New issue
Advanced search Search tips

Issue 846454 link

Starred by 4 users

Issue metadata

Status: Started
Owner:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Task
Proj-Servicification

Blocking:
issue 821021



Sign in to add a comment

Block non-service/non-network-internal/non-test includes from net/dns via BUILD rules

Project Member Reported by ericorth@chromium.org, May 24 2018

Issue description

Need to keep tighter control on external access to dns code as we servicify it.

Step 1 is to reorg the BUILD rules to only allow external access to HostResolver and related classes (the main meant-to-be-external API that is obviously going to be servicified) and whitelisted access to anything else.  This will help us keep track of what we need to support for servicification.

Step 2 is to remove whitelisting and direct access to HostResolver as things are servicified and no longer need direct external access.  The end goal is that only simple, non-logic stuff (eg the constants in dns_protocol.h) should be externally accessible.  Everything else will be in a single dns internal source_set rule whitelisted only to net, network service, and test-only stuff.
 
Is this only for //net/dns or do we want to do it for //net overall? I'm actually quite supportive of more restrictive views of //net overall, but didn't want to glom on if it's the wrong bug :)
This bug is specific to net/dns.  Let's leave this bug specific to dns, and create a blocking relationship if a similar overall //net bug gets created.

I would also be supportive of making similar changes for //net overall part of the overall servicification plan (or just as a general cleanup), but I have not yet shopped around for buy-in on that so no such plan or bug currently exists that I know of.
Project Member

Comment 3 by bugdroid1@chromium.org, May 25 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/24feb5bfd766a5067305ef30da9f23f8eca61e22

commit 24feb5bfd766a5067305ef30da9f23f8eca61e22
Author: Eric Orth <ericorth@chromium.org>
Date: Fri May 25 19:42:46 2018

Reorganize //net/dns BUILD rules.

Split everything in the net/dns directory off into its own BUILD.gn
file in that directory with separate source_sets depended on by the
main //net target.

Control access external to the network stack using public/private
headers with whitelisted access via friend lists.  The main
HostResolver API is public, and everything else is whitelisted to
just network (and network service) code and current external usage.
This will block most external code from adding new includes of anything
except HostResolver.  Note: There are some parts of chromium where the
restrictions are not enforced (eg //third_party/* and some large parts
of //chrome/*), but I checked that there are no current violations (by
enabling enforcement in src/.gn for everything and searching the
results for "net/dns").

Circular dependencies between //net and //net/dns were too ingrained to
be resolved.  Configured to allow such dependencies and locked the dns
build rules (via visibility) to only allow direct dependency through
the //net target.  Very reasonable since dns code should still live in
the net.dll component.

Bug: 846454
TBR: allenvic@chromium.org,thestig@chromium.org
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: I0b6eb60741a7910013b0f7897127c5153cff3f15
Reviewed-on: https://chromium-review.googlesource.com/1060304
Commit-Queue: Eric Orth <ericorth@chromium.org>
Reviewed-by: Helen Li <xunjieli@chromium.org>
Cr-Commit-Position: refs/heads/master@{#561976}
[modify] https://crrev.com/24feb5bfd766a5067305ef30da9f23f8eca61e22/chrome/browser/BUILD.gn
[modify] https://crrev.com/24feb5bfd766a5067305ef30da9f23f8eca61e22/chrome/browser/chromeos/smb_client/discovery/mdns_host_locator.cc
[modify] https://crrev.com/24feb5bfd766a5067305ef30da9f23f8eca61e22/chrome/browser/intranet_redirect_detector.h
[modify] https://crrev.com/24feb5bfd766a5067305ef30da9f23f8eca61e22/components/certificate_transparency/tree_state_tracker.cc
[modify] https://crrev.com/24feb5bfd766a5067305ef30da9f23f8eca61e22/content/test/BUILD.gn
[modify] https://crrev.com/24feb5bfd766a5067305ef30da9f23f8eca61e22/net/BUILD.gn
[add] https://crrev.com/24feb5bfd766a5067305ef30da9f23f8eca61e22/net/dns/BUILD.gn
[modify] https://crrev.com/24feb5bfd766a5067305ef30da9f23f8eca61e22/services/network/BUILD.gn
[modify] https://crrev.com/24feb5bfd766a5067305ef30da9f23f8eca61e22/services/proxy_resolver/BUILD.gn

Comment 4 by dxie@chromium.org, May 29 2018

Labels: Hotlist-KnownIssue
Project Member

Comment 5 by bugdroid1@chromium.org, Aug 27

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/168a7e5b1972a780f6502b147084d9cc4342e4a0

commit 168a7e5b1972a780f6502b147084d9cc4342e4a0
Author: Eric Orth <ericorth@chromium.org>
Date: Mon Aug 27 19:11:32 2018

Whitelist access to HostResolver headers.

