tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/tests/treble_sepolicy_tests.py

431 lines
15 KiB
Python
Raw Normal View History

Migrate tests/ to Python 3 In general, it appears that libselinux and libsepol interpret paths and contexts as bytes. For instance, selabel_file(5) mentions about the path field of file_contexts: Strings representing paths are processed as bytes (as opposed to Unicode), meaning that non-ASCII characters are not matched by a single wildcard. libsepol also uses primitives such as strchr[1], which explicitly operate at the byte level (see strchr(3)). However, practically, Android paths and contexts all uses ASCII characters. Use the str type (i.e., Unicode) for all Python code to avoid a larger refactoring. Ensure we convert to bytes for inputs and outputs of libsepolwrap.so. The encoding "ascii" is used, which will raise an error should a context or type contain non-ASCII characters. Update headers to match development/docs/copyright-templates. [1] https://cs.android.com/android/platform/superproject/+/master:external/selinux/libsepol/src/context_record.c;l=224;drc=454466e2e49fd99f36db78396e604962b8682cb4 Bug: 200119288 Test: lunch aosp_bramble-userdebug && m Test: atest --host fc_sort_test Test: manually run searchpolicy Change-Id: I72d41a35f90b2d4112e481cd8d7408764a6c8132
2021-11-25 23:12:41 +01:00
# Copyright 2021 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
from optparse import OptionParser
from optparse import Option, OptionValueError
import os
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
import mini_parser
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
import policy
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
from policy import MatchPathPrefix
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
import re
import sys
Use "data: libsepolwrap" in python binaries To avoid hard-coded paths in Android.mk rules. Test: m selinux_policy Change-Id: I7b464fa2953e01ccb6fff8daa3e219ae372313c5
2021-12-29 05:56:14 +01:00
import distutils.ccompiler
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
Run Treble sepolicy tests at build time Bug: 37008075 Test: build policy on Marlin Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544 (cherry picked from commit e1ddc6df75d61dd8dc9a1ea00e1da60389f55556)
2017-06-01 00:36:07 +02:00
DEBUG=False
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
'''
Use file_contexts and policy to verify Treble requirements
are not violated.
'''
Update sepolicy to use inclusive language See https://source.android.com/setup/contribute/respectful-code for reference #inclusivefixit Bug: 161896447 Test: Build Change-Id: If612f2270c8ba1d7fc2cbda3b2e8ca3818c0a1be
2020-07-27 18:30:34 +02:00
coredomainAllowlist = {
treble_sepolicy_tests.py: require recognized loc Before, we were silently ignoring unrecognized paths. Bug: 152813275 Test: m (runs this test) Test: reproduce every error I've added Change-Id: I4a0b8fb9fff070d16126caa1499590693a6d2895
2020-04-03 01:20:31 +02:00
# TODO: how do we make sure vendor_init doesn't have bad coupling with
# /vendor? It is the only system process which is not coredomain.
Remove vendor_init from coredomain vendor_init exists on the system partition, but it is meant to be an extention of init that runs with vendor permissions for executing vendor scripts, therefore it is not meant to be in coredomain. Bug: 62875318 Test: boot walleye Merged-In: I01af5c9f8b198674b15b90620d02725a6e7c1da6 Change-Id: I01af5c9f8b198674b15b90620d02725a6e7c1da6
2018-01-25 20:31:09 +01:00
'vendor_init',
Update sepolicy to use inclusive language See https://source.android.com/setup/contribute/respectful-code for reference #inclusivefixit Bug: 161896447 Test: Build Change-Id: If612f2270c8ba1d7fc2cbda3b2e8ca3818c0a1be
2020-07-27 18:30:34 +02:00
# TODO(b/152813275): need to avoid allowlist for rootdir
treble_sepolicy_tests.py: require recognized loc Before, we were silently ignoring unrecognized paths. Bug: 152813275 Test: m (runs this test) Test: reproduce every error I've added Change-Id: I4a0b8fb9fff070d16126caa1499590693a6d2895
2020-04-03 01:20:31 +02:00
"modprobe",
"slideshow",
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
}
class scontext:
def __init__(self):
self.fromSystem = False
self.fromVendor = False
self.coredomain = False
self.appdomain = False
self.attributes = set()
self.entrypoints = []
self.entrypointpaths = []
treble_sepolicy_tests.py: require recognized loc Before, we were silently ignoring unrecognized paths. Bug: 152813275 Test: m (runs this test) Test: reproduce every error I've added Change-Id: I4a0b8fb9fff070d16126caa1499590693a6d2895
2020-04-03 01:20:31 +02:00
self.error = ""
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
Run Treble sepolicy tests at build time Bug: 37008075 Test: build policy on Marlin Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544 (cherry picked from commit e1ddc6df75d61dd8dc9a1ea00e1da60389f55556)
