commit 597d7f650b0656fcb3985b01f53284717b41e5cc
author Mathew Inwood <mathewi@google.com> Thu Mar 22 11:36:47 2018 +0000
committer Mathew Inwood <mathewi@google.com> Fri Mar 23 11:43:35 2018 +0000
tree 59ba9853104427b19f2449ce547301764d22756b
parent 753ce1bcf458ad6c6fbb41689901943d44e7738e

More flexible API enforcement policy support.

This CL adds the ability to configure which banned API lists to enforce,
defined by new enum hiddenapi::ApiEnforcementPolicy. Currently, the policy
can be set at zygote fork time, but not at dex optimization time where
blacklist enforcement is still assumed. As such, making the policy more
strict will not work as expected yet. This will be improved in a follow up
CL.

Test: art tests pass
Test: Device boots

BUG: 73337509

(cherry-picked from commit 159f596eec01adbb5a1c9654402c137cdb943131)

Change-Id: I6c319bb8a3000cb1d3c4693b4fb196e749c36d96
Merged-In: I33f9afce628a86727e400052f4d5979d3536da8c

runtime/hidden_api.h

diff --git a/runtime/hidden_api.h b/runtime/hidden_api.h
index f2ea2fd..321d55d 100644
--- a/runtime/hidden_api.h
+++ b/runtime/hidden_api.h
@@ -27,6 +27,23 @@
 namespace art {
 namespace hiddenapi {
 
+// Hidden API enforcement policy
+// This must be kept in sync with ApplicationInfo.ApiEnforcementPolicy in
+// frameworks/base/core/java/android/content/pm/ApplicationInfo.java
+enum class EnforcementPolicy {
+  kNoChecks             = 0,
+  kAllLists             = 1,  // ban anything but whitelist
+  kDarkGreyAndBlackList = 2,  // ban dark grey & blacklist
+  kBlacklistOnly        = 3,  // ban blacklist violations only
+  kMax = kBlacklistOnly,
+};
+
+inline EnforcementPolicy EnforcementPolicyFromInt(int api_policy_int) {
+  DCHECK_GE(api_policy_int, 0);
+  DCHECK_LE(api_policy_int, static_cast<int>(EnforcementPolicy::kMax));
+  return static_cast<EnforcementPolicy>(api_policy_int);
+}
+
 enum Action {
   kAllow,
   kAllowButWarn,
@@ -59,16 +76,38 @@
   return os;
 }
 
+static constexpr bool EnumsEqual(EnforcementPolicy policy, HiddenApiAccessFlags::ApiList apiList) {
+  return static_cast<int>(policy) == static_cast<int>(apiList);
+}
+
 inline Action GetMemberAction(uint32_t access_flags) {
-  switch (HiddenApiAccessFlags::DecodeFromRuntime(access_flags)) {
-    case HiddenApiAccessFlags::kWhitelist:
-      return kAllow;
-    case HiddenApiAccessFlags::kLightGreylist:
-      return kAllowButWarn;
-    case HiddenApiAccessFlags::kDarkGreylist:
-      return kAllowButWarnAndToast;
-    case HiddenApiAccessFlags::kBlacklist:
-      return kDeny;
+  EnforcementPolicy policy = Runtime::Current()->GetHiddenApiEnforcementPolicy();
+  if (policy == EnforcementPolicy::kNoChecks) {
+    // Exit early. Nothing to enforce.
+    return kAllow;
+  }
+
+  HiddenApiAccessFlags::ApiList api_list = HiddenApiAccessFlags::DecodeFromRuntime(access_flags);
+  if (api_list == HiddenApiAccessFlags::kWhitelist) {
+    return kAllow;
+  }
+  // The logic below relies on equality of values in the enums EnforcementPolicy and
+  // HiddenApiAccessFlags::ApiList, and their ordering. Assert that this is as expected.
+  static_assert(
+      EnumsEqual(EnforcementPolicy::kAllLists, HiddenApiAccessFlags::kLightGreylist) &&
+      EnumsEqual(EnforcementPolicy::kDarkGreyAndBlackList, HiddenApiAccessFlags::kDarkGreylist) &&
+      EnumsEqual(EnforcementPolicy::kBlacklistOnly, HiddenApiAccessFlags::kBlacklist),
+      "Mismatch between EnforcementPolicy and ApiList enums");
+  static_assert(
+      EnforcementPolicy::kAllLists < EnforcementPolicy::kDarkGreyAndBlackList &&
+      EnforcementPolicy::kDarkGreyAndBlackList < EnforcementPolicy::kBlacklistOnly,
+      "EnforcementPolicy values ordering not correct");
+  if (static_cast<int>(policy) > static_cast<int>(api_list)) {
+    return api_list == HiddenApiAccessFlags::kDarkGreylist
+        ? kAllowButWarnAndToast
+        : kAllowButWarn;
+  } else {
+    return kDeny;
   }
 }
 
@@ -107,12 +146,6 @@
                                       AccessMethod access_method)
     REQUIRES_SHARED(Locks::mutator_lock_) {
   DCHECK(member != nullptr);
-  Runtime* runtime = Runtime::Current();
-
-  if (!runtime->AreHiddenApiChecksEnabled()) {
-    // Exit early. Nothing to enforce.
-    return false;
-  }
 
   Action action = GetMemberAction(member->GetAccessFlags());
   if (action == kAllow) {
@@ -133,14 +166,16 @@
   // We do this regardless of whether we block the access or not.
   WarnAboutMemberAccess(member, access_method);
 
-  // Block access if on blacklist.
   if (action == kDeny) {
+    // Block access
     return true;
   }
 
   // Allow access to this member but print a warning.
   DCHECK(action == kAllowButWarn || action == kAllowButWarnAndToast);
 
+  Runtime* runtime = Runtime::Current();
+
   // Depending on a runtime flag, we might move the member into whitelist and
   // skip the warning the next time the member is accessed.
   if (runtime->ShouldDedupeHiddenApiWarnings()) {
@@ -150,7 +185,7 @@
 
   // If this action requires a UI warning, set the appropriate flag.
   if (action == kAllowButWarnAndToast || runtime->ShouldAlwaysSetHiddenApiWarningFlag()) {
-    Runtime::Current()->SetPendingHiddenApiWarning(true);
+    runtime->SetPendingHiddenApiWarning(true);
   }
 
   return false;