• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2018 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "hidden_api.h"
18 
19 #include <nativehelper/scoped_local_ref.h>
20 
21 #include "art_field-inl.h"
22 #include "art_method-inl.h"
23 #include "base/dumpable.h"
24 #include "base/file_utils.h"
25 #include "class_root.h"
26 #include "dex/class_accessor-inl.h"
27 #include "dex/dex_file_loader.h"
28 #include "mirror/class_ext.h"
29 #include "oat_file.h"
30 #include "scoped_thread_state_change.h"
31 #include "thread-inl.h"
32 #include "well_known_classes.h"
33 
34 namespace art {
35 namespace hiddenapi {
36 
37 // Set to true if we should always print a warning in logcat for all hidden API accesses, not just
38 // dark grey and black. This can be set to true for developer preview / beta builds, but should be
39 // false for public release builds.
40 // Note that when flipping this flag, you must also update the expectations of test 674-hiddenapi
41 // as it affects whether or not we warn for light grey APIs that have been added to the exemptions
42 // list.
43 static constexpr bool kLogAllAccesses = false;
44 
operator <<(std::ostream & os,AccessMethod value)45 static inline std::ostream& operator<<(std::ostream& os, AccessMethod value) {
46   switch (value) {
47     case AccessMethod::kNone:
48       LOG(FATAL) << "Internal access to hidden API should not be logged";
49       UNREACHABLE();
50     case AccessMethod::kReflection:
51       os << "reflection";
52       break;
53     case AccessMethod::kJNI:
54       os << "JNI";
55       break;
56     case AccessMethod::kLinking:
57       os << "linking";
58       break;
59   }
60   return os;
61 }
62 
operator <<(std::ostream & os,const AccessContext & value)63 static inline std::ostream& operator<<(std::ostream& os, const AccessContext& value)
64     REQUIRES_SHARED(Locks::mutator_lock_) {
65   if (!value.GetClass().IsNull()) {
66     std::string tmp;
67     os << value.GetClass()->GetDescriptor(&tmp);
68   } else if (value.GetDexFile() != nullptr) {
69     os << value.GetDexFile()->GetLocation();
70   } else {
71     os << "<unknown_caller>";
72   }
73   return os;
74 }
75 
DetermineDomainFromLocation(const std::string & dex_location,ObjPtr<mirror::ClassLoader> class_loader)76 static Domain DetermineDomainFromLocation(const std::string& dex_location,
77                                           ObjPtr<mirror::ClassLoader> class_loader) {
78   // If running with APEX, check `path` against known APEX locations.
79   // These checks will be skipped on target buildbots where ANDROID_RUNTIME_ROOT
80   // is set to "/system".
81   if (RuntimeModuleRootDistinctFromAndroidRoot()) {
82     if (LocationIsOnRuntimeModule(dex_location.c_str()) ||
83         LocationIsOnConscryptModule(dex_location.c_str())) {
84       return Domain::kCorePlatform;
85     }
86 
87     if (LocationIsOnApex(dex_location.c_str())) {
88       return Domain::kPlatform;
89     }
90   }
91 
92   if (LocationIsOnSystemFramework(dex_location.c_str())) {
93     return Domain::kPlatform;
94   }
95 
96   if (class_loader.IsNull()) {
97     LOG(WARNING) << "DexFile " << dex_location
98         << " is in boot class path but is not in a known location";
99     return Domain::kPlatform;
100   }
101 
102   return Domain::kApplication;
103 }
104 
InitializeDexFileDomain(const DexFile & dex_file,ObjPtr<mirror::ClassLoader> class_loader)105 void InitializeDexFileDomain(const DexFile& dex_file, ObjPtr<mirror::ClassLoader> class_loader) {
106   Domain dex_domain = DetermineDomainFromLocation(dex_file.GetLocation(), class_loader);
107 
108   // Assign the domain unless a more permissive domain has already been assigned.
109   // This may happen when DexFile is initialized as trusted.
