derive_classpath/derive_classpath.cpp

/*
 * Copyright (C) 2021 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include "derive_classpath.h"
#include <android-base/file.h>
#include <android-base/logging.h>
#include <android-base/strings.h>
#include <android-modules-utils/sdk_level.h>
#include <android-modules-utils/unbounded_sdk_level.h>
#include <glob.h>
#include <regex>
#include <sstream>

#include "packages/modules/common/proto/classpaths.pb.h"

namespace android {
namespace derive_classpath {

using Filepaths = std::vector<std::string>;
using Classpaths = std::unordered_map<Classpath, Filepaths>;

// Matches path of format: /apex/<module-name>@<version-digits-only>/*
static const std::regex kBindMountedApex("/apex/[^/]+@[0-9]+/");
// Capture module name in following formats:
// - /apex/<module-name>/*
// - /apex/<module-name>@*/*
static const std::regex kApexPathRegex("(/apex/[^@/]+)(?:@[^@/]+)?/");

static const std::string kBootclasspathFragmentLocation = "/etc/classpaths/bootclasspath.pb";
static const std::string kSystemserverclasspathFragmentLocation =
    "/etc/classpaths/systemserverclasspath.pb";

std::vector<std::string> getBootclasspathFragmentGlobPatterns(const Args& args) {
  // Scan only specific directory for fragments if scan_dir is specified
  if (!args.scan_dirs.empty()) {
    std::vector<std::string> patterns;
    for (const auto& scan_dir : args.scan_dirs) {
      patterns.push_back(scan_dir + kBootclasspathFragmentLocation);
    }
    return patterns;
  }

  // Defines the order of individual fragments to be merged for BOOTCLASSPATH:
  // 1. Jars in ART module always come first;
  // 2. Jars defined as part of /system/etc/classpaths;
  // 3. Jars defined in all non-ART apexes that expose /apex/*/etc/classpaths fragments.
  //
  // Notes:
  // - Relative order in the individual fragment files is not changed when merging.
  // - If a fragment file is matched by multiple globs, the first one is used; i.e. ART module
  //   fragment is only parsed once, even if there is a "/apex/*/" pattern later.
  // - If there are multiple files matched for a glob pattern with wildcards, the results are sorted
  //   by pathname (default glob behaviour); i.e. all fragment files are sorted within a single
  //   "pattern block".
  std::vector<std::string> patterns = {
      // ART module is a special case and must come first before any other classpath entries.
      "/apex/com.android.art" + kBootclasspathFragmentLocation,
  };
  if (args.system_bootclasspath_fragment.empty()) {
    patterns.emplace_back("/system" + kBootclasspathFragmentLocation);
  } else {
    // TODO: Avoid applying glob(3) expansion later to this path. Although the caller should not
    // provide a path that contains '*', it can technically happen. Instead of checking the string
    // format, we should just avoid the glob(3) for this string.
    patterns.emplace_back(args.system_bootclasspath_fragment);
  }
  patterns.emplace_back("/apex/*" + kBootclasspathFragmentLocation);
  return patterns;
}

std::vector<std::string> getSystemserverclasspathFragmentGlobPatterns(const Args& args) {
  // Scan only specific directory for fragments if scan_dir is specified
  if (!args.scan_dirs.empty()) {
    std::vector<std::string> patterns;
    for (const auto& scan_dir : args.scan_dirs) {
      patterns.push_back(scan_dir + kSystemserverclasspathFragmentLocation);
    }
    return patterns;
  }

  // Defines the order of individual fragments to be merged for SYSTEMSERVERCLASSPATH.
  //
  // ART system server jars are not special in this case, and are considered to be part of all the
  // other apexes that may expose system server jars.
  //
  // All notes from getBootclasspathFragmentGlobPatterns apply here.
  std::vector<std::string> patterns;
  if (args.system_systemserverclasspath_fragment.empty()) {
    patterns.emplace_back("/system" + kSystemserverclasspathFragmentLocation);
  } else {
    // TODO: Avoid applying glob(3) expansion later to this path. See above.
    patterns.emplace_back(args.system_systemserverclasspath_fragment);
  }
  patterns.emplace_back("/apex/*" + kSystemserverclasspathFragmentLocation);
  return patterns;
};

// Finds all classpath fragment files that match the glob pattern and appends them to `fragments`.
//
// If a newly found fragment is already present in `fragments`, it is skipped to avoid duplicates.
// Note that appended fragment files are sorted by pathnames, which is a default behaviour for
// glob().
//
// glob_pattern_prefix is only populated for unit tests so that we can search for pattern in a test
// directory instead of from root.
bool GlobClasspathFragments(Filepaths* fragments, const std::string& glob_pattern_prefix,
                            const std::string& pattern) {
  glob_t glob_result;
  const int ret = glob((glob_pattern_prefix + pattern).c_str(), GLOB_MARK, nullptr, &glob_result);
  if (ret != 0 && ret != GLOB_NOMATCH) {
    globfree(&glob_result);
    LOG(ERROR) << "Failed to glob " << glob_pattern_prefix + pattern;
    return false;
  }

  for (size_t i = 0; i < glob_result.gl_pathc; i++) {
    std::string path = glob_result.gl_pathv[i];
    // Skip <name>@<ver> dirs, as they are bind-mounted to <name>
    // Remove glob_pattern_prefix first since kBindMountedAPex has prefix requirement
    if (std::regex_search(path.substr(glob_pattern_prefix.size()), kBindMountedApex)) {
      continue;
    }
    // Make sure we don't push duplicate fragments from previously processed patterns
    if (std::find(fragments->begin(), fragments->end(), path) == fragments->end()) {
      fragments->push_back(path);
    }
  }
  globfree(&glob_result);
  return true;
}