Convert the //net/dns:public source_set into :host_resolver and move all
public headers to source.  Access to these previously-public headers
will now only be allowed for BUILD.gn rules listed in the friend list.

Added friend entries with explanation comments for all remaining usage.
Some with TODOs to remove, eg because they'll be migrated to network
service.  Confirmed that there are no other remaining usage in code
where private headers are or are not enforced (checking unenforced by
searching for "net/dns" in the error output).

Removed a couple includes that were no longer needed.

TBR=jochen@chromium.org

Bug: 846454
Change-Id: I7bb633088689dc896f9fc27e1dec87ae699410db
Reviewed-on: https://chromium-review.googlesource.com/1183981
Commit-Queue: Eric Orth <ericorth@chromium.org>
Reviewed-by: Maks Orlovich <morlovich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#586362}
[modify] https://crrev.com/168a7e5b1972a780f6502b147084d9cc4342e4a0/chrome/service/net/service_url_request_context_getter.h
[modify] https://crrev.com/168a7e5b1972a780f6502b147084d9cc4342e4a0/content/browser/renderer_host/pepper/pepper_tcp_socket_message_filter.h
[modify] https://crrev.com/168a7e5b1972a780f6502b147084d9cc4342e4a0/extensions/browser/api/dns/dns_api.h
[modify] https://crrev.com/168a7e5b1972a780f6502b147084d9cc4342e4a0/extensions/browser/api/socket/socket_api.h
[modify] https://crrev.com/168a7e5b1972a780f6502b147084d9cc4342e4a0/net/BUILD.gn
[modify] https://crrev.com/168a7e5b1972a780f6502b147084d9cc4342e4a0/net/dns/BUILD.gn

Project Member

Comment 6 by bugdroid1@chromium.org, Nov 7

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8afaf15c355c4242a5f744e448d92fb090388e52

commit 8afaf15c355c4242a5f744e448d92fb090388e52
Author: Eric Orth <ericorth@chromium.org>
Date: Wed Nov 07 21:01:26 2018

Create new //net/dns/public directory/target

This will hold all the simple host resolution code intended long-term
(post-servicification) for direct non-test access outside the network
stack and service.  For now, moving over dns_protocol.h and
dns_util::IsValidDoHTemplate(), two items currently used externally
that do not make sense to servicify. Will likely move over more in
subsequent CLs.

Similar to when //net/dns targets were split off from //net, no attempt
was made to detangle circular dependencies with //net.

Bug: 846454
Change-Id: I7cc209240f1c6f5ae2789c56faefb20662366230
Reviewed-on: https://chromium-review.googlesource.com/c/1320516
Reviewed-by: Bailey Berro <baileyberro@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Commit-Queue: Eric Orth <ericorth@chromium.org>
Cr-Commit-Position: refs/heads/master@{#606155}
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/chrome/browser/chromeos/smb_client/discovery/mdns_host_locator.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/chrome/browser/local_discovery/service_discovery_client_impl.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/chrome/browser/local_discovery/service_discovery_client_unittest.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/chrome/browser/net/dns_probe_runner.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/chrome/browser/net/dns_probe_service.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/chrome/browser/net/dns_probe_test_util.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/chrome/browser/net/system_network_context_manager.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/chrome/browser/printing/cloud_print/privet_traffic_detector.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/components/certificate_transparency/log_dns_client.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/components/certificate_transparency/log_dns_client_unittest.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/components/certificate_transparency/mock_log_dns_traffic.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/BUILD.gn
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/android/network_library.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/BUILD.gn
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/dns_config_service_posix.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/dns_config_service_posix_unittest.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/dns_config_service_unittest.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/dns_config_service_win.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/dns_config_service_win_unittest.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/dns_query.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/dns_query_unittest.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/dns_response.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/dns_response_fuzzer.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/dns_response_unittest.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/dns_session_unittest.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/dns_test_util.h
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/dns_transaction.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/dns_transaction_unittest.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/dns_util.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/dns_util_unittest.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/host_resolver_impl.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/host_resolver_mdns_task.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/mdns_cache.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/mdns_client.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/mdns_client_impl.cc
[add] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/public/BUILD.gn
[add] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/public/README.md
[rename] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/public/dns_protocol.h
[add] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/public/util.cc
[add] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/public/util.h
[add] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/public/util_unittest.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/record_parsed_unittest.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/record_rdata.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/dns/record_rdata.h
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/net/tools/dns_fuzz_stub/dns_fuzz_stub.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/services/network/mdns_responder.cc
[modify] https://crrev.com/8afaf15c355c4242a5f744e448d92fb090388e52/services/network/mdns_responder_unittest.cc

