Loading core/java/android/content/pm/ApplicationInfo.java +78 −5 Original line number Diff line number Diff line Loading @@ -1101,6 +1101,58 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { /** @hide */ public String[] splitClassLoaderNames; /** * Represents the default policy. The actual policy used will depend on other properties of * the application, e.g. the target SDK version. * @hide */ public static final int HIDDEN_API_ENFORCEMENT_DEFAULT = -1; /** * No API enforcement; the app can access the entire internal private API. Only for use by * system apps. * @hide */ public static final int HIDDEN_API_ENFORCEMENT_NONE = 0; /** * Light grey list enforcement, the strictest option. Enforces the light grey, dark grey and * black lists. * @hide * */ public static final int HIDDEN_API_ENFORCEMENT_ALL_LISTS = 1; /** * Dark grey list enforcement. Enforces the dark grey and black lists * @hide */ public static final int HIDDEN_API_ENFORCEMENT_DARK_GREY_AND_BLACK = 2; /** * Blacklist enforcement only. * @hide */ public static final int HIDDEN_API_ENFORCEMENT_BLACK = 3; private static final int HIDDEN_API_ENFORCEMENT_MAX = HIDDEN_API_ENFORCEMENT_BLACK; /** * Values in this IntDef MUST be kept in sync with enum hiddenapi::EnforcementPolicy in * art/runtime/hidden_api.h * @hide */ @IntDef(prefix = { "HIDDEN_API_ENFORCEMENT_" }, value = { HIDDEN_API_ENFORCEMENT_DEFAULT, HIDDEN_API_ENFORCEMENT_NONE, HIDDEN_API_ENFORCEMENT_ALL_LISTS, HIDDEN_API_ENFORCEMENT_DARK_GREY_AND_BLACK, HIDDEN_API_ENFORCEMENT_BLACK, }) @Retention(RetentionPolicy.SOURCE) public @interface HiddenApiEnforcementPolicy {} private boolean isValidHiddenApiEnforcementPolicy(int policy) { return policy >= HIDDEN_API_ENFORCEMENT_DEFAULT && policy <= HIDDEN_API_ENFORCEMENT_MAX; } private int mHiddenApiPolicy = HIDDEN_API_ENFORCEMENT_DEFAULT; public void dump(Printer pw, String prefix) { dump(pw, prefix, DUMP_FLAG_ALL); } Loading Loading @@ -1188,7 +1240,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { if (category != CATEGORY_UNDEFINED) { pw.println(prefix + "category=" + category); } pw.println(prefix + "isAllowedToUseHiddenApi=" + isAllowedToUseHiddenApi()); pw.println(prefix + "HiddenApiEnforcementPolicy=" + getHiddenApiEnforcementPolicy()); } super.dumpBack(pw, prefix); } Loading Loading @@ -1386,6 +1438,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { appComponentFactory = orig.appComponentFactory; compileSdkVersion = orig.compileSdkVersion; compileSdkVersionCodename = orig.compileSdkVersionCodename; mHiddenApiPolicy = orig.mHiddenApiPolicy; } public String toString() { Loading Loading @@ -1459,6 +1512,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { dest.writeInt(compileSdkVersion); dest.writeString(compileSdkVersionCodename); dest.writeString(appComponentFactory); dest.writeInt(mHiddenApiPolicy); } public static final Parcelable.Creator<ApplicationInfo> CREATOR Loading Loading @@ -1529,6 +1583,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { compileSdkVersion = source.readInt(); compileSdkVersionCodename = source.readString(); appComponentFactory = source.readString(); mHiddenApiPolicy = source.readInt(); } /** Loading Loading @@ -1599,13 +1654,31 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { } } private boolean isPackageWhitelistedForHiddenApis() { return SystemConfig.getInstance().getHiddenApiWhitelistedApps().contains(packageName); } /** * @hide */ public boolean isAllowedToUseHiddenApi() { boolean whitelisted = SystemConfig.getInstance().getHiddenApiWhitelistedApps().contains(packageName); return whitelisted && (isSystemApp() || isUpdatedSystemApp()); public @HiddenApiEnforcementPolicy int getHiddenApiEnforcementPolicy() { if (mHiddenApiPolicy != HIDDEN_API_ENFORCEMENT_DEFAULT) { return mHiddenApiPolicy; } if (isPackageWhitelistedForHiddenApis() && (isSystemApp() || isUpdatedSystemApp())) { return HIDDEN_API_ENFORCEMENT_NONE; } return HIDDEN_API_ENFORCEMENT_BLACK; } /** * @hide */ public void setHiddenApiEnforcementPolicy(@HiddenApiEnforcementPolicy int policy) { if (!isValidHiddenApiEnforcementPolicy(policy)) { throw new