// Writes the contents of *CLASSPATH variables to /data in the format expected by `load_exports`
// action from init.rc. See platform/system/core/init/README.md.
bool WriteClasspathExports(Classpaths classpaths, std::string_view output_path) {
  LOG(INFO) << "WriteClasspathExports " << output_path;

  std::stringstream out;
  out << "export BOOTCLASSPATH " << android::base::Join(classpaths[BOOTCLASSPATH], ':') << '\n';
  out << "export DEX2OATBOOTCLASSPATH "
      << android::base::Join(classpaths[DEX2OATBOOTCLASSPATH], ':') << '\n';
  out << "export SYSTEMSERVERCLASSPATH "
      << android::base::Join(classpaths[SYSTEMSERVERCLASSPATH], ':') << '\n';

  const std::string& content = out.str();
  LOG(INFO) << "WriteClasspathExports content\n" << content;

  const std::string path_str(output_path);
  if (android::base::StartsWith(path_str, "/data/")) {
    // When writing to /data, write to a temp file first to make sure the partition is not full.
    const std::string temp_str(path_str + ".tmp");
    if (!android::base::WriteStringToFile(content, temp_str, /*follow_symlinks=*/true)) {
      return false;
    }
    return rename(temp_str.c_str(), path_str.c_str()) == 0;
  } else {
    return android::base::WriteStringToFile(content, path_str, /*follow_symlinks=*/true);
  }
}

bool ReadClasspathFragment(ExportedClasspathsJars* fragment, const std::string& filepath) {
  LOG(INFO) << "ReadClasspathFragment " << filepath;
  std::string contents;
  if (!android::base::ReadFileToString(filepath, &contents)) {
    PLOG(ERROR) << "Failed to read " << filepath;
    return false;
  }
  if (!fragment->ParseFromString(contents)) {
    LOG(ERROR) << "Failed to parse " << filepath;
    return false;
  }
  return true;
}

// Returns an allowed prefix for a jar filepaths declared in a given fragment.
// For a given apex fragment, it returns the apex path - "/apex/com.android.foo" - as an allowed
// prefix for jars. This can be used to enforce that an apex fragment only exports jars located in
// that apex. For system fragment, it returns an empty string to allow any jars to be exported by
// the platform.
std::string GetAllowedJarPathPrefix(const std::string& fragment_path) {
  std::smatch match;
  if (std::regex_search(fragment_path, match, kApexPathRegex)) {
    return match[1];
  }
  return "";
}

// Finds and parses all classpath fragments on device matching given glob patterns.
bool ParseFragments(const Args& args, Classpaths& classpaths, bool boot_jars) {
  LOG(INFO) << "ParseFragments for " << (boot_jars ? "bootclasspath" : "systemserverclasspath");

  auto glob_patterns = boot_jars ? getBootclasspathFragmentGlobPatterns(args)
                                 : getSystemserverclasspathFragmentGlobPatterns(args);

  Filepaths fragments;
  for (const auto& pattern : glob_patterns) {
    if (!GlobClasspathFragments(&fragments, args.glob_pattern_prefix, pattern)) {
      return false;
    }
  }

  for (const auto& fragment_path : fragments) {
    ExportedClasspathsJars exportedJars;
    if (!ReadClasspathFragment(&exportedJars, fragment_path)) {
      return false;
    }

    // Either a path to the apex, or an empty string
    const std::string& allowed_jar_prefix = GetAllowedJarPathPrefix(fragment_path);

    for (const Jar& jar : exportedJars.jars()) {
      const std::string& jar_path = jar.path();
      CHECK(android::base::StartsWith(jar_path, allowed_jar_prefix))
          << fragment_path << " must not export a jar from outside of the apex: " << jar_path;

      const Classpath classpath = jar.classpath();
      CHECK(boot_jars ^ (classpath == SYSTEMSERVERCLASSPATH))
          << fragment_path << " must not export a jar for " << Classpath_Name(classpath);

      if (!jar.min_sdk_version().empty()) {
        const auto& min_sdk_version = jar.min_sdk_version();
        if (!android::modules::sdklevel::unbounded::IsAtLeast(min_sdk_version)) {
          LOG(INFO) << "not installing " << jar_path << " with min_sdk_version " << min_sdk_version;
          continue;
        }
      }

      if (!jar.max_sdk_version().empty()) {
        const auto& max_sdk_version = jar.max_sdk_version();
        if (!android::modules::sdklevel::unbounded::IsAtMost(max_sdk_version)) {
          LOG(INFO) << "not installing " << jar_path << " with max_sdk_version " << max_sdk_version;
          continue;
        }
      }

      classpaths[classpath].push_back(jar_path);
    }
  }
  return true;
}

// Generates /data/system/environ/classpath exports file by globing and merging individual
// classpaths.proto config fragments. The exports file is read by init.rc to setenv *CLASSPATH
// environ variables at runtime.
bool GenerateClasspathExports(const Args& args) {
  // Parse all known classpath fragments
  CHECK(android::modules::sdklevel::IsAtLeastS())
      << "derive_classpath must only be run on Android 12 or above";

  Classpaths classpaths;
  if (!ParseFragments(args, classpaths, /*boot_jars=*/true)) {
    LOG(ERROR) << "Failed to parse BOOTCLASSPATH fragments";
    return false;
  }
  if (!ParseFragments(args, classpaths, /*boot_jars=*/false)) {
    LOG(ERROR) << "Failed to parse SYSTEMSERVERCLASSPATH fragments";
    return false;
  }

  // Write export actions for init.rc
  if (!WriteClasspathExports(classpaths, args.output_path)) {
    PLOG(ERROR) << "Failed to write " << args.output_path;
    return false;
  }
  return true;
}

}  // namespace derive_classpath
}  // namespace android