Project Member

Comment 7 by bugdroid1@chromium.org, Nov 8

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1556c38fc8dc7d6dd9d2da4762e9458a106753e0

commit 1556c38fc8dc7d6dd9d2da4762e9458a106753e0
Author: Eric Orth <ericorth@chromium.org>
Date: Thu Nov 08 06:05:02 2018

Cleanup/whitelist remaining //net/dns usage

Removed a bunch of whitelist entries that were no longer needed, mostly
due to completed servicification migrations.  Some usage was
no-longer-needed includes that I removed, and all of UrlInfo appeared
to be no longer used or present in build files so I removed the whole
class and tests.

Some usage of MDnsClient was just accessing the Get...Endpoint()
methods that could easily be moved to net/dns/public and thus no longer
require whitelisting.

Ensured all remaining whitelist entries were commented with why usage
is appropriate or with a TODO and bug for anything still requiring
servicification migration.

Bug: 846454
Change-Id: I39aeeaa437bd8fe2899e78189ca7ef0adbffd1f6
Reviewed-on: https://chromium-review.googlesource.com/c/1320511
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Cr-Commit-Position: refs/heads/master@{#606365}
[modify] https://crrev.com/1556c38fc8dc7d6dd9d2da4762e9458a106753e0/chrome/browser/devtools/device/tcp_device_provider.cc
[modify] https://crrev.com/1556c38fc8dc7d6dd9d2da4762e9458a106753e0/chrome/browser/local_discovery/service_discovery_client_mdns.cc
[modify] https://crrev.com/1556c38fc8dc7d6dd9d2da4762e9458a106753e0/chrome/browser/net/system_network_context_manager.cc
[delete] https://crrev.com/cd52a866ba1007824b4afa95eaf266e6b5a8eb94/chrome/browser/net/url_info.cc
[delete] https://crrev.com/cd52a866ba1007824b4afa95eaf266e6b5a8eb94/chrome/browser/net/url_info.h
[delete] https://crrev.com/cd52a866ba1007824b4afa95eaf266e6b5a8eb94/chrome/browser/net/url_info_unittest.cc
[modify] https://crrev.com/1556c38fc8dc7d6dd9d2da4762e9458a106753e0/chrome/browser/net_benchmarking.cc
[modify] https://crrev.com/1556c38fc8dc7d6dd9d2da4762e9458a106753e0/chrome/browser/printing/cloud_print/privet_traffic_detector.cc
[modify] https://crrev.com/1556c38fc8dc7d6dd9d2da4762e9458a106753e0/net/dns/BUILD.gn
[modify] https://crrev.com/1556c38fc8dc7d6dd9d2da4762e9458a106753e0/net/dns/dns_util.cc
[modify] https://crrev.com/1556c38fc8dc7d6dd9d2da4762e9458a106753e0/net/dns/dns_util.h
[modify] https://crrev.com/1556c38fc8dc7d6dd9d2da4762e9458a106753e0/net/dns/mdns_client.cc
[modify] https://crrev.com/1556c38fc8dc7d6dd9d2da4762e9458a106753e0/net/dns/mdns_client_impl.cc
[modify] https://crrev.com/1556c38fc8dc7d6dd9d2da4762e9458a106753e0/net/dns/mock_mdns_socket_factory.cc
[modify] https://crrev.com/1556c38fc8dc7d6dd9d2da4762e9458a106753e0/net/dns/public/dns_protocol.h
[modify] https://crrev.com/1556c38fc8dc7d6dd9d2da4762e9458a106753e0/net/dns/public/util.cc
[modify] https://crrev.com/1556c38fc8dc7d6dd9d2da4762e9458a106753e0/net/dns/public/util.h
[modify] https://crrev.com/1556c38fc8dc7d6dd9d2da4762e9458a106753e0/services/network/mdns_responder.cc

Sign in to add a comment