IllegalArgumentException("Invalid API enforcement policy: " + policy); } mHiddenApiPolicy = policy; } /** Loading core/java/com/android/internal/os/Zygote.java +14 −3 Original line number Diff line number Diff line Loading @@ -53,10 +53,21 @@ public final class Zygote { public static final int DISABLE_VERIFIER = 1 << 9; /** Only use oat files located in /system. Otherwise use dex/jar/apk . */ public static final int ONLY_USE_SYSTEM_OAT_FILES = 1 << 10; /** Do enfore hidden API access restrictions. */ public static final int ENABLE_HIDDEN_API_CHECKS = 1 << 11; /** Force generation of native debugging information for backtraces. */ public static final int DEBUG_GENERATE_MINI_DEBUG_INFO = 1 << 12; public static final int DEBUG_GENERATE_MINI_DEBUG_INFO = 1 << 11; /** * Hidden API access restrictions. This is a mask for bits representing the API enforcement * policy, defined by {@code @ApplicationInfo.HiddenApiEnforcementPolicy}. */ public static final int API_ENFORCEMENT_POLICY_MASK = (1 << 12) | (1 << 13); /** * Bit shift for use with {@link #API_ENFORCEMENT_POLICY_MASK}. * * (flags & API_ENFORCEMENT_POLICY_MASK) >> API_ENFORCEMENT_POLICY_SHIFT gives * @ApplicationInfo.ApiEnforcementPolicy values. */ public static final int API_ENFORCEMENT_POLICY_SHIFT = Integer.numberOfTrailingZeros(API_ENFORCEMENT_POLICY_MASK); /** No external storage should be mounted. */ public static final int MOUNT_EXTERNAL_NONE = IVold.REMOUNT_MODE_NONE; Loading services/core/java/com/android/server/am/ActivityManagerService.java +9 −6 Original line number Diff line number Diff line Loading @@ -281,6 +281,7 @@ import android.content.Intent; import android.content.IntentFilter; import android.content.pm.ActivityInfo; import android.content.pm.ApplicationInfo; import android.content.pm.ApplicationInfo.HiddenApiEnforcementPolicy; import android.content.pm.ConfigurationInfo; import android.content.pm.IPackageDataObserver; import android.content.pm.IPackageManager; Loading Loading @@ -4185,12 +4186,14 @@ public class ActivityManagerService extends IActivityManager.Stub runtimeFlags |= Zygote.ONLY_USE_SYSTEM_OAT_FILES; } if (!app.info.isAllowedToUseHiddenApi() && !disableHiddenApiChecks && !mHiddenApiBlacklist.isDisabled()) { // This app is not allowed to use undocumented and private APIs, or blacklisting is // enabled. Set up its runtime with the appropriate flag. runtimeFlags |= Zygote.ENABLE_HIDDEN_API_CHECKS; if (!disableHiddenApiChecks && !mHiddenApiBlacklist.isDisabled()) { @HiddenApiEnforcementPolicy int policy = app.info.getHiddenApiEnforcementPolicy(); int policyBits = (policy << Zygote.API_ENFORCEMENT_POLICY_SHIFT); if ((policyBits & Zygote.API_ENFORCEMENT_POLICY_MASK) != policyBits) { throw new IllegalStateException("Invalid API policy: " + policy); } runtimeFlags |= policyBits; } String invokeWith = null; services/core/java/com/android/server/pm/PackageDexOptimizer.java +6 −1 Original line number Diff line number Diff line Loading @@ -47,6 +47,8 @@ import java.util.Map; import dalvik.system.DexFile; import static android.content.pm.ApplicationInfo.HIDDEN_API_ENFORCEMENT_NONE; import static com.android.server.pm.Installer.DEXOPT_BOOTCOMPLETE; import static com.android.server.pm.Installer.DEXOPT_DEBUGGABLE; import static com.android.server.pm.Installer.DEXOPT_PROFILE_GUIDED; Loading Loading @@ -532,7 +534,10 @@ public class PackageDexOptimizer { int profileFlag = isProfileGuidedFilter ? DEXOPT_PROFILE_GUIDED : 0; // Some apps are executed with restrictions on hidden API usage. If this app is one // of them, pass a flag to dexopt to enable the same restrictions during compilation. int hiddenApiFlag = info.isAllowedToUseHiddenApi() ? 0 : DEXOPT_ENABLE_HIDDEN_API_CHECKS; // TODO we should pass the actual flag value to dexopt, rather than assuming blacklist int hiddenApiFlag = info.getHiddenApiEnforcementPolicy() == HIDDEN_API_ENFORCEMENT_NONE ? 0 : DEXOPT_ENABLE_HIDDEN_API_CHECKS; // Avoid generating CompactDex for modes that are latency critical. final int compilationReason = options.getCompilationReason(); boolean generateCompactDex = true; Loading Loading
