
Commit 0f2d849c authored by Christian Wailes's avatar Christian Wailes Committed by Gerrit Code Review

Merge "Rename blacklist to denylist"

parents 830c70ad 8d2ad217
+21 −21
@@ -249,11 +249,11 @@ public class ZygoteProcess {
    private final Object mLock = new Object();

    /**
     * List of exemptions to the API blacklist. These are prefix matches on the runtime format
     * List of exemptions to the API deny list. These are prefix matches on the runtime format
     * symbol signature. Any matching symbol is treated by the runtime as being on the light grey
     * list.
     */
    private List<String> mApiBlacklistExemptions = Collections.emptyList();
    private List<String> mApiDenylistExemptions = Collections.emptyList();

    /**
     * Proportion of hidden API accesses that should be logged to the event log; 0 - 0x10000.
@@ -545,7 +545,7 @@ public class ZygoteProcess {
        "--preload-package",
        "--preload-app",
        "--start-child-zygote",
        "--set-api-blacklist-exemptions",
        "--set-api-denylist-exemptions",
        "--hidden-api-log-sampling-rate",
        "--hidden-api-statslog-sampling-rate",
        "--invoke-with"
@@ -857,20 +857,20 @@ public class ZygoteProcess {
    }

    /**
     * Push hidden API blacklisting exemptions into the zygote process(es).
     * Push hidden API denylisting exemptions into the zygote process(es).
     *
     * <p>The list of exemptions will take affect for all new processes forked from the zygote after
     * this call.
     *
     * @param exemptions List of hidden API exemption prefixes. Any matching members are treated as
     *        whitelisted/public APIs (i.e. allowed, no logging of usage).
     *        allowlisted/public APIs (i.e. allowed, no logging of usage).
     */
    public boolean setApiBlacklistExemptions(List<String> exemptions) {
    public boolean setApiDenylistExemptions(List<String> exemptions) {
        synchronized (mLock) {
            mApiBlacklistExemptions = exemptions;
            boolean ok = maybeSetApiBlacklistExemptions(primaryZygoteState, true);
            mApiDenylistExemptions = exemptions;
            boolean ok = maybeSetApiDenylistExemptions(primaryZygoteState, true);
            if (ok) {
                ok = maybeSetApiBlacklistExemptions(secondaryZygoteState, true);
                ok = maybeSetApiDenylistExemptions(secondaryZygoteState, true);
            }
            return ok;
        }
@@ -907,32 +907,32 @@ public class ZygoteProcess {
    }

    @GuardedBy("mLock")
    private boolean maybeSetApiBlacklistExemptions(ZygoteState state, boolean sendIfEmpty) {
    private boolean maybeSetApiDenylistExemptions(ZygoteState state, boolean sendIfEmpty) {
        if (state == null || state.isClosed()) {
            Slog.e(LOG_TAG, "Can't set API blacklist exemptions: no zygote connection");
            Slog.e(LOG_TAG, "Can't set API denylist exemptions: no zygote connection");
            return false;
        } else if (!sendIfEmpty && mApiBlacklistExemptions.isEmpty()) {
        } else if (!sendIfEmpty && mApiDenylistExemptions.isEmpty()) {
            return true;
        }

        try {
            state.mZygoteOutputWriter.write(Integer.toString(mApiBlacklistExemptions.size() + 1));
            state.mZygoteOutputWriter.write(Integer.toString(mApiDenylistExemptions.size() + 1));
            state.mZygoteOutputWriter.newLine();
            state.mZygoteOutputWriter.write("--set-api-blacklist-exemptions");
            state.mZygoteOutputWriter.write("--set-api-denylist-exemptions");
            state.mZygoteOutputWriter.newLine();
            for (int i = 0; i < mApiBlacklistExemptions.size(); ++i) {
                state.mZygoteOutputWriter.write(mApiBlacklistExemptions.get(i));
            for (int i = 0; i < mApiDenylistExemptions.size(); ++i) {
                state.mZygoteOutputWriter.write(mApiDenylistExemptions.get(i));
                state.mZygoteOutputWriter.newLine();
            }
            state.mZygoteOutputWriter.flush();
            int status = state.mZygoteInputStream.readInt();
            if (status != 0) {
                Slog.e(LOG_TAG, "Failed to set API blacklist exemptions; status " + status);
                Slog.e(LOG_TAG, "Failed to set API denylist exemptions; status " + status);
            }
            return true;
        } catch (IOException ioe) {
            Slog.e(LOG_TAG, "Failed to set API blacklist exemptions", ioe);
            mApiBlacklistExemptions = Collections.emptyList();
            Slog.e(LOG_TAG, "Failed to set API denylist exemptions", ioe);
            mApiDenylistExemptions = Collections.emptyList();
            return false;
        }
    }
@@ -989,7 +989,7 @@ public class ZygoteProcess {
            primaryZygoteState =
                    ZygoteState.connect(mZygoteSocketAddress, mUsapPoolSocketAddress);

            maybeSetApiBlacklistExemptions(primaryZygoteState, false);
            maybeSetApiDenylistExemptions(primaryZygoteState, false);
            maybeSetHiddenApiAccessLogSampleRate(primaryZygoteState);
            maybeSetHiddenApiAccessStatslogSampleRate(primaryZygoteState);
        }
@@ -1005,7 +1005,7 @@ public class ZygoteProcess {
                    ZygoteState.connect(mZygoteSecondarySocketAddress,
                            mUsapPoolSecondarySocketAddress);

            maybeSetApiBlacklistExemptions(secondaryZygoteState, false);
            maybeSetApiDenylistExemptions(secondaryZygoteState, false);
            maybeSetHiddenApiAccessLogSampleRate(secondaryZygoteState);
            maybeSetHiddenApiAccessStatslogSampleRate(secondaryZygoteState);
        }
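Review bot: maybeSetApiDenylistExemptions writes each entry of mApiDenylistExemptions verbatim and ends it with newLine(), after announcing `size() + 1` argument lines, so an entry that itself contains a line break would make the number of lines sent differ from the announced count, and the receiver would presumably treat the surplus as the start of another message. setApiDenylistExemptions is public and stores the caller's list unchecked, and where those strings originate is not visible in this diff, so it is worth rejecting such entries before anything is written, for example with `if (e.indexOf('\n') >= 0 || e.indexOf('\r') >= 0) { Slog.e(LOG_TAG, "Invalid API denylist exemption"); return false; }` in a loop ahead of the `try`. Separately, a non-zero `status` from readInt() is only logged and the method still returns `true`, so the caller cannot tell that the zygote rejected the list; `return status == 0;` would surface that, provided no caller depends on the current value.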
+1 −1
@@ -116,7 +116,7 @@ public class ChildZygoteInit {
        try {
            server.registerServerSocketAtAbstractName(socketName);

            // Add the abstract socket to the FD whitelist so that the native zygote code
            // Add the abstract socket to the FD allow list so that the native zygote code
            // can properly detach it after forking.
            Zygote.nativeAllowFileAcrossFork("ABSTRACT/" + socketName);

+2 −2
@@ -743,9 +743,9 @@ public final class Zygote {
            throw new IllegalArgumentException(USAP_ERROR_PREFIX + "--preload-app");
        } else if (args.mStartChildZygote) {
            throw new IllegalArgumentException(USAP_ERROR_PREFIX + "--start-child-zygote");
        } else if (args.mApiBlacklistExemptions != null) {
        } else if (args.mApiDenylistExemptions != null) {
            throw new IllegalArgumentException(
                    USAP_ERROR_PREFIX + "--set-api-blacklist-exemptions");
                    USAP_ERROR_PREFIX + "--set-api-denylist-exemptions");
        } else if (args.mHiddenApiAccessLogSampleRate != -1) {
            throw new IllegalArgumentException(
                    USAP_ERROR_PREFIX + "--hidden-api-log-sampling-rate=");
+5 −5
@@ -192,10 +192,10 @@ class ZygoteArguments {
    boolean mBootCompleted;

    /**
     * Exemptions from API blacklisting. These are sent to the pre-forked zygote at boot time, or
     * when they change, via --set-api-blacklist-exemptions.
     * Exemptions from API deny-listing. These are sent to the pre-forked zygote at boot time, or
     * when they change, via --set-api-denylist-exemptions.
     */
    String[] mApiBlacklistExemptions;
    String[] mApiDenylistExemptions;

    /**
     * Sampling rate for logging hidden API accesses to the event log. This is sent to the
@@ -394,10 +394,10 @@ class ZygoteArguments {
                expectRuntimeArgs = false;
            } else if (arg.equals("--start-child-zygote")) {
                mStartChildZygote = true;
            } else if (arg.equals("--set-api-blacklist-exemptions")) {
            } else if (arg.equals("--set-api-denylist-exemptions")) {
                // consume all remaining args; this is a stand-alone command, never included
                // with the regular fork command.
                mApiBlacklistExemptions = Arrays.copyOfRange(args, curArg + 1, args.length);
                mApiDenylistExemptions = Arrays.copyOfRange(args, curArg + 1, args.length);
                curArg = args.length;
                expectRuntimeArgs = false;
            } else if (arg.startsWith("--hidden-api-log-sampling-rate=")) {
+6 −6
@@ -185,8 +185,8 @@ class ZygoteConnection {
            return null;
        }

        if (parsedArgs.mApiBlacklistExemptions != null) {
            return handleApiBlacklistExemptions(zygoteServer, parsedArgs.mApiBlacklistExemptions);
        if (parsedArgs.mApiDenylistExemptions != null) {
            return handleApiDenylistExemptions(zygoteServer, parsedArgs.mApiDenylistExemptions);
        }

        if (parsedArgs.mHiddenApiAccessLogSampleRate != -1
@@ -365,11 +365,11 @@ class ZygoteConnection {
    }

    /**
     * Makes the necessary changes to implement a new API blacklist exemption policy, and then
     * Makes the necessary changes to implement a new API deny list exemption policy, and then
     * responds to the system server, letting it know that the task has been completed.
     *
     * This necessitates a change to the internal state of the Zygote.  As such, if the USAP
     * pool is enabled all existing USAPs have an incorrect API blacklist exemption list.  To
     * pool is enabled all existing USAPs have an incorrect API deny list exemption list.  To
     * properly handle this request the pool must be emptied and refilled.  This process can return
     * a Runnable object that must be returned to ZygoteServer.runSelectLoop to be invoked.
     *
@@ -378,9 +378,9 @@ class ZygoteConnection {
     * @return A Runnable object representing a new app in any USAPs spawned from here; the
     *         zygote process will always receive a null value from this function.
     */
    private Runnable handleApiBlacklistExemptions(ZygoteServer zygoteServer, String[] exemptions) {
    private Runnable handleApiDenylistExemptions(ZygoteServer zygoteServer, String[] exemptions) {
        return stateChangeWithUsapPoolReset(zygoteServer,
                () -> ZygoteInit.setApiBlacklistExemptions(exemptions));
                () -> ZygoteInit.setApiDenylistExemptions(exemptions));
    }

    private Runnable handleUsapPoolStatusChange(ZygoteServer zygoteServer, boolean newStatus) {