2017-06-01 00:36:07 +02:00
def PrintScontexts():
for d in sorted(alldomains.keys()):
sctx = alldomains[d]
Migrate tests/ to Python 3 In general, it appears that libselinux and libsepol interpret paths and contexts as bytes. For instance, selabel_file(5) mentions about the path field of file_contexts: Strings representing paths are processed as bytes (as opposed to Unicode), meaning that non-ASCII characters are not matched by a single wildcard. libsepol also uses primitives such as strchr[1], which explicitly operate at the byte level (see strchr(3)). However, practically, Android paths and contexts all uses ASCII characters. Use the str type (i.e., Unicode) for all Python code to avoid a larger refactoring. Ensure we convert to bytes for inputs and outputs of libsepolwrap.so. The encoding "ascii" is used, which will raise an error should a context or type contain non-ASCII characters. Update headers to match development/docs/copyright-templates. [1] https://cs.android.com/android/platform/superproject/+/master:external/selinux/libsepol/src/context_record.c;l=224;drc=454466e2e49fd99f36db78396e604962b8682cb4 Bug: 200119288 Test: lunch aosp_bramble-userdebug && m Test: atest --host fc_sort_test Test: manually run searchpolicy Change-Id: I72d41a35f90b2d4112e481cd8d7408764a6c8132
2021-11-25 23:12:41 +01:00
print(d)
print("\tcoredomain="+str(sctx.coredomain))
print("\tappdomain="+str(sctx.appdomain))
print("\tfromSystem="+str(sctx.fromSystem))
print("\tfromVendor="+str(sctx.fromVendor))
print("\tattributes="+str(sctx.attributes))
print("\tentrypoints="+str(sctx.entrypoints))
print("\tentrypointpaths=")
Run Treble sepolicy tests at build time Bug: 37008075 Test: build policy on Marlin Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544 (cherry picked from commit e1ddc6df75d61dd8dc9a1ea00e1da60389f55556)
2017-06-01 00:36:07 +02:00
if sctx.entrypointpaths is not None:
for path in sctx.entrypointpaths:
Migrate tests/ to Python 3 In general, it appears that libselinux and libsepol interpret paths and contexts as bytes. For instance, selabel_file(5) mentions about the path field of file_contexts: Strings representing paths are processed as bytes (as opposed to Unicode), meaning that non-ASCII characters are not matched by a single wildcard. libsepol also uses primitives such as strchr[1], which explicitly operate at the byte level (see strchr(3)). However, practically, Android paths and contexts all uses ASCII characters. Use the str type (i.e., Unicode) for all Python code to avoid a larger refactoring. Ensure we convert to bytes for inputs and outputs of libsepolwrap.so. The encoding "ascii" is used, which will raise an error should a context or type contain non-ASCII characters. Update headers to match development/docs/copyright-templates. [1] https://cs.android.com/android/platform/superproject/+/master:external/selinux/libsepol/src/context_record.c;l=224;drc=454466e2e49fd99f36db78396e604962b8682cb4 Bug: 200119288 Test: lunch aosp_bramble-userdebug && m Test: atest --host fc_sort_test Test: manually run searchpolicy Change-Id: I72d41a35f90b2d4112e481cd8d7408764a6c8132
2021-11-25 23:12:41 +01:00
print("\t\t"+str(path))
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
alldomains = {}
coredomains = set()
appdomains = set()
vendordomains = set()
Improve data separation test coverage Two areas need better coverage: 1. Tests are not verifying that files in /data/vendor do not have the core_data_file_type attribute. 2. No error is thrown if a type lives in both /data/vendor /data/<not vendor>. Bug: 72998741 Test: build all selinux policies on master (assert build time tests) Test: build and boot Marlin and Taimen, verify no selinux denials and everything works as expected. Change-Id: I133a068123139a599b9b81ddcc254616894621eb (cherry picked from commit 55d5e28472ad9cd87da0b451d78555d8aae43bb8)
2018-02-08 18:54:59 +01:00
pol = None
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
# compat vars
alltypes = set()
oldalltypes = set()
compatMapping = None
Don't require private types in mapping file. Private types are not visible to vendor/odm policy, so we don't need mapping entries for them. We build platform-only public policy .cil file and give it as input to treble_sepolicy_tests. Using this public policy the test can now figure out if the newly added type in public or private. Bug: 116344577 Test: adding public type triggers mapping test failure, adding private type does not. Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-29 02:21:08 +02:00
pubtypes = set()
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
# Distinguish between PRODUCT_FULL_TREBLE and PRODUCT_FULL_TREBLE_OVERRIDE
FakeTreble = False
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
def GetAllDomains(pol):
global alldomains
for result in pol.QueryTypeAttribute("domain", True):
alldomains[result] = scontext()
def GetAppDomains():
global appdomains
global alldomains
for d in alldomains:
# The application of the "appdomain" attribute is trusted because core
# selinux policy contains neverallow rules that enforce that only zygote
# and runas spawned processes may transition to processes that have
# the appdomain attribute.
if "appdomain" in alldomains[d].attributes:
alldomains[d].appdomain = True
appdomains.add(d)
def GetCoreDomains():
global alldomains
global coredomains
for d in alldomains:
treble_sepolicy_tests.py: require recognized loc Before, we were silently ignoring unrecognized paths. Bug: 152813275 Test: m (runs this test) Test: reproduce every error I've added Change-Id: I4a0b8fb9fff070d16126caa1499590693a6d2895
2020-04-03 01:20:31 +02:00
domain = alldomains[d]
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
# TestCoredomainViolations will verify if coredomain was incorrectly
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
# applied.
treble_sepolicy_tests.py: require recognized loc Before, we were silently ignoring unrecognized paths. Bug: 152813275 Test: m (runs this test) Test: reproduce every error I've added Change-Id: I4a0b8fb9fff070d16126caa1499590693a6d2895
2020-04-03 01:20:31 +02:00
if "coredomain" in domain.attributes:
domain.coredomain = True
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
coredomains.add(d)
# check whether domains are executed off of /system or /vendor
Update sepolicy to use inclusive language See https://source.android.com/setup/contribute/respectful-code for reference #inclusivefixit Bug: 161896447 Test: Build Change-Id: If612f2270c8ba1d7fc2cbda3b2e8ca3818c0a1be
2020-07-27 18:30:34 +02:00
if d in coredomainAllowlist:
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
continue
treble_sepolicy_tests.py: require recognized loc Before, we were silently ignoring unrecognized paths. Bug: 152813275 Test: m (runs this test) Test: reproduce every error I've added Change-Id: I4a0b8fb9fff070d16126caa1499590693a6d2895
2020-04-03 01:20:31 +02:00
# TODO(b/153112003): add checks to prevent app domains from being
# incorrectly labeled as coredomain. Apps don't have entrypoints as
# they're always dynamically transitioned to by zygote.
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
if d in appdomains:
continue
treble_sepolicy_tests.py: require recognized loc Before, we were silently ignoring unrecognized paths. Bug: 152813275 Test: m (runs this test) Test: reproduce every error I've added Change-Id: I4a0b8fb9fff070d16126caa1499590693a6d2895
2020-04-03 01:20:31 +02:00
# TODO(b/153112747): need to handle cases where there is a dynamic
# transition OR there happens to be no context in AOSP files.
if not domain.entrypointpaths:
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
continue
treble_sepolicy_tests.py: require recognized loc Before, we were silently ignoring unrecognized paths. Bug: 152813275 Test: m (runs this test) Test: reproduce every error I've added Change-Id: I4a0b8fb9fff070d16126caa1499590693a6d2895
2020-04-03 01:20:31 +02:00
for path in domain.entrypointpaths:
vendor = any(MatchPathPrefix(path, prefix) for prefix in
["/vendor", "/odm"])
system = any(MatchPathPrefix(path, prefix) for prefix in
["/init", "/system_ext", "/product" ])
# only mark entrypoint as system if it is not in legacy /system/vendor
if MatchPathPrefix(path, "/system/vendor"):
vendor = True
elif MatchPathPrefix(path, "/system"):
system = True
if not vendor and not system:
domain.error += "Unrecognized entrypoint for " + d + " at " + path + "\n"
domain.fromSystem = domain.fromSystem or system
domain.fromVendor = domain.fromVendor or vendor
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
###
# Add the entrypoint type and path(s) to each domain.
#
def GetDomainEntrypoints(pol):
global alldomains
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
for x in pol.QueryExpandedTERule(tclass=set(["file"]), perms=set(["entrypoint"])):
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
if not x.sctx in alldomains:
continue
alldomains[x.sctx].entrypoints.append(str(x.tctx))