core/java/android/content/pm/ApplicationInfo.java +78 −5 Original line number Diff line number Diff line Loading @@ -1101,6 +1101,58 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { /** @hide */ public String[] splitClassLoaderNames; /** * Represents the default policy. The actual policy used will depend on other properties of * the application, e.g. the target SDK version. * @hide */ public static final int HIDDEN_API_ENFORCEMENT_DEFAULT = -1; /** * No API enforcement; the app can access the entire internal private API. Only for use by * system apps. * @hide */ public static final int HIDDEN_API_ENFORCEMENT_NONE = 0; /** * Light grey list enforcement, the strictest option. Enforces the light grey, dark grey and * black lists. * @hide * */ public static final int HIDDEN_API_ENFORCEMENT_ALL_LISTS = 1; /** * Dark grey list enforcement. Enforces the dark grey and black lists * @hide */ public static final int HIDDEN_API_ENFORCEMENT_DARK_GREY_AND_BLACK = 2; /** * Blacklist enforcement only. * @hide */ public static final int HIDDEN_API_ENFORCEMENT_BLACK = 3; private static final int HIDDEN_API_ENFORCEMENT_MAX = HIDDEN_API_ENFORCEMENT_BLACK; /** * Values in this IntDef MUST be kept in sync with enum hiddenapi::EnforcementPolicy in * art/runtime/hidden_api.h * @hide */ @IntDef(prefix = { "HIDDEN_API_ENFORCEMENT_" }, value = { HIDDEN_API_ENFORCEMENT_DEFAULT, HIDDEN_API_ENFORCEMENT_NONE, HIDDEN_API_ENFORCEMENT_ALL_LISTS, HIDDEN_API_ENFORCEMENT_DARK_GREY_AND_BLACK, HIDDEN_API_ENFORCEMENT_BLACK, }) @Retention(RetentionPolicy.SOURCE) public @interface HiddenApiEnforcementPolicy {} private boolean isValidHiddenApiEnforcementPolicy(int policy) { return policy >= HIDDEN_API_ENFORCEMENT_DEFAULT && policy <= HIDDEN_API_ENFORCEMENT_MAX; } private int mHiddenApiPolicy = HIDDEN_API_ENFORCEMENT_DEFAULT; public void dump(Printer pw, String prefix) { dump(pw, prefix, DUMP_FLAG_ALL); } Loading Loading @@ -1188,7 +1240,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { if (category != CATEGORY_UNDEFINED) { pw.println(prefix + "category=" + category); } pw.println(prefix + "isAllowedToUseHiddenApi=" + isAllowedToUseHiddenApi()); pw.println(prefix + "HiddenApiEnforcementPolicy=" + getHiddenApiEnforcementPolicy()); } super.dumpBack(pw, prefix); } Loading Loading @@ -1386,6 +1438,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { appComponentFactory = orig.appComponentFactory; compileSdkVersion = orig.compileSdkVersion; compileSdkVersionCodename = orig.compileSdkVersionCodename; mHiddenApiPolicy = orig.mHiddenApiPolicy; } public String toString() { Loading Loading @@ -1459,6 +1512,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { dest.writeInt(compileSdkVersion); dest.writeString(compileSdkVersionCodename); dest.writeString(appComponentFactory); dest.writeInt(mHiddenApiPolicy); } public static final Parcelable.Creator<ApplicationInfo> CREATOR Loading Loading @@ -1529,6 +1583,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { compileSdkVersion = source.readInt(); compileSdkVersionCodename = source.readString(); appComponentFactory = source.readString(); mHiddenApiPolicy = source.readInt(); } /** Loading Loading @@ -1599,13 +1654,31 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { } } private boolean isPackageWhitelistedForHiddenApis() { return SystemConfig.getInstance().getHiddenApiWhitelistedApps().contains(packageName); } /** * @hide */ public boolean isAllowedToUseHiddenApi() { boolean whitelisted = SystemConfig.getInstance().getHiddenApiWhitelistedApps().contains(packageName); return whitelisted && (isSystemApp() || isUpdatedSystemApp()); public @HiddenApiEnforcementPolicy int getHiddenApiEnforcementPolicy() { if (mHiddenApiPolicy != HIDDEN_API_ENFORCEMENT_DEFAULT) { return mHiddenApiPolicy; } if (isPackageWhitelistedForHiddenApis() && (isSystemApp() || isUpdatedSystemApp())) { return HIDDEN_API_ENFORCEMENT_NONE; } return HIDDEN_API_ENFORCEMENT_BLACK; } /** * @hide */ public void setHiddenApiEnforcementPolicy(@HiddenApiEnforcementPolicy int policy) { if (!isValidHiddenApiEnforcementPolicy(policy)) { throw new IllegalArgumentException("Invalid API enforcement policy: " + policy); } mHiddenApiPolicy = policy; } /** Loading
core/java/com/android/internal/os/Zygote.java +14 −3 Original line number Diff line number Diff line Loading @@ -53,10 +53,21 @@ public final class Zygote { public static final int DISABLE_VERIFIER = 1 << 9; /** Only use oat files located in /system. Otherwise use dex/jar/apk . */ public static final int ONLY_USE_SYSTEM_OAT_FILES = 1 << 10; /** Do enfore hidden API access restrictions. */ public static final int ENABLE_HIDDEN_API_CHECKS = 1 << 11; /** Force generation of native debugging information for backtraces. */ public static final int DEBUG_GENERATE_MINI_DEBUG_INFO = 1 << 12; public static final int DEBUG_GENERATE_MINI_DEBUG_INFO = 1 << 11; /** * Hidden API access restrictions. This is a mask for bits representing the API enforcement * policy, defined by {@code @ApplicationInfo.HiddenApiEnforcementPolicy}. */ public static final int API_ENFORCEMENT_POLICY_MASK = (1 << 12) | (1 << 13); /** * Bit shift for use with {@link #API_ENFORCEMENT_POLICY_MASK}. * * (flags & API_ENFORCEMENT_POLICY_MASK) >> API_ENFORCEMENT_POLICY_SHIFT gives * @ApplicationInfo.ApiEnforcementPolicy values. */ public static final int API_ENFORCEMENT_POLICY_SHIFT = Integer.numberOfTrailingZeros(API_ENFORCEMENT_POLICY_MASK); /** No external storage should be mounted. */ public static final int MOUNT_EXTERNAL_NONE = IVold.REMOUNT_MODE_NONE; Loading
services/core/java/com/android/server/am/ActivityManagerService.java +9 −6 Original line number Diff line number Diff line Loading @@ -281,6 +281,7 @@ import android.content.Intent; import android.content.IntentFilter; import android.content.pm.ActivityInfo; import android.content.pm.ApplicationInfo; import android.content.pm.ApplicationInfo.HiddenApiEnforcementPolicy; import android.content.pm.ConfigurationInfo; import android.content.pm.IPackageDataObserver; import android.content.pm.IPackageManager; Loading Loading @@ -4185,12 +4186,14 @@ public class ActivityManagerService extends IActivityManager.Stub runtimeFlags |= Zygote.ONLY_USE_SYSTEM_OAT_FILES; } if (!app.info.isAllowedToUseHiddenApi() && !disableHiddenApiChecks && !mHiddenApiBlacklist.isDisabled()) { // This app is not allowed to use undocumented and private APIs, or blacklisting is // enabled. Set up its runtime with the appropriate flag. runtimeFlags |= Zygote.ENABLE_HIDDEN_API_CHECKS; if (!disableHiddenApiChecks && !mHiddenApiBlacklist.isDisabled()) { @HiddenApiEnforcementPolicy int policy = app.info.getHiddenApiEnforcementPolicy(); int policyBits = (policy << Zygote.API_ENFORCEMENT_POLICY_SHIFT); if ((policyBits & Zygote.API_ENFORCEMENT_POLICY_MASK) != policyBits) { throw new IllegalStateException("Invalid API policy: " + policy); } runtimeFlags |= policyBits; } String invokeWith = null;
services/core/java/com/android/server/pm/PackageDexOptimizer.java +6 −1 Original line number Diff line number Diff line Loading @@ -47,6 +47,8 @@ import java.util.Map; import dalvik.system.DexFile; import static android.content.pm.ApplicationInfo.HIDDEN_API_ENFORCEMENT_NONE; import static com.android.server.pm.Installer.DEXOPT_BOOTCOMPLETE; import static com.android.server.pm.Installer.DEXOPT_DEBUGGABLE; import static com.android.server.pm.Installer.DEXOPT_PROFILE_GUIDED; Loading Loading @@ -532,7 +534,10 @@ public class PackageDexOptimizer { int profileFlag = isProfileGuidedFilter ? DEXOPT_PROFILE_GUIDED : 0; // Some apps are executed with restrictions on hidden API usage. If this app is one // of them, pass a flag to dexopt to enable the same restrictions during compilation. int hiddenApiFlag = info.isAllowedToUseHiddenApi() ? 0 : DEXOPT_ENABLE_HIDDEN_API_CHECKS; // TODO we should pass the actual flag value to dexopt, rather than assuming blacklist int hiddenApiFlag = info.getHiddenApiEnforcementPolicy() == HIDDEN_API_ENFORCEMENT_NONE ? 0 : DEXOPT_ENABLE_HIDDEN_API_CHECKS; // Avoid generating CompactDex for modes that are latency critical. final int compilationReason = options.getCompilationReason(); boolean generateCompactDex = true; Loading