110   if (IsDomainMoreTrustedThan(dex_domain, dex_file.GetHiddenapiDomain())) {
111     dex_file.SetHiddenapiDomain(dex_domain);
112   }
113 }
114 
115 namespace detail {
116 
117 // Do not change the values of items in this enum, as they are written to the
118 // event log for offline analysis. Any changes will interfere with that analysis.
119 enum AccessContextFlags {
120   // Accessed member is a field if this bit is set, else a method
121   kMemberIsField = 1 << 0,
122   // Indicates if access was denied to the member, instead of just printing a warning.
123   kAccessDenied  = 1 << 1,
124 };
125 
MemberSignature(ArtField * field)126 MemberSignature::MemberSignature(ArtField* field) {
127   class_name_ = field->GetDeclaringClass()->GetDescriptor(&tmp_);
128   member_name_ = field->GetName();
129   type_signature_ = field->GetTypeDescriptor();
130   type_ = kField;
131 }
132 
MemberSignature(ArtMethod * method)133 MemberSignature::MemberSignature(ArtMethod* method) {
134   DCHECK(method == method->GetInterfaceMethodIfProxy(kRuntimePointerSize))
135       << "Caller should have replaced proxy method with interface method";
136   class_name_ = method->GetDeclaringClass()->GetDescriptor(&tmp_);
137   member_name_ = method->GetName();
138   type_signature_ = method->GetSignature().ToString();
139   type_ = kMethod;
140 }
141 
MemberSignature(const ClassAccessor::Field & field)142 MemberSignature::MemberSignature(const ClassAccessor::Field& field) {
143   const DexFile& dex_file = field.GetDexFile();
144   const dex::FieldId& field_id = dex_file.GetFieldId(field.GetIndex());
145   class_name_ = dex_file.GetFieldDeclaringClassDescriptor(field_id);
146   member_name_ = dex_file.GetFieldName(field_id);
147   type_signature_ = dex_file.GetFieldTypeDescriptor(field_id);
148   type_ = kField;
149 }
150 
MemberSignature(const ClassAccessor::Method & method)151 MemberSignature::MemberSignature(const ClassAccessor::Method& method) {
152   const DexFile& dex_file = method.GetDexFile();
153   const dex::MethodId& method_id = dex_file.GetMethodId(method.GetIndex());
154   class_name_ = dex_file.GetMethodDeclaringClassDescriptor(method_id);
155   member_name_ = dex_file.GetMethodName(method_id);
156   type_signature_ = dex_file.GetMethodSignature(method_id).ToString();
157   type_ = kMethod;
158 }
159 
GetSignatureParts() const160 inline std::vector<const char*> MemberSignature::GetSignatureParts() const {
161   if (type_ == kField) {
162     return { class_name_.c_str(), "->", member_name_.c_str(), ":", type_signature_.c_str() };
163   } else {
164     DCHECK_EQ(type_, kMethod);
165     return { class_name_.c_str(), "->", member_name_.c_str(), type_signature_.c_str() };
166   }
167 }
168 
DoesPrefixMatch(const std::string & prefix) const169 bool MemberSignature::DoesPrefixMatch(const std::string& prefix) const {
170   size_t pos = 0;
171   for (const char* part : GetSignatureParts()) {
172     size_t count = std::min(prefix.length() - pos, strlen(part));
173     if (prefix.compare(pos, count, part, 0, count) == 0) {
174       pos += count;
175     } else {
176       return false;
177     }
178   }
179   // We have a complete match if all parts match (we exit the loop without
180   // returning) AND we've matched the whole prefix.
181   return pos == prefix.length();
182 }
183 
IsExempted(const std::vector<std::string> & exemptions)184 bool MemberSignature::IsExempted(const std::vector<std::string>& exemptions) {
185   for (const std::string& exemption : exemptions) {
186     if (DoesPrefixMatch(exemption)) {
187       return true;
188     }
189   }
190   return false;
191 }
192 
Dump(std::ostream & os) const193 void MemberSignature::Dump(std::ostream& os) const {
194   for (const char* part : GetSignatureParts()) {
195     os << part;
196   }
197 }
198 
WarnAboutAccess(AccessMethod access_method,hiddenapi::ApiList list,bool access_denied)199 void MemberSignature::WarnAboutAccess(AccessMethod access_method,
200                                       hiddenapi::ApiList list,
201                                       bool access_denied) {
202   LOG(WARNING) << "Accessing hidden " << (type_ == kField ? "field " : "method ")
203                << Dumpable<MemberSignature>(*this) << " (" << list << ", " << access_method
204                << (access_denied ? ", denied)" : ", allowed)");
205 }
206 
Equals(const MemberSignature & other)207 bool MemberSignature::Equals(const MemberSignature& other) {
208   return type_ == other.type_ &&
209          class_name_ == other.class_name_ &&
210          member_name_ == other.member_name_ &&
211          type_signature_ == other.type_signature_;
212 }
213 
MemberNameAndTypeMatch(const MemberSignature & other)214 bool MemberSignature::MemberNameAndTypeMatch(const MemberSignature& other) {
215   return member_name_ == other.member_name_ && type_signature_ == other.type_signature_;
216 }
217 
LogAccessToEventLog(uint32_t sampled_value,AccessMethod access_method,bool access_denied)218 void MemberSignature::LogAccessToEventLog(uint32_t sampled_value,
219                                           AccessMethod access_method,
220                                           bool access_denied) {
221 #ifdef ART_TARGET_ANDROID
222   if (access_method == AccessMethod::kLinking || access_method == AccessMethod::kNone) {
223     // Linking warnings come from static analysis/compilation of the bytecode
224     // and can contain false positives (i.e. code that is never run). We choose
225     // not to log these in the event log.
226     // None does not correspond to actual access, so should also be ignored.
227     return;
228   }
229   Runtime* runtime = Runtime::Current();
230   if (runtime->IsAotCompiler()) {
231     return;
232   }
233   JNIEnvExt* env = Thread::Current()->GetJniEnv();
234   const std::string& package_name = Runtime::Current()->GetProcessPackageName();
235   ScopedLocalRef<jstring> package_str(env, env->NewStringUTF(package_name.c_str()));
236   if (env->ExceptionCheck()) {
237     env->ExceptionClear();
238     LOG(ERROR) << "Unable to allocate string for package name which called hidden api";
239   }
240   std::ostringstream signature_str;
241   Dump(signature_str);
242   ScopedLocalRef<jstring> signature_jstr(env,
243       env->NewStringUTF(signature_str.str().c_str()));
244   if (env->ExceptionCheck()) {
245     env->ExceptionClear();
246     LOG(ERROR) << "Unable to allocate string for hidden api method signature";
247   }
248   env->CallStaticVoidMethod(WellKnownClasses::dalvik_system_VMRuntime,
249       WellKnownClasses::dalvik_system_VMRuntime_hiddenApiUsed,
250       sampled_value,
251       package_str.get(),
252       signature_jstr.get(),
253       static_cast<jint>(access_method),
254       access_denied);
255   if (env->ExceptionCheck()) {
256     env->ExceptionClear();
257     LOG(ERROR) << "Unable to report hidden api usage";
258   }
259 #else
260   UNUSED(sampled_value);
261   UNUSED(access_method);
262   UNUSED(access_denied);
263 #endif
264 }
265 
NotifyHiddenApiListener(AccessMethod access_method)266 void MemberSignature::NotifyHiddenApiListener(AccessMethod access_method) {
267   if (access_method != AccessMethod::kReflection && access_method != AccessMethod::kJNI) {
268     // We can only up-call into Java during reflection and JNI down-calls.
269     return;
270   }
271 
272   Runtime* runtime = Runtime::Current();
273   if (!runtime->IsAotCompiler()) {
274     ScopedObjectAccessUnchecked soa(Thread::Current());
275 
276     ScopedLocalRef<jobject> consumer_object(soa.Env(),
277         soa.Env()->GetStaticObjectField(
278             WellKnownClasses::dalvik_system_VMRuntime,
279             WellKnownClasses::dalvik_system_VMRuntime_nonSdkApiUsageConsumer));
280     // If the consumer is non-null, we call back to it to let it know that we
281     // have encountered an API that's in one of our lists.
282     if (consumer_object != nullptr) {
283       std::ostringstream member_signature_str;
284       Dump(member_signature_str);
285 
286       ScopedLocalRef<jobject> signature_str(
287           soa.Env(),
288           soa.Env()->NewStringUTF(member_signature_str.str().c_str()));
289 
290       // Call through to Consumer.accept(String memberSignature);
291       soa.Env()->CallVoidMethod(consumer_object.get(),
292                                 WellKnownClasses::java_util_function_Consumer_accept,
293                                 signature_str.get());
294     }
295   }
296 }
297 
CanUpdateRuntimeFlags(ArtField *)298 static ALWAYS_INLINE bool CanUpdateRuntimeFlags(ArtField*) {
299   return true;
300 }
301 
CanUpdateRuntimeFlags(ArtMethod * method)302 static ALWAYS_INLINE bool CanUpdateRuntimeFlags(ArtMethod* method) {
303   return !method->IsIntrinsic();
304 }
305 
306 template<typename T>
MaybeUpdateAccessFlags(Runtime * runtime,T * member,uint32_t flag)307 static ALWAYS_INLINE void MaybeUpdateAccessFlags(Runtime* runtime, T* member, uint32_t flag)
308     REQUIRES_SHARED(Locks::mutator_lock_) {
309   // Update the access flags unless:
310   // (a) `member` is an intrinsic
311   // (b) this is AOT compiler, as we do not want the updated access flags in the boot/app image
312   // (c) deduping warnings has been explicitly switched off.
313   if (CanUpdateRuntimeFlags(member) &&
314       !runtime->IsAotCompiler() &&
315       runtime->ShouldDedupeHiddenApiWarnings()) {
316     member->SetAccessFlags(member->GetAccessFlags() | flag);
317   }
318 }
319 
GetMemberDexIndex(ArtField * field)320 static ALWAYS_INLINE uint32_t GetMemberDexIndex(ArtField* field) {
321   return field->GetDexFieldIndex();
322 }
323 
GetMemberDexIndex(ArtMethod * method)324 static ALWAYS_INLINE uint32_t GetMemberDexIndex(ArtMethod* method)
325     REQUIRES_SHARED(Locks::mutator_lock_) {
326   // Use the non-obsolete method to avoid DexFile mismatch between
327   // the method index and the declaring class.
328   return method->GetNonObsoleteMethod()->GetDexMethodIndex();
329 }
330 
VisitMembers(const DexFile & dex_file,const dex::ClassDef & class_def,const std::function<void (const ClassAccessor::Field &)> & fn_visit)331 static void VisitMembers(const DexFile& dex_file,
332                          const dex::ClassDef& class_def,
333                          const std::function<void(const ClassAccessor::Field&)>& fn_visit) {
334   ClassAccessor accessor(dex_file, class_def, /* parse_hiddenapi_class_data= */ true);
335   accessor.VisitFields(fn_visit, fn_visit);
336 }
337 
VisitMembers(const DexFile & dex_file,const dex::ClassDef & class_def,const std::function<void (const ClassAccessor::Method &)> & fn_visit)338 static void VisitMembers(const DexFile& dex_file,
339                          const dex::ClassDef& class_def,
340                          const std::function<void(const ClassAccessor::Method&)>& fn_visit) {
341   ClassAccessor accessor(dex_file, class_def, /* parse_hiddenapi_class_data= */ true);
342   accessor.VisitMethods(fn_visit, fn_visit);
343 }
344 
345 template<typename T>
GetDexFlags(T * member)346 uint32_t GetDexFlags(T* member) REQUIRES_SHARED(Locks::mutator_lock_) {
347   static_assert(std::is_same<T, ArtField>::value || std::is_same<T, ArtMethod>::value);
348   constexpr bool kMemberIsField = std::is_same<T, ArtField>::value;
349   using AccessorType = typename std::conditional<std::is_same<T, ArtField>::value,
350       ClassAccessor::Field, ClassAccessor::Method>::type;
351 
352   ObjPtr<mirror::Class> declaring_class = member->GetDeclaringClass();
353   DCHECK(!declaring_class.IsNull()) << "Attempting to access a runtime method";
354 
355   ApiList flags;
356   DCHECK(!flags.IsValid());
357 
358   // Check if the declaring class has ClassExt allocated. If it does, check if
359   // the pre-JVMTI redefine dex file has been set to determine if the declaring
360   // class has been JVMTI-redefined.
361   ObjPtr<mirror::ClassExt> ext(declaring_class->GetExtData());
362   const DexFile* original_dex = ext.IsNull() ? nullptr : ext->GetPreRedefineDexFile();
363   if (LIKELY(original_dex == nullptr)) {
364     // Class is not redefined. Find the class def, iterate over its members and
365     // find the entry corresponding to this `member`.
366     const dex::ClassDef* class_def = declaring_class->GetClassDef();
367     if (class_def == nullptr) {
368       // ClassDef is not set for proxy classes. Only their fields can ever be inspected.
369       DCHECK(declaring_class->IsProxyClass())
370           << "Only proxy classes are expected not to have a class def";
371       DCHECK(kMemberIsField)
372           << "Interface methods should be inspected instead of proxy class methods";
373       flags = ApiList::Greylist();
374     } else {
375       uint32_t member_index = GetMemberDexIndex(member);
376       auto fn_visit = [&](const AccessorType& dex_member) {
377         if (dex_member.GetIndex() == member_index) {
378           flags = ApiList(dex_member.GetHiddenapiFlags());
379         }
380       };
381       VisitMembers(declaring_class->GetDexFile(), *class_def, fn_visit);
382     }
383   } else {
384     // Class was redefined using JVMTI. We have a pointer to the original dex file
385     // and the class def index of this class in that dex file, but the field/method
386     // indices are lost. Iterate over all members of the class def and find the one
387     // corresponding to this `member` by name and type string comparison.
388     // This is obviously very slow, but it is only used when non-exempt code tries
389     // to access a hidden member of a JVMTI-redefined class.
390     uint16_t class_def_idx = ext->GetPreRedefineClassDefIndex();
391     DCHECK_NE(class_def_idx, DexFile::kDexNoIndex16);
392     const dex::ClassDef& original_class_def = original_dex->GetClassDef(class_def_idx);
393     MemberSignature member_signature(member);
394     auto fn_visit = [&](const AccessorType& dex_member) {
395       MemberSignature cur_signature(dex_member);
396       if (member_signature.MemberNameAndTypeMatch(cur_signature)) {
397         DCHECK(member_signature.Equals(cur_signature));
398         flags = ApiList(dex_member.GetHiddenapiFlags());
399       }
400     };
401     VisitMembers(*original_dex, original_class_def, fn_visit);
402   }
403 
404   CHECK(flags.IsValid()) << "Could not find hiddenapi flags for "
405       << Dumpable<MemberSignature>(MemberSignature(member));
406   return flags.GetDexFlags();
407 }
408 
409 template<typename T>
HandleCorePlatformApiViolation(T * member,const AccessContext & caller_context,AccessMethod access_method,EnforcementPolicy policy)410 bool HandleCorePlatformApiViolation(T* member,
411                                     const AccessContext& caller_context,
412                                     AccessMethod access_method,
413                                     EnforcementPolicy policy) {
414   DCHECK(policy != EnforcementPolicy::kDisabled)
415       << "Should never enter this function when access checks are completely disabled";
416 
417   if (access_method != AccessMethod::kNone) {
418     LOG(WARNING) << "Core platform API violation: "
419         << Dumpable<MemberSignature>(MemberSignature(member))
420         << " from " << caller_context << " using " << access_method;
421 
422     // If policy is set to just warn, add kAccCorePlatformApi to access flags of
423     // `member` to avoid reporting the violation again next time.
