27 08:14:25 +0000219 // Member is hidden. Invoke `fn_caller_in_platform` and find the origin of the access.
David Brazdila02cb112018-01-31 11:36:39 +0000220 // This can be *very* expensive. Save it for last.
David Brazdil59a49a62018-05-09 10:58:27 +0100221 if (fn_caller_is_trusted(self)) {
222 // Caller is trusted. Exit.
Narayan Kamathf5f1f802018-04-03 15:23:46 +0100223 return kAllow;
David Brazdila02cb112018-01-31 11:36:39 +0000224 }
225
David Brazdil8e1a7cb2018-03-27 08:14:25 +0000226 // Member is hidden and caller is not in the platform.
David Brazdil39512f52018-04-23 13:51:16 +0100227 return detail::GetMemberActionImpl(member, api_list, action, access_method);
David Brazdil8e1a7cb2018-03-27 08:14:25 +0000228}
229
David Brazdil59a49a62018-05-09 10:58:27 +0100230inline bool IsCallerTrusted(ObjPtr<mirror::Class> caller) REQUIRES_SHARED(Locks::mutator_lock_) {
Andreas Gampeaa120012018-03-28 16:23:24 -0700231 return !caller.IsNull() &&
David Brazdil59a49a62018-05-09 10:58:27 +0100232 detail::IsCallerTrusted(caller, caller->GetClassLoader(), caller->GetDexCache());
David Brazdil8e1a7cb2018-03-27 08:14:25 +0000233}
234
David Brazdil8ce3bfa2018-03-12 18:01:18 +0000235// Returns true if access to `member` should be denied to a caller loaded with
236// `caller_class_loader`.
237// This function might print warnings into the log if the member is hidden.
238template<typename T>
Narayan Kamathf5f1f802018-04-03 15:23:46 +0100239inline Action GetMemberAction(T* member,
240 ObjPtr<mirror::ClassLoader> caller_class_loader,
241 ObjPtr<mirror::DexCache> caller_dex_cache,
242 AccessMethod access_method)
David Brazdilee7d2fd2018-01-20 17:25:23 +0000243 REQUIRES_SHARED(Locks::mutator_lock_) {
David Brazdil59a49a62018-05-09 10:58:27 +0100244 bool is_caller_trusted =
Andreas Gampe98ea9d92018-10-19 14:06:15 -0700245 detail::IsCallerTrusted(/* caller= */ nullptr, caller_class_loader, caller_dex_cache);
Narayan Kamathf5f1f802018-04-03 15:23:46 +0100246 return GetMemberAction(member,
Andreas Gampe98ea9d92018-10-19 14:06:15 -0700247 /* thread= */ nullptr,
David Brazdil59a49a62018-05-09 10:58:27 +0100248 [is_caller_trusted] (Thread*) { return is_caller_trusted; },
Narayan Kamathf5f1f802018-04-03 15:23:46 +0100249 access_method);
David Brazdilee7d2fd2018-01-20 17:25:23 +0000250}
251
Narayan Kamathf5f1f802018-04-03 15:23:46 +0100252// Calls back into managed code to notify VMRuntime.nonSdkApiUsageConsumer that
253// |member| was accessed. This is usually called when an API is on the black,
254// dark grey or light grey lists. Given that the callback can execute arbitrary
255// code, a call to this method can result in thread suspension.
256template<typename T> void NotifyHiddenApiListener(T* member)
257 REQUIRES_SHARED(Locks::mutator_lock_);
258
259
David Brazdil5a61bb72018-01-19 16:59:46 +0000260} // namespace hiddenapi
261} // namespace art
262
263#endif // ART_RUNTIME_HIDDEN_API_H_