2021-11-25 23:12:41 +01:00
|
|
|
# Copyright 2021 The Android Open Source Project
|
|
|
|
|
#
|
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
# you may not use this file except in compliance with the License.
|
|
|
|
|
# You may obtain a copy of the License at
|
|
|
|
|
#
|
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
#
|
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
# See the License for the specific language governing permissions and
|
|
|
|
|
# limitations under the License.
|
|
|
|
|
|
2017-09-26 21:58:29 +02:00
|
|
|
from optparse import OptionParser
|
|
|
|
|
from optparse import Option, OptionValueError
|
|
|
|
|
import os
|
2022-07-25 04:30:02 +02:00
|
|
|
import pkgutil
|
2017-09-26 21:58:29 +02:00
|
|
|
import policy
|
|
|
|
|
import re
|
2022-07-25 04:30:02 +02:00
|
|
|
import shutil
|
2017-09-26 21:58:29 +02:00
|
|
|
import sys
|
2022-07-25 04:30:02 +02:00
|
|
|
import tempfile
|
2022-07-19 07:27:36 +02:00
|
|
|
|
|
|
|
|
SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
|
2017-09-26 21:58:29 +02:00
|
|
|
|
|
|
|
|
#############################################################
|
|
|
|
|
# Tests
|
|
|
|
|
#############################################################
|
|
|
|
|
def TestDataTypeViolations(pol):
|
|
|
|
|
return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")
|
|
|
|
|
|
2018-10-04 20:24:00 +02:00
|
|
|
def TestSystemTypeViolations(pol):
|
2020-04-28 00:54:54 +02:00
|
|
|
partitions = ["/system/", "/system_ext/", "/product/"]
|
|
|
|
|
exceptions = [
|
|
|
|
|
# devices before treble don't have a vendor partition
|
|
|
|
|
"/system/vendor/",
|
|
|
|
|
|
|
|
|
|
# overlay files are mounted over vendor
|
|
|
|
|
"/product/overlay/",
|
|
|
|
|
"/product/vendor_overlay/",
|
|
|
|
|
"/system/overlay/",
|
|
|
|
|
"/system/product/overlay/",
|
|
|
|
|
"/system/product/vendor_overlay/",
|
|
|
|
|
"/system/system_ext/overlay/",
|
|
|
|
|
"/system_ext/overlay/",
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
return pol.AssertPathTypesHaveAttr(partitions, exceptions, "system_file_type")
|
2018-09-27 19:21:37 +02:00
|
|
|
|
much more finegrained bpf selinux privs for networking mainline
Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.
BPFFS (ie. /sys/fs/bpf) labelling is as follows:
subdirectory selinux context mainline usecase / usable by
/ fs_bpf no (*) core operating system (ie. platform)
/net_private fs_bpf_net_private yes, T+ network_stack
/net_shared fs_bpf_net_shared yes, T+ network_stack & system_server
/netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd
/netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**]
/tethering fs_bpf_tethering yes, S+ network_stack
/vendor fs_bpf_vendor no, T+ vendor
* initial support for bpf was added back in P,
but things worked differently back then with no bpfloader,
and instead netd doing stuff by hand,
bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
(and was definitely there in R)
** additionally bpf programs are accesible to netutils_wrapper
for use by iptables xt_bpf extensions
'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).
The reason for splitting net_private vs tethering is that:
S+ must support 4.9+ kernels and S era bpfloader v0.2+
T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+
The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions. Older kernels have
a tendency to reject programs that newer kernels allow.
/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.
Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
(cherry picked from commit 15715aea32b85c933778b97a46de6ccab42ca7fb)
2022-05-21 14:03:29 +02:00
|
|
|
def TestBpffsTypeViolations(pol):
|
|
|
|
|
return pol.AssertGenfsFilesystemTypesHaveAttr("bpf", "bpffs_type")
|
|
|
|
|
|
2018-03-29 05:42:47 +02:00
|
|
|
def TestProcTypeViolations(pol):
|
|
|
|
|
return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
|
|
|
|
|
|
2017-09-26 21:58:29 +02:00
|
|
|
def TestSysfsTypeViolations(pol):
|
2018-03-22 01:27:20 +01:00
|
|
|
ret = pol.AssertGenfsFilesystemTypesHaveAttr("sysfs", "sysfs_type")
|
|
|
|
|
ret += pol.AssertPathTypesHaveAttr(["/sys/"], ["/sys/kernel/debug/",
|
2017-09-26 21:58:29 +02:00
|
|
|
"/sys/kernel/tracing"], "sysfs_type")
|
2018-03-22 01:27:20 +01:00
|
|
|
return ret
|
2017-09-26 21:58:29 +02:00
|
|
|
|
|
|
|
|
def TestDebugfsTypeViolations(pol):
|
2018-03-22 01:27:20 +01:00
|
|
|
ret = pol.AssertGenfsFilesystemTypesHaveAttr("debugfs", "debugfs_type")
|
|
|
|
|
ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
|
2017-09-26 21:58:29 +02:00
|
|
|
"/sys/kernel/tracing"], [], "debugfs_type")
|
2018-03-22 01:27:20 +01:00
|
|
|
return ret
|
2018-01-10 20:04:06 +01:00
|
|
|
|
2021-05-14 23:01:11 +02:00
|
|
|
def TestTracefsTypeViolations(pol):
|
|
|
|
|
ret = pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "tracefs_type")
|
|
|
|
|
ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/tracing"], [], "tracefs_type")
|
|
|
|
|
ret += pol.AssertPathTypesDoNotHaveAttr(["/sys/kernel/debug"],
|
|
|
|
|
["/sys/kernel/debug/tracing"], "tracefs_type",
|
|
|
|
|
[])
|
|
|
|
|
return ret
|
|
|
|
|
|
2018-01-10 20:04:06 +01:00
|
|
|
def TestVendorTypeViolations(pol):
|
2020-04-28 00:54:54 +02:00
|
|
|
partitions = ["/vendor/", "/odm/"]
|
|
|
|
|
exceptions = [
|
|
|
|
|
"/vendor/etc/selinux/",
|
|
|
|
|
"/vendor/odm/etc/selinux/",
|
|
|
|
|
"/odm/etc/selinux/",
|
|
|
|
|
]
|
|
|
|
|
return pol.AssertPathTypesHaveAttr(partitions, exceptions, "vendor_file_type")
|
2018-01-10 20:04:06 +01:00
|
|
|
|
2018-01-24 16:01:13 +01:00
|
|
|
def TestCoreDataTypeViolations(pol):
|
2018-02-08 18:54:59 +01:00
|
|
|
return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
|
|
|
|
|
"/data/vendor_ce", "/data/vendor_de"], "core_data_file_type")
|
2018-01-24 16:01:13 +01:00
|
|
|
|
2020-10-23 08:16:11 +02:00
|
|
|
def TestPropertyTypeViolations(pol):
|
|
|
|
|
return pol.AssertPropertyOwnersAreExclusive()
|
|
|
|
|
|
2020-11-12 19:08:18 +01:00
|
|
|
def TestAppDataTypeViