Recent work has been using Error Prone rules and annotations to
reflect the current state of permission enforcement across the
Bluetooth stack, and we're now in a position where we can add new
permission enforcement that had been missing.
We've currently standardized on saying that APIs that return device
or Bluetooth state information (without sharing details about any
particular remote Bluetooth device) do not need to be permission
protected.
Bug: 183626724
Test: ./build/soong/soong_ui.bash --make-mode Bluetooth RUN_ERROR_PRONE=true
Change-Id: I53ac7a4fe1dea57316048c3cac4fa237b6ba3d38
We've had @RequiresPermission annotations across public APIs for many
years, but we've never built out the tooling to validate that the
service implementations actually enforced those permissions.
This change adds an Error Prone checker that does bi-directional
validation of these annotations, confirming that AIDL implementations
enforce the permissions, and that AIDL callers carry those
annotations through any indirect call-paths.
Currently, enforcement validation is best-effort, since it assumes
that any enforcement referencing the annotated permissions is enough
to pass; it doesn't attempt any code flow analysis. It also doesn't
understand concepts like Binder.clearCallingIdentity().
To begin using this checker, simply begin annotating your AIDL files
using a strategy like this:
@JavaPassthrough(annotation="@android.annotation.RequiresPermission(android.Manifest.permission.BLUETOOTH_PRIVILEGED)")
void aidlMethod();
Bug: 183626724
Test: atest error_prone_android_framework_test:RequiresPermissionCheckerTest
Change-Id: I26a872f07ab13931c241cbb02ff7228edf7dc3b9
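How the two directions of the check line up in practice, as an added illustration that is not code from the change itself: a hypothetical `IDeviceService` AIDL method carries the annotation shown above, the service Stub enforces it, and a manager class that reaches the call indirectly carries the same annotation. The class and method names are constructed for this example.

```java
// IDeviceService.aidl (constructed):
//   @JavaPassthrough(annotation="@android.annotation.RequiresPermission(android.Manifest.permission.BLUETOOTH_PRIVILEGED)")
//   void aidlMethod();

import android.Manifest;
import android.annotation.RequiresPermission;
import android.content.Context;
import android.os.RemoteException;

// --- DeviceService.java (service side) ---
// The implementation must reference the annotated permission in an enforcement call;
// the check is best-effort, so this single call is enough to satisfy it.
class DeviceService extends IDeviceService.Stub {
    private final Context mContext;
    DeviceService(Context context) { mContext = context; }

    @Override
    @RequiresPermission(Manifest.permission.BLUETOOTH_PRIVILEGED)
    public void aidlMethod() {
        mContext.enforceCallingOrSelfPermission(
                Manifest.permission.BLUETOOTH_PRIVILEGED, "aidlMethod");
        // ... privileged work ...
    }
}

// --- DeviceManager.java (caller side) ---
// Any method on the call path into the AIDL method, direct or indirect, must carry
// the same annotation so the requirement is visible on the public API surface.
class DeviceManager {
    private final IDeviceService mService;
    DeviceManager(IDeviceService service) { mService = service; }

    @RequiresPermission(Manifest.permission.BLUETOOTH_PRIVILEGED)
    public void doPrivilegedThing() {
        try {
            mService.aidlMethod();
        } catch (RemoteException e) {
            throw e.rethrowFromSystemServer();
        }
    }
}
```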
Related changes are introducing new TypedXmlSerializer and
TypedXmlPullParser interfaces which offer efficient access to
primitive attributes, and this Error Prone detector helps identify
code that should shift to using those new interfaces.
Bug: 171832118
Test: atest error_prone_android_framework_test
Change-Id: Ic3ca6b96d2b056e6178e407af886bb925a3471c8
Android offers several efficient alternatives to some upstream
String operations, such as the newly added TextUtils.formatSimple().
This checker also detects and discourages transparent StringBuilder
operations related to Preconditions, where we always pay the cost of
building the failure message string, even in the successful case.
Bug: 170978902
Test: atest error_prone_android_framework_test
Change-Id: I8cef4c50d8b0da3f1e66727dfa724ad44b88963b
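The Preconditions pattern the checker is after, as an added example (not code from the change): the concatenated message is built on every call, while the template form only formats on failure. Assumes the framework-internal `com.android.internal.util.Preconditions.checkArgument(boolean, String, Object...)` overload and the public `TextUtils.formatSimple()`.

```java
import android.text.TextUtils;
import com.android.internal.util.Preconditions;

final class PreconditionsExample {
    // Flagged: the "+" concatenation compiles to a hidden StringBuilder that runs before
    // checkArgument is even entered, so the cost is paid on the successful path too.
    static void eager(int uid) {
        Preconditions.checkArgument(uid >= 0, "Invalid uid " + uid);
    }

    // Preferred: pass a template and arguments; the message is only formatted when
    // the check fails.
    static void lazy(int uid) {
        Preconditions.checkArgument(uid >= 0, "Invalid uid %d", uid);
    }

    // Outside Preconditions, formatSimple() is the cheaper replacement for String.format()
    // when only simple %s / %d style substitutions are needed.
    static String describe(int uid, String pkg) {
        return TextUtils.formatSimple("uid=%d pkg=%s", uid, pkg);
    }
}
```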
Add a mutability flag check for all method calls that create a PendingIntent.
Bug: 160794467
Test: atest error_prone_android_framework_test:com.google.errorprone.bugpatterns.android.PendingIntentMutabilityCheckerTest
Change-Id: I26a51a6dddb2793e9a56e72876f3f9d2aea4e3fb
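What the mutability check accepts and rejects, as an added example that is not part of the change: the first call leaves mutability unspecified, the others state it explicitly. The method names are constructed; the `PendingIntent` flags are the real public constants.

```java
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;

final class PendingIntentExample {
    // Flagged: no mutability flag. The intent stays implicitly mutable, so whichever app
    // receives it may fill in fields the creator left unspecified.
    static PendingIntent unspecified(Context ctx, Intent intent) {
        return PendingIntent.getActivity(ctx, 0, intent, PendingIntent.FLAG_UPDATE_CURRENT);
    }

    // Accepted: immutable is the safe default for the common case where the receiver
    // should only be able to send the intent as-is.
    static PendingIntent immutable(Context ctx, Intent intent) {
        return PendingIntent.getActivity(ctx, 0, intent,
                PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE);
    }

    // Accepted: mutability is deliberate here (e.g. a notification reply action that
    // needs fill-in), and the flag documents that decision for reviewers.
    static PendingIntent mutable(Context ctx, Intent intent) {
        return PendingIntent.getBroadcast(ctx, 0, intent,
                PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_MUTABLE);
    }
}
```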
Binder maintains thread-local identity information about any remote
caller, which can be temporarily cleared while performing operations
that need to be handled as the current process. However, it's
important to restore the original remote calling identity after
carefully scoping this work inside a try/finally block, to avoid
obscure security vulnerabilities.
Bug: 155703208
Test: atest error_prone_android_framework_test
Change-Id: I568771a50af27637e4984950dcada2248ce16afe
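The identity-restoration pattern the checker looks for, as an added example that is not code from the change: the unscoped form loses the original identity on any exception, the try/finally form cannot. `doWorkAsSystem()` is a constructed placeholder for work that must run as the service's own process.

```java
import android.os.Binder;

final class CallingIdentityExample {
    // Flagged: if doWorkAsSystem() throws, restoreCallingIdentity() never runs and every
    // later call handled on this Binder thread sees the service's identity instead of the
    // remote caller's, which is how permission checks silently start passing.
    void leaky() {
        long token = Binder.clearCallingIdentity();
        doWorkAsSystem();
        Binder.restoreCallingIdentity(token);
    }

    // Accepted: the cleared identity is scoped to exactly the work that needs it, and the
    // finally block guarantees restoration on every exit path.
    void scoped() {
        final long token = Binder.clearCallingIdentity();
        try {
            doWorkAsSystem();
        } finally {
            Binder.restoreCallingIdentity(token);
        }
    }

    private void doWorkAsSystem() {
        // e.g. reading a setting the caller itself is not permitted to read
    }
}
```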
Purposefully exclude telephony Binder interfaces, since we know they
always run under the separate AID_RADIO.
Bug: 155703208
Test: atest error_prone_android_framework_test
Change-Id: I3ce87caeb2abe3a7ca01ce10560d02b499ece07d
Because shifting newly written code over to using CompatChanges is
important, this change refines the recently added check and upgrades
it to become a fatal build error.
Bug: 169879376
Test: atest error_prone_android_framework_test
Change-Id: Ic3126518ebaac9995b8f649e44b839de30faa17f
Each SDK level often has dozens of different behavior changes, which
can be difficult for large app developers to adjust to during preview
or beta releases. For this reason, android.app.compat.CompatChanges
was introduced as a new best-practice for adding behavior changes.
During a preview or beta release, developers can temporarily opt-out
of each individual change to aid debugging. This opt-out is only
available during preview or beta releases, and cannot be adjusted on
finalized builds.
Bug: 169879376
Test: atest error_prone_android_framework_test
Change-Id: Ib3b2e2139e084b0fa1bcbb5e89dd55e7ca4bfa00
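The shape of a CompatChanges-gated behavior change next to the hand-rolled targetSdk comparison the checker discourages, as an added example that is not code from the change. The change name and its numeric id are placeholders; the annotations and `CompatChanges.isChangeEnabled()` are the real framework APIs.

```java
import android.app.compat.CompatChanges;
import android.compat.annotation.ChangeId;
import android.compat.annotation.EnabledAfter;
import android.os.Build;

final class CompatChangesExample {
    /**
     * Hypothetical change: stricter input validation, applied only to apps targeting
     * a release newer than R. Real change ids are bug numbers; this one is a placeholder.
     */
    @ChangeId
    @EnabledAfter(targetSdkVersion = Build.VERSION_CODES.R)
    static final long STRICT_INPUT_VALIDATION = 123456789L; // placeholder id

    // Discouraged: a bare targetSdk comparison gives an app developer no way to opt out
    // of just this change while debugging on a preview build.
    static boolean strictLegacy(int targetSdk) {
        return targetSdk > Build.VERSION_CODES.R;
    }

    // Preferred: the platform evaluates the gating, including any per-app opt-out that is
    // only honoured on preview or beta builds.
    static boolean strict() {
        return CompatChanges.isChangeEnabled(STRICT_INPUT_VALIDATION);
    }
}
```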
Parcelable data can be transported in many ways (some of which can be
very inefficient) so this checker guides developers towards using
high-performance best-practices.
Bug: 154436100, 155703208
Test: atest error_prone_android_framework_test
Change-Id: I253b5e1088c9bf9c3cf0d684cf73134f3bbf27ab
Several managers keep an "int mUserId" field which is assigned from
Context.getUserId(), so Binder calls referencing that field are okay.
Also shift to borrowing the "flavor" logic for detecting userId
parameters consistently.
Bug: 115654727, 159626156
Test: atest error_prone_android_framework_test
Change-Id: I9841fdf16f34c08b113e689e74b94f1ede839e2c
Many system internals pass around PID, UID and user ID arguments as a
single weakly-typed "int" value, which developers can accidentally
cross in method argument lists, resulting in obscure bugs.
Bug: 155703208
Test: atest error_prone_android_framework_test
Change-Id: I5e4d9b5a533071f94d82dff17faff5d52ae54564
We recently started writing custom Error Prone checkers, but it's
been painfully slow to develop against the giant source tree, so
this change adds tests to verify existing behavior and to enable TDD
for future checkers.
Bug: 155703208
Test: atest error_prone_android_framework_test
Change-Id: I7ea7484db5d19e812354703e561a499077329098