# postinstall_file represents a special case specific to A/B OTAs.
# Update_engine mounts a partition and relabels it postinstall_file.
# There is no file_contexts entry associated with postinstall_file
# so skip the lookup.
if x.tctx == "postinstall_file":
continue
Run Treble sepolicy tests at build time Bug: 37008075 Test: build policy on Marlin Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544 (cherry picked from commit e1ddc6df75d61dd8dc9a1ea00e1da60389f55556)
2017-06-01 00:36:07 +02:00
entrypointpath = pol.QueryFc(x.tctx)
if not entrypointpath:
continue
alldomains[x.sctx].entrypointpaths.extend(entrypointpath)
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
###
# Get attributes associated with each domain
#
def GetAttributes(pol):
global alldomains
for domain in alldomains:
for result in pol.QueryTypeAttribute(domain, False):
alldomains[domain].attributes.add(result)
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
def GetAllTypes(pol, oldpol):
global alltypes
global oldalltypes
alltypes = pol.GetAllTypes(False)
oldalltypes = oldpol.GetAllTypes(False)
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
def setup(pol):
GetAllDomains(pol)
GetAttributes(pol)
GetDomainEntrypoints(pol)
GetAppDomains()
GetCoreDomains()
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
# setup for the policy compatibility tests
Don't require private types in mapping file. Private types are not visible to vendor/odm policy, so we don't need mapping entries for them. We build platform-only public policy .cil file and give it as input to treble_sepolicy_tests. Using this public policy the test can now figure out if the newly added type in public or private. Bug: 116344577 Test: adding public type triggers mapping test failure, adding private type does not. Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-29 02:21:08 +02:00
def compatSetup(pol, oldpol, mapping, types):
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
global compatMapping
Don't require private types in mapping file. Private types are not visible to vendor/odm policy, so we don't need mapping entries for them. We build platform-only public policy .cil file and give it as input to treble_sepolicy_tests. Using this public policy the test can now figure out if the newly added type in public or private. Bug: 116344577 Test: adding public type triggers mapping test failure, adding private type does not. Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-29 02:21:08 +02:00
global pubtypes
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
GetAllTypes(pol, oldpol)
compatMapping = mapping
Don't require private types in mapping file. Private types are not visible to vendor/odm policy, so we don't need mapping entries for them. We build platform-only public policy .cil file and give it as input to treble_sepolicy_tests. Using this public policy the test can now figure out if the newly added type in public or private. Bug: 116344577 Test: adding public type triggers mapping test failure, adding private type does not. Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-29 02:21:08 +02:00
pubtypes = types
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
def DomainsWithAttribute(attr):
global alldomains
domains = []
for domain in alldomains:
if attr in alldomains[domain].attributes:
domains.append(domain)
return domains
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
#############################################################
# Tests
#############################################################
def TestCoredomainViolations():
global alldomains
# verify that all domains launched from /system have the coredomain
# attribute
ret = ""
treble_sepolicy_tests.py: require recognized loc Before, we were silently ignoring unrecognized paths. Bug: 152813275 Test: m (runs this test) Test: reproduce every error I've added Change-Id: I4a0b8fb9fff070d16126caa1499590693a6d2895
2020-04-03 01:20:31 +02:00
for d in alldomains:
domain = alldomains[d]
if domain.fromSystem and domain.fromVendor:
ret += "The following domain is system and vendor: " + d + "\n"
for domain in alldomains.values():
ret += domain.error
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
violators = []
for d in alldomains:
domain = alldomains[d]
if domain.fromSystem and "coredomain" not in domain.attributes:
violators.append(d);
if len(violators) > 0:
ret += "The following domain(s) must be associated with the "
ret += "\"coredomain\" attribute because they are executed off of "
ret += "/system:\n"
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
# verify that all domains launched form /vendor do not have the coredomain
# attribute
violators = []
for d in alldomains:
domain = alldomains[d]
if domain.fromVendor and "coredomain" in domain.attributes:
violators.append(d)
if len(violators) > 0:
ret += "The following domains must not be associated with the "
ret += "\"coredomain\" attribute because they are executed off of "
ret += "/vendor or /system/vendor:\n"
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
return ret
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
###
Don't require private types in mapping file. Private types are not visible to vendor/odm policy, so we don't need mapping entries for them. We build platform-only public policy .cil file and give it as input to treble_sepolicy_tests. Using this public policy the test can now figure out if the newly added type in public or private. Bug: 116344577 Test: adding public type triggers mapping test failure, adding private type does not. Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-29 02:21:08 +02:00