424     if (policy == EnforcementPolicy::kJustWarn) {
425       MaybeUpdateAccessFlags(Runtime::Current(), member, kAccCorePlatformApi);
426     }
427   }
428 
429   // Deny access if enforcement is enabled.
430   return policy == EnforcementPolicy::kEnabled;
431 }
432 
433 template<typename T>
ShouldDenyAccessToMemberImpl(T * member,ApiList api_list,AccessMethod access_method)434 bool ShouldDenyAccessToMemberImpl(T* member, ApiList api_list, AccessMethod access_method) {
435   DCHECK(member != nullptr);
436   Runtime* runtime = Runtime::Current();
437 
438   EnforcementPolicy policy = runtime->GetHiddenApiEnforcementPolicy();
439   DCHECK(policy != EnforcementPolicy::kDisabled)
440       << "Should never enter this function when access checks are completely disabled";
441 
442   const bool deny_access =
443       (policy == EnforcementPolicy::kEnabled) &&
444       IsSdkVersionSetAndMoreThan(runtime->GetTargetSdkVersion(),
445                                  api_list.GetMaxAllowedSdkVersion());
446 
447   MemberSignature member_signature(member);
448 
449   // Check for an exemption first. Exempted APIs are treated as white list.
450   if (member_signature.IsExempted(runtime->GetHiddenApiExemptions())) {
451     // Avoid re-examining the exemption list next time.
452     // Note this results in no warning for the member, which seems like what one would expect.
453     // Exemptions effectively adds new members to the whitelist.
454     MaybeUpdateAccessFlags(runtime, member, kAccPublicApi);
455     return false;
456   }
457 
458   if (access_method != AccessMethod::kNone) {
459     // Print a log message with information about this class member access.
460     // We do this if we're about to deny access, or the app is debuggable.
461     if (kLogAllAccesses || deny_access || runtime->IsJavaDebuggable()) {
462       member_signature.WarnAboutAccess(access_method, api_list, deny_access);
463     }
464 
465     // If there is a StrictMode listener, notify it about this violation.
466     member_signature.NotifyHiddenApiListener(access_method);
467 
468     // If event log sampling is enabled, report this violation.
469     if (kIsTargetBuild && !kIsTargetLinux) {
470       uint32_t eventLogSampleRate = runtime->GetHiddenApiEventLogSampleRate();
471       // Assert that RAND_MAX is big enough, to ensure sampling below works as expected.
472       static_assert(RAND_MAX >= 0xffff, "RAND_MAX too small");
473       if (eventLogSampleRate != 0) {
474         const uint32_t sampled_value = static_cast<uint32_t>(std::rand()) & 0xffff;
475         if (sampled_value < eventLogSampleRate) {
476           member_signature.LogAccessToEventLog(sampled_value, access_method, deny_access);
477         }
478       }
479     }
480 
481     // If this access was not denied, move the member into whitelist and skip
482     // the warning the next time the member is accessed.
483     if (!deny_access) {
484       MaybeUpdateAccessFlags(runtime, member, kAccPublicApi);
485     }
486   }
487 
488   return deny_access;
489 }
490 
491 // Need to instantiate these.
492 template uint32_t GetDexFlags<ArtField>(ArtField* member);
493 template uint32_t GetDexFlags<ArtMethod>(ArtMethod* member);
494 template bool HandleCorePlatformApiViolation(ArtField* member,
495                                              const AccessContext& caller_context,
496                                              AccessMethod access_method,
497                                              EnforcementPolicy policy);
498 template bool HandleCorePlatformApiViolation(ArtMethod* member,
499                                              const AccessContext& caller_context,
500                                              AccessMethod access_method,
501                                              EnforcementPolicy policy);
502 template bool ShouldDenyAccessToMemberImpl<ArtField>(ArtField* member,
503                                                      ApiList api_list,
504                                                      AccessMethod access_method);
505 template bool ShouldDenyAccessToMemberImpl<ArtMethod>(ArtMethod* member,
506                                                       ApiList api_list,
507                                                       AccessMethod access_method);
508 }  // namespace detail
509 
510 }  // namespace hiddenapi
511 }  // namespace art
512