C++: Make permissions check optional in cc_shared_library

The cc_shared_library_permissions mechanism was introduced to add control over
which cc_shared_libraries can export a given cc_library. If the repo is big
enough, the owner of a cc_library might want to prevent someone else in a
different package making their library part of the ABI of a public shared
library because that makes it harder to change the cc_library. This does not
apply accross repositories because a dependant repository can overwrite
anything from a repository dependency anyway.

However, it is becoming more apparent than even though this mechanism should
exist, it should not be enabled by default since most people don't need it. To
enable it pass the flag --//examples:enable_permissions_check=True.

RELNOTES:none
PiperOrigin-RevId: 363171677
Change-Id: I8afb3294806bb3053ee1279c6e9c5355089bccbb

.bazelci/presubmit.yml

@@ -55,10 +55,12 @@ tasks:
     build_flags:
     - "--experimental_cc_shared_library"
     - "--//examples:incompatible_link_once=True"
+    - "--//examples:enable_permissions_check=True"
     test_flags:
     - "--test_timeout=120"
     - "--experimental_cc_shared_library"
     - "--//examples:incompatible_link_once=True"
+    - "--//examples:enable_permissions_check=True"
     test_targets:
     - "//examples/test_cc_shared_library/..."
     - "//examples/test_cc_shared_library/diamond_inheritance/..."

examples/BUILD

@@ -24,6 +24,12 @@ bool_flag(
     visibility = ["//visibility:public"],
 )
 
+bool_flag(
+    name = "enable_permissions_check",
+    build_setting_default = False,
+    visibility = ["//visibility:public"],
+)
+
 bool_flag(
     name = "experimental_debug",
     build_setting_default = False,

examples/experimental_cc_shared_library.bzl

@@ -162,6 +162,9 @@ def _check_if_target_under_path(value, pattern):
     return pattern.package == value.package and pattern.name == value.name
 
 def _check_if_target_can_be_exported(target, current_label, permissions):
+    if permissions == None:
+        return True
+
     if (target.workspace_name != current_label.workspace_name or
         _same_package_or_above(current_label, target)):
         return True
@@ -271,7 +274,7 @@ def _filter_inputs(
                     linker_input.owner,
                     ctx.label,
                     ctx.attr.exports_filter,
-                    ctx.attr.permissions,
+                    _get_permissions(ctx),
                 ):
                     exports[owner] = True
                     can_be_linked_statically = True
@@ -301,6 +304,11 @@ def _same_package_or_above(label_a, label_b):
 
     return True
 
+def _get_permissions(ctx):
+    if ctx.attr._enable_permissions_check[BuildSettingInfo].value:
+        return ctx.attr.permissions
+    return None
+
 def _cc_shared_library_impl(ctx):
     cc_common.check_experimental_cc_shared_library()
     cc_toolchain = find_cc_toolchain(ctx)
@@ -318,7 +326,7 @@ def _cc_shared_library_impl(ctx):
             fail("Trying to export a library already exported by a different shared library: " +
                  str(export.label))
 
-        _check_if_target_should_be_exported_without_filter(export.label, ctx.label, ctx.attr.permissions)
+        _check_if_target_should_be_exported_without_filter(export.label, ctx.label, _get_permissions(ctx))
 
     preloaded_deps_direct_labels = {}
     preloaded_dep_merged_cc_info = None
@@ -457,6 +465,7 @@ cc_shared_library = rule(
         "static_deps": attr.string_list(),
         "user_link_flags": attr.string_list(),
         "_cc_toolchain": attr.label(default = "@bazel_tools//tools/cpp:current_cc_toolchain"),
+        "_enable_permissions_check": attr.label(default = "//examples:enable_permissions_check"),
         "_experimental_debug": attr.label(default = "//examples:experimental_debug"),
         "_incompatible_link_once": attr.label(default = "//examples:incompatible_link_once"),
     },