# Make sure that any new public type introduced in the new policy that was not
# present in the old policy has been recorded in the mapping file.
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
def TestNoUnmappedNewTypes():
global alltypes
global oldalltypes
global compatMapping
Don't require private types in mapping file. Private types are not visible to vendor/odm policy, so we don't need mapping entries for them. We build platform-only public policy .cil file and give it as input to treble_sepolicy_tests. Using this public policy the test can now figure out if the newly added type in public or private. Bug: 116344577 Test: adding public type triggers mapping test failure, adding private type does not. Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-29 02:21:08 +02:00
global pubtypes
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
newt = alltypes - oldalltypes
ret = ""
violators = []
for n in newt:
Don't require private types in mapping file. Private types are not visible to vendor/odm policy, so we don't need mapping entries for them. We build platform-only public policy .cil file and give it as input to treble_sepolicy_tests. Using this public policy the test can now figure out if the newly added type in public or private. Bug: 116344577 Test: adding public type triggers mapping test failure, adding private type does not. Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-29 02:21:08 +02:00
if n in pubtypes and compatMapping.rTypeattributesets.get(n) is None:
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
violators.append(n)
if len(violators) > 0:
Don't require private types in mapping file. Private types are not visible to vendor/odm policy, so we don't need mapping entries for them. We build platform-only public policy .cil file and give it as input to treble_sepolicy_tests. Using this public policy the test can now figure out if the newly added type in public or private. Bug: 116344577 Test: adding public type triggers mapping test failure, adding private type does not. Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-29 02:21:08 +02:00
ret += "SELinux: The following public types were found added to the "
ret += "policy without an entry into the compatibility mapping file(s) "
Only maintain maps between current and previous selinux versions. New maintenance scheme for mapping files: Say, V is the current SELinux platform version, then at any point in time we only maintain (V->V-1) mapping. (V->V-n) map is constructed from top (V->V-n+1) and bottom (V-n+1->V-n) without changes to previously maintained mapping files. Caveats: - 26.0.cil doesn't technically represent 27.0->26.0 map, but rather current->26.0. We'll fully migrate to the scheme with future releases. Bug: 67510052 Test: adding new public type only requires changing the latest compat map Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8
2018-09-30 02:47:10 +02:00
ret += "found in private/compat/V.v/V.v[.ignore].cil, where V.v is the "
ret += "latest API level.\n"
sepolicy: Improve treble test error message. Bug: 120080521 Test: removing a mapped type in the mapping file triggers new error message Change-Id: I04b21da7206777af8c281a843bd39ea5c4f0863a
2019-01-07 03:17:32 +01:00
ret += " ".join(str(x) for x in sorted(violators)) + "\n\n"
ret += "See examples of how to fix this:\n"
sepolicy: public links in error messages Bug: n/a Test: n/a Change-Id: Id449fe115fac8bf99c33bf4455a23dd29448f93d
2019-08-09 19:27:46 +02:00
ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/781036\n"
ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/852612\n"
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
return ret
###
# Make sure that any public type removed in the current policy has its
# declaration added to the mapping file for use in non-platform policy
def TestNoUnmappedRmTypes():
global alltypes
global oldalltypes
global compatMapping
rmt = oldalltypes - alltypes
ret = ""
violators = []
for o in rmt:
if o in compatMapping.pubtypes and not o in compatMapping.types:
violators.append(o)
if len(violators) > 0:
ret += "SELinux: The following formerly public types were removed from "
ret += "policy without a declaration in the compatibility mapping "
Only maintain maps between current and previous selinux versions. New maintenance scheme for mapping files: Say, V is the current SELinux platform version, then at any point in time we only maintain (V->V-1) mapping. (V->V-n) map is constructed from top (V->V-n+1) and bottom (V-n+1->V-n) without changes to previously maintained mapping files. Caveats: - 26.0.cil doesn't technically represent 27.0->26.0 map, but rather current->26.0. We'll fully migrate to the scheme with future releases. Bug: 67510052 Test: adding new public type only requires changing the latest compat map Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8
