commit f14e254a28f13c50c3ea9360721ae444618a25ca
author Spandan Das <spandandas@google.com> Fri Nov 12 00:01:37 2021 +0000
committer Spandan Das <spandandas@google.com> Mon Apr 04 17:42:00 2022 +0000
tree 154f994d10521ceeb639402cce49331f64a19130
parent e1b18369398db4c36c5b599625b3836260763ae5

Change permitted_packages check to be per-jar rather than per-apex

(cherry-pick of ag/17524387 into aosp)

Summary:
- updates the Q and R maps, the new keys are the bcp jars and not the
apexes. neverallow build rules ensure that these bcp jars have a
restricted set of permitted_packages
- remove BootclasspathJar from the neverallow rule. This is no longer
necessary since the keys in the maps are the bootjars themselves, and
not apexes

Bug: 205289292
Test: In build/soong, go test ./apex
Change-Id: Icb91de934181a8b6f085e03a0ce8c5e08504ff94
Merged-In: Icb91de934181a8b6f085e03a0ce8c5e08504ff94
(cherry picked from commit 440ff9672846ecbc6d607ae65ea6826c49552756)

apex/apex_test.go

diff --git a/apex/apex_test.go b/apex/apex_test.go
index 99bed94..5706a2c 100644
--- a/apex/apex_test.go
+++ b/apex/apex_test.go
@@ -7580,7 +7580,7 @@
 	})
 }
 
-func testApexPermittedPackagesRules(t *testing.T, errmsg, bp string, bootJars []string, rules []android.Rule) {
+func testBootJarPermittedPackagesRules(t *testing.T, errmsg, bp string, bootJars []string, rules []android.Rule) {
 	t.Helper()
 	bp += `
 	apex_key {
@@ -7619,11 +7619,11 @@
 
 func TestApexPermittedPackagesRules(t *testing.T) {
 	testcases := []struct {
-		name            string
-		expectedError   string
-		bp              string
-		bootJars        []string
-		modulesPackages map[string][]string
+		name                 string
+		expectedError        string
+		bp                   string
+		bootJars             []string
+		bcpPermittedPackages map[string][]string
 	}{
 
 		{
@@ -7653,15 +7653,15 @@
 					updatable: false,
 				}`,
 			bootJars: []string{"bcp_lib1"},
-			modulesPackages: map[string][]string{
-				"myapex": []string{
+			bcpPermittedPackages: map[string][]string{
+				"bcp_lib1": []string{
 					"foo.bar",
 				},
 			},
 		},
 		{
 			name:          "Bootclasspath apex jar not satisfying allowed module packages.",
-			expectedError: `(?s)module "bcp_lib2" .* which is restricted because jars that are part of the myapex module may only use these package prefixes: foo.bar. Please consider the following alternatives:\n    1. If the offending code is from a statically linked library, consider removing that dependency and using an alternative already in the bootclasspath, or perhaps a shared library.    2. Move the offending code into an allowed package.\n    3. Jarjar the offending code. Please be mindful of the potential system health implications of bundling that code, particularly if the offending jar is part of the bootclasspath.`,
+			expectedError: `(?s)module "bcp_lib2" .* which is restricted because bcp_lib2 bootjar may only use these package prefixes: foo.bar. Please consider the following alternatives:\n    1. If the offending code is from a statically linked library, consider removing that dependency and using an alternative already in the bootclasspath, or perhaps a shared library.    2. Move the offending code into an allowed package.\n    3. Jarjar the offending code. Please be mindful of the potential system health implications of bundling that code, particularly if the offending jar is part of the bootclasspath.`,
 			bp: `
 				java_library {
 					name: "bcp_lib1",
@@ -7687,17 +7687,58 @@
 				}
 			`,
 			bootJars: []string{"bcp_lib1", "bcp_lib2"},
-			modulesPackages: map[string][]string{
-				"myapex": []string{
+			bcpPermittedPackages: map[string][]string{
+				"bcp_lib1": []string{
 					"foo.bar",
 				},
+				"bcp_lib2": []string{
+					"foo.bar",
+				},
+			},
+		},
+		{
+			name:          "Updateable Bootclasspath apex jar not satisfying allowed module packages.",
+			expectedError: "",
+			bp: `
+				java_library {
+					name: "bcp_lib_restricted",
+					srcs: ["lib1/src/*.java"],
+					apex_available: ["myapex"],
+					permitted_packages: ["foo.bar"],
+					sdk_version: "none",
+					min_sdk_version: "29",
+					system_modules: "none",
+				}
+				java_library {
+					name: "bcp_lib_unrestricted",
+					srcs: ["lib2/src/*.java"],
+					apex_available: ["myapex"],
+					permitted_packages: ["foo.bar", "bar.baz"],
+					sdk_version: "none",
+					min_sdk_version: "29",
+					system_modules: "none",
+				}
+				apex {
+					name: "myapex",
+					key: "myapex.key",
+					java_libs: ["bcp_lib_restricted", "bcp_lib_unrestricted"],
+					updatable: true,
+					min_sdk_version: "29",
+				}
+			`,
+			bootJars: []string{"bcp_lib1", "bcp_lib2"},
+			bcpPermittedPackages: map[string][]string{
+				"bcp_lib1_non_updateable": []string{
+					"foo.bar",
+				},
+				// bcp_lib2_updateable has no entry here since updateable bcp can contain new packages - tracking via an allowlist is not necessary
 			},
 		},
 	}
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
-			rules := createApexPermittedPackagesRules(tc.modulesPackages)
-			testApexPermittedPackagesRules(t, tc.expectedError, tc.bp, tc.bootJars, rules)
+			rules := createBcpPermittedPackagesRules(tc.bcpPermittedPackages)
+			testBootJarPermittedPackagesRules(t, tc.expectedError, tc.bp, tc.bootJars, rules)
 		})
 	}
 }