diff options
| author | TreeHugger Robot <treehugger-gerrit@google.com> | 2018-05-25 07:15:45 +0000 |
|---|---|---|
| committer | Android (Google) Code Review <android-gerrit@google.com> | 2018-05-25 07:15:45 +0000 |
| commit | d002e4950143dc24e247f5a1a3aea69776c22046 (patch) | |
| tree | 42c0e8e2a4d923e348c304eb9248f8e3aea7e57b | |
| parent | bd03c1513f3828355124f02d6bb68ec78b26a1bc (diff) | |
| parent | 6106a4ead530549c3570f682846ba731b97f81ab (diff) | |
| download | build-d002e4950143dc24e247f5a1a3aea69776c22046.tar.gz | |
Merge "Enable CFI by default but restrict CFI_INCLUDE_PATHS" into pi-dev
| -rw-r--r-- | core/config_sanitizers.mk | 18 | ||||
| -rw-r--r-- | target/product/core_64_bit.mk | 4 | ||||
| -rw-r--r-- | target/product/core_64_bit_only.mk | 4 |
3 files changed, 18 insertions, 8 deletions
diff --git a/core/config_sanitizers.mk b/core/config_sanitizers.mk index e0f8aca6c4..d570ccda8e 100644 --- a/core/config_sanitizers.mk +++ b/core/config_sanitizers.mk @@ -96,15 +96,17 @@ ifeq ($(LOCAL_SANITIZE),never) my_sanitize_diag := endif -# Enable CFI in included paths. +# Enable CFI in included paths (for Arm64 only). ifeq ($(filter cfi, $(my_sanitize)),) - combined_include_paths := $(CFI_INCLUDE_PATHS) \ - $(PRODUCT_CFI_INCLUDE_PATHS) - - ifneq ($(strip $(foreach dir,$(subst $(comma),$(space),$(combined_include_paths)),\ - $(filter $(dir)%,$(LOCAL_PATH)))),) - my_sanitize := cfi $(my_sanitize) - my_sanitize_diag := cfi $(my_sanitize_diag) + ifneq ($(filter arm64,$(TARGET_$(LOCAL_2ND_ARCH_VAR_PREFIX)ARCH)),) + combined_include_paths := $(CFI_INCLUDE_PATHS) \ + $(PRODUCT_CFI_INCLUDE_PATHS) + + ifneq ($(strip $(foreach dir,$(subst $(comma),$(space),$(combined_include_paths)),\ + $(filter $(dir)%,$(LOCAL_PATH)))),) + my_sanitize := cfi $(my_sanitize) + my_sanitize_diag := cfi $(my_sanitize_diag) + endif endif endif diff --git a/target/product/core_64_bit.mk b/target/product/core_64_bit.mk index 76e2a36a38..e6fd97c24a 100644 --- a/target/product/core_64_bit.mk +++ b/target/product/core_64_bit.mk @@ -31,3 +31,7 @@ PRODUCT_DEFAULT_PROPERTY_OVERRIDES += ro.zygote=zygote64_32 TARGET_SUPPORTS_32_BIT_APPS := true TARGET_SUPPORTS_64_BIT_APPS := true + +# Enable CFI for security-sensitive components +$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk) +$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk) diff --git a/target/product/core_64_bit_only.mk b/target/product/core_64_bit_only.mk index 72d30f52bb..06907131d1 100644 --- a/target/product/core_64_bit_only.mk +++ b/target/product/core_64_bit_only.mk @@ -28,3 +28,7 @@ PRODUCT_DEFAULT_PROPERTY_OVERRIDES += ro.zygote=zygote64 TARGET_SUPPORTS_32_BIT_APPS := false TARGET_SUPPORTS_64_BIT_APPS := true + +# Enable CFI for security-sensitive components +$(call inherit-product, $(SRC_TARGET_DIR)/product/cfi-common.mk) +$(call inherit-product-if-exists, vendor/google/products/cfi-vendor.mk) |