2018-09-30 02:47:10 +02:00
ret += "found in private/compat/V.v/V.v[.ignore].cil, where V.v is the "
ret += "latest API level.\n"
sepolicy: Improve treble test error message. Bug: 120080521 Test: removing a mapped type in the mapping file triggers new error message Change-Id: I04b21da7206777af8c281a843bd39ea5c4f0863a
2019-01-07 03:17:32 +01:00
ret += " ".join(str(x) for x in sorted(violators)) + "\n\n"
ret += "See examples of how to fix this:\n"
sepolicy: public links in error messages Bug: n/a Test: n/a Change-Id: Id449fe115fac8bf99c33bf4455a23dd29448f93d
2019-08-09 19:27:46 +02:00
ret += "https://android-review.googlesource.com/c/platform/system/sepolicy/+/822743\n"
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
return ret
def TestTrebleCompatMapping():
ret = TestNoUnmappedNewTypes()
ret += TestNoUnmappedRmTypes()
return ret
def TestViolatorAttribute(attribute):
global FakeTreble
ret = ""
if FakeTreble:
return ret
violators = DomainsWithAttribute(attribute)
if len(violators) > 0:
ret += "SELinux: The following domains violate the Treble ban "
ret += "against use of the " + attribute + " attribute: "
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
return ret
def TestViolatorAttributes():
Remove binder_in_vendor_violators. It's release blocking if devices specify it. Since none are used in-tree anymore, no reason to every use this again. Bug: 131617943 Test: grepping source/build (which validates this isn't used) Change-Id: I6f98ab9baed93e11403a10f3a0497c855d3a8695
2019-05-14 02:06:50 +02:00
ret = ""
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
ret += TestViolatorAttribute("socket_between_core_and_vendor_violators")
ret += TestViolatorAttribute("vendor_executes_system_violators")
return ret
Improve data separation test coverage Two areas need better coverage: 1. Tests are not verifying that files in /data/vendor do not have the core_data_file_type attribute. 2. No error is thrown if a type lives in both /data/vendor /data/<not vendor>. Bug: 72998741 Test: build all selinux policies on master (assert build time tests) Test: build and boot Marlin and Taimen, verify no selinux denials and everything works as expected. Change-Id: I133a068123139a599b9b81ddcc254616894621eb (cherry picked from commit 55d5e28472ad9cd87da0b451d78555d8aae43bb8)
2018-02-08 18:54:59 +01:00
# TODO move this to sepolicy_tests
def TestCoreDataTypeViolations():
global pol
return pol.AssertPathTypesDoNotHaveAttr(["/data/vendor/", "/data/vendor_ce/",
"/data/vendor_de/"], [], "core_data_file_type")
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
# specified.
#
class MultipleOption(Option):
ACTIONS = Option.ACTIONS + ("extend",)
STORE_ACTIONS = Option.STORE_ACTIONS + ("extend",)
TYPED_ACTIONS = Option.TYPED_ACTIONS + ("extend",)
ALWAYS_TYPED_ACTIONS = Option.ALWAYS_TYPED_ACTIONS + ("extend",)
def take_action(self, action, dest, opt, value, values, parser):
if action == "extend":
values.ensure_value(dest, []).append(value)
else:
Option.take_action(self, action, dest, opt, value, values, parser)
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
Tests = {"CoredomainViolations": TestCoredomainViolations,
Improve data separation test coverage Two areas need better coverage: 1. Tests are not verifying that files in /data/vendor do not have the core_data_file_type attribute. 2. No error is thrown if a type lives in both /data/vendor /data/<not vendor>. Bug: 72998741 Test: build all selinux policies on master (assert build time tests) Test: build and boot Marlin and Taimen, verify no selinux denials and everything works as expected. Change-Id: I133a068123139a599b9b81ddcc254616894621eb (cherry picked from commit 55d5e28472ad9cd87da0b451d78555d8aae43bb8)
2018-02-08 18:54:59 +01:00
"CoreDatatypeViolations": TestCoreDataTypeViolations,
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
"TrebleCompatMapping": TestTrebleCompatMapping,
"ViolatorAttributes": TestViolatorAttributes}
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
if __name__ == '__main__':
Use "data: libsepolwrap" in python binaries To avoid hard-coded paths in Android.mk rules. Test: m selinux_policy Change-Id: I7b464fa2953e01ccb6fff8daa3e219ae372313c5
2021-12-29 05:56:14 +01:00
usage = "treble_sepolicy_tests "
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
usage += "-f nonplat_file_contexts -f plat_file_contexts "
usage += "-p curr_policy -b base_policy -o old_policy "
usage +="-m mapping file [--test test] [--help]"
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
parser = OptionParser(option_class=MultipleOption, usage=usage)
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
parser.add_option("-b", "--basepolicy", dest="basepolicy", metavar="FILE")
Don't require private types in mapping file. Private types are not visible to vendor/odm policy, so we don't need mapping entries for them. We build platform-only public policy .cil file and give it as input to treble_sepolicy_tests. Using this public policy the test can now figure out if the newly added type in public or private. Bug: 116344577 Test: adding public type triggers mapping test failure, adding private type does not. Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-29 02:21:08 +02:00
parser.add_option("-u", "--base-pub-policy", dest="base_pub_policy",
metavar="FILE")
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
parser.add_option("-f", "--file_contexts", dest="file_contexts",
metavar="FILE", action="extend", type="string")
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
parser.add_option("-m", "--mapping", dest="mapping", metavar="FILE")
parser.add_option("-o", "--oldpolicy", dest="oldpolicy", metavar="FILE")
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
parser.add_option("-t", "--test", dest="tests", action="extend",
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
help="Test options include "+str(Tests))
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
parser.add_option("--fake-treble", action="store_true", dest="faketreble",
default=False)
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
(options, args) = parser.parse_args()
if not options.policy:
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
sys.exit("Must specify current monolithic policy file\n" + parser.usage)
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
if not os.path.exists(options.policy):
sys.exit("Error: policy file " + options.policy + " does not exist\n"
+ parser.usage)
if not options.file_contexts:
sys.exit("Error: Must specify file_contexts file(s)\n" + parser.usage)
for f in options.file_contexts:
if not os.path.exists(f):
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
parser.usage)
Use "data: libsepolwrap" in python binaries To avoid hard-coded paths in Android.mk rules. Test: m selinux_policy Change-Id: I7b464fa2953e01ccb6fff8daa3e219ae372313c5
2021-12-29 05:56:14 +01:00
libpath = os.path.join(os.path.dirname(os.path.realpath(__file__)),
"libsepolwrap" + distutils.ccompiler.new_compiler().shared_lib_extension)
if not os.path.exists(libpath):
sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
Don't require private types in mapping file. Private types are not visible to vendor/odm policy, so we don't need mapping entries for them. We build platform-only public policy .cil file and give it as input to treble_sepolicy_tests. Using this public policy the test can now figure out if the newly added type in public or private. Bug: 116344577 Test: adding public type triggers mapping test failure, adding private type does not. Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-29 02:21:08 +02:00
# Mapping files and public platform policy are only necessary for the
# TrebleCompatMapping test.
Migrate tests/ to Python 3 In general, it appears that libselinux and libsepol interpret paths and contexts as bytes. For instance, selabel_file(5) mentions about the path field of file_contexts: Strings representing paths are processed as bytes (as opposed to Unicode), meaning that non-ASCII characters are not matched by a single wildcard. libsepol also uses primitives such as strchr[1], which explicitly operate at the byte level (see strchr(3)). However, practically, Android paths and contexts all uses ASCII characters. Use the str type (i.e., Unicode) for all Python code to avoid a larger refactoring. Ensure we convert to bytes for inputs and outputs of libsepolwrap.so. The encoding "ascii" is used, which will raise an error should a context or type contain non-ASCII characters. Update headers to match development/docs/copyright-templates. [1] https://cs.android.com/android/platform/superproject/+/master:external/selinux/libsepol/src/context_record.c;l=224;drc=454466e2e49fd99f36db78396e604962b8682cb4 Bug: 200119288 Test: lunch aosp_bramble-userdebug && m Test: atest --host fc_sort_test Test: manually run searchpolicy Change-Id: I72d41a35f90b2d4112e481cd8d7408764a6c8132
2021-11-25 23:12:41 +01:00
if options.tests is None or options.tests == "TrebleCompatMapping":
Prepare treble_sepolicy_tests for inclusion in CTS Unconditionally compile treble_sepolicy_tests. Make compat files conditional on running the compat tests. Bug: 37008075 Test: build Change-Id: Ib3aee6e93d285ca141803a13958fbcb38b891b68
2017-11-20 22:25:47 +01:00
if not options.basepolicy:
Don't require private types in mapping file. Private types are not visible to vendor/odm policy, so we don't need mapping entries for them. We build platform-only public policy .cil file and give it as input to treble_sepolicy_tests. Using this public policy the test can now figure out if the newly added type in public or private. Bug: 116344577 Test: adding public type triggers mapping test failure, adding private type does not. Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-29 02:21:08 +02:00
