# Copyright 2023 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Tests for apex_sepolicy_tests"""
import re
import shutil
import tempfile
import unittest
import apex_sepolicy_tests as apex
import policy
# pylint: disable=missing-docstring
class ApexSepolicyTests(unittest.TestCase):
|
|
|
|
|
|
|
|
@classmethod
|
|
|
|
def setUpClass(cls) -> None:
|
|
|
|
cls.temp_dir = tempfile.mkdtemp()
|
|
|
|
lib_path = apex.extract_data(apex.LIBSEPOLWRAP, cls.temp_dir)
|
|
|
|
policy_path = apex.extract_data('precompiled_sepolicy', cls.temp_dir)
|
|
|
|
cls.pol = policy.Policy(policy_path, None, lib_path)
|
|
|
|
|
|
|
|
@classmethod
|
|
|
|
def tearDownClass(cls) -> None:
|
|
|
|
shutil.rmtree(cls.temp_dir)
|
|
|
|
|
|
|
|
# helpers
|
|
|
|
|
|
|
|
@property
|
|
|
|
def pol(self):
|
|
|
|
return self.__class__.pol
|
|
|
|
|
|
|
|
def assert_ok(self, line: str):
|
2023-09-08 07:28:40 +02:00
|
|
|
errors = apex.check_line(self.pol, line, apex.all_rules)
|
2023-04-04 11:03:07 +02:00
|
|
|
self.assertEqual(errors, [], "Should be no errors")
|
|
|
|
|
|
|
|
def assert_error(self, line: str, expected_error: str):
|
|
|
|
pattern = re.compile(expected_error)
|
2023-09-08 07:28:40 +02:00
|
|
|
errors = apex.check_line(self.pol, line, apex.all_rules)
|
2023-04-04 11:03:07 +02:00
|
|
|
for err in errors:
|
|
|
|
if re.search(pattern, err):
|
|
|
|
return
|
|
|
|
self.fail(f"Expected error '{expected_error}' is not found in {errors}")
|
|
|
|
|
|
|
|
# tests
|
|
|
|
|
|
|
|
def test_parse_lines(self):
|
|
|
|
self.assert_ok('# commented line')
|
|
|
|
self.assert_ok('') # empty line
|
|
|
|
self.assert_error('./path1 invalid_contexts',
|
|
|
|
r'Error: invalid file_contexts: .*')
|
|
|
|
self.assert_error('./path1 u:object_r:vendor_file',
|
|
|
|
r'Error: invalid file_contexts: .*')
|
|
|
|
self.assert_ok('./path1 u:object_r:vendor_file:s0')
|
|
|
|
|
|
|
|
def test_vintf(self):
|
|
|
|
self.assert_ok('./etc/vintf/fragment.xml u:object_r:vendor_configs_file:s0')
|
|
|
|
self.assert_error('./etc/vintf/fragment.xml u:object_r:vendor_file:s0',
|
|
|
|
r'Error: \./etc/vintf/fragment\.xml: .* can\'t read')
|
|
|
|
|
|
|
|
def test_permissions(self):
|
|
|
|
self.assert_ok('./etc/permissions/permisssion.xml u:object_r:vendor_configs_file:s0')
|
|
|
|
self.assert_error('./etc/permissions/permisssion.xml u:object_r:vendor_file:s0',
|
|
|
|
r'Error: \./etc/permissions/permisssion.xml: .* can\'t read')
|
|
|
|
|
|
|
|
def test_initscripts(self):
|
2023-09-08 07:28:40 +02:00
|
|
|
# here, netd_service is chosen randomly for invalid label for a file
|
|
|
|
|
2023-04-04 11:03:07 +02:00
|
|
|
# init reads .rc file
|
|
|
|
self.assert_ok('./etc/init.rc u:object_r:vendor_file:s0')
|
2023-09-08 07:28:40 +02:00
|
|
|
self.assert_error('./etc/init.rc u:object_r:netd_service:s0',
|
2023-04-04 11:03:07 +02:00
|
|
|
r'Error: .* can\'t read')
|
|
|
|
# init reads .#rc file
|
|
|
|
self.assert_ok('./etc/init.32rc u:object_r:vendor_file:s0')
|
2023-09-08 07:28:40 +02:00
|
|
|
self.assert_error('./etc/init.32rc u:object_r:netd_service:s0',
|
2023-04-04 11:03:07 +02:00
|
|
|
r'Error: .* can\'t read')
|
|
|
|
# init skips file with unknown extension => no errors
|
|
|
|
self.assert_ok('./etc/init.x32rc u:object_r:vendor_file:s0')
|
2023-09-08 07:28:40 +02:00
|
|
|
self.assert_ok('./etc/init.x32rc u:object_r:netd_service:s0')
|
2023-04-04 11:03:07 +02:00
|
|
|
|
2023-04-24 08:34:49 +02:00
|
|
|
def test_linkerconfig(self):
|
|
|
|
self.assert_ok('./etc/linker.config.pb u:object_r:system_file:s0')
|
|
|
|
self.assert_ok('./etc/linker.config.pb u:object_r:linkerconfig_file:s0')
|
|
|
|
self.assert_error('./etc/linker.config.pb u:object_r:vendor_file:s0',
|
|
|
|
r'Error: .*linkerconfig.* can\'t read')
|
2023-05-31 10:41:28 +02:00
|
|
|
self.assert_error('./ u:object_r:apex_data_file:s0',
|
2023-11-14 05:50:14 +01:00
|
|
|
r'Error: .*linkerconfig.* can\'t search')
|
2023-04-04 11:03:07 +02:00
|
|
|
|
2023-09-08 07:28:40 +02:00
|
|
|
def test_unknown_label(self):
|
|
|
|
self.assert_error('./bin/hw/foo u:object_r:foo_exec:s0',
|
|
|
|
r'Error: \./bin/hw/foo: tcontext\(foo_exec\) is unknown')
|
|
|
|
|
2024-02-07 07:41:25 +01:00
|
|
|
def test_binaries(self):
|
|
|
|
self.assert_ok('./bin/init u:object_r:init_exec:s0')
|
|
|
|
self.assert_ok('./bin/hw/svc u:object_r:init_exec:s0')
|
|
|
|
self.assert_error('./bin/hw/svc u:object_r:vendor_file:s0',
|
|
|
|
r"Error: .*svc: can\'t be labelled as \'vendor_file\'")
if __name__ == '__main__':
    # Run every test in this module directly; verbosity=2 prints one line
    # per test method so a failing rule is easy to spot in build logs.
    unittest.main(verbosity=2)