sys.exit("Must specify the current platform-only policy file\n"
+ parser.usage)
Prepare treble_sepolicy_tests for inclusion in CTS Unconditionally compile treble_sepolicy_tests. Make compat files conditional on running the compat tests. Bug: 37008075 Test: build Change-Id: Ib3aee6e93d285ca141803a13958fbcb38b891b68
2017-11-20 22:25:47 +01:00
if not options.mapping:
Don't require private types in mapping file. Private types are not visible to vendor/odm policy, so we don't need mapping entries for them. We build platform-only public policy .cil file and give it as input to treble_sepolicy_tests. Using this public policy the test can now figure out if the newly added type in public or private. Bug: 116344577 Test: adding public type triggers mapping test failure, adding private type does not. Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-29 02:21:08 +02:00
sys.exit("Must specify a compatibility mapping file\n"
+ parser.usage)
Prepare treble_sepolicy_tests for inclusion in CTS Unconditionally compile treble_sepolicy_tests. Make compat files conditional on running the compat tests. Bug: 37008075 Test: build Change-Id: Ib3aee6e93d285ca141803a13958fbcb38b891b68
2017-11-20 22:25:47 +01:00
if not options.oldpolicy:
Don't require private types in mapping file. Private types are not visible to vendor/odm policy, so we don't need mapping entries for them. We build platform-only public policy .cil file and give it as input to treble_sepolicy_tests. Using this public policy the test can now figure out if the newly added type in public or private. Bug: 116344577 Test: adding public type triggers mapping test failure, adding private type does not. Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-29 02:21:08 +02:00
sys.exit("Must specify the previous monolithic policy file\n"
+ parser.usage)
if not options.base_pub_policy:
sys.exit("Must specify the current platform-only public policy "
+ ".cil file\n" + parser.usage)
Use "data: libsepolwrap" in python binaries To avoid hard-coded paths in Android.mk rules. Test: m selinux_policy Change-Id: I7b464fa2953e01ccb6fff8daa3e219ae372313c5
2021-12-29 05:56:14 +01:00
basepol = policy.Policy(options.basepolicy, None, libpath)
oldpol = policy.Policy(options.oldpolicy, None, libpath)
Prepare treble_sepolicy_tests for inclusion in CTS Unconditionally compile treble_sepolicy_tests. Make compat files conditional on running the compat tests. Bug: 37008075 Test: build Change-Id: Ib3aee6e93d285ca141803a13958fbcb38b891b68
2017-11-20 22:25:47 +01:00
mapping = mini_parser.MiniCilParser(options.mapping)
Don't require private types in mapping file. Private types are not visible to vendor/odm policy, so we don't need mapping entries for them. We build platform-only public policy .cil file and give it as input to treble_sepolicy_tests. Using this public policy the test can now figure out if the newly added type in public or private. Bug: 116344577 Test: adding public type triggers mapping test failure, adding private type does not. Change-Id: I421f335e37274b24aa73109e260653d7b73788b5
2018-09-29 02:21:08 +02:00
pubpol = mini_parser.MiniCilParser(options.base_pub_policy)
compatSetup(basepol, oldpol, mapping, pubpol.types)
Prepare treble_sepolicy_tests for inclusion in CTS Unconditionally compile treble_sepolicy_tests. Make compat files conditional on running the compat tests. Bug: 37008075 Test: build Change-Id: Ib3aee6e93d285ca141803a13958fbcb38b891b68
2017-11-20 22:25:47 +01:00
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
if options.faketreble:
FakeTreble = True
Use "data: libsepolwrap" in python binaries To avoid hard-coded paths in Android.mk rules. Test: m selinux_policy Change-Id: I7b464fa2953e01ccb6fff8daa3e219ae372313c5
2021-12-29 05:56:14 +01:00
pol = policy.Policy(options.policy, options.file_contexts, libpath)
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
setup(pol)
Run Treble sepolicy tests at build time Bug: 37008075 Test: build policy on Marlin Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544 (cherry picked from commit e1ddc6df75d61dd8dc9a1ea00e1da60389f55556)
2017-06-01 00:36:07 +02:00
if DEBUG:
PrintScontexts()
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
results = ""
# If an individual test is not specified, run all tests.
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
if options.tests is None:
for t in Tests.values():
results += t()
else:
for tn in options.tests:
t = Tests.get(tn)
if t:
results += t()
else:
err = "Error: unknown test: " + tn + "\n"
err += "Available tests:\n"
for tn in Tests.keys():
err += tn + "\n"
sys.exit(err)
Verify correct application of labels and attributes With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
2017-05-25 18:53:47 +02:00
if len(results) > 0:
sys.exit(results)
Reference in a new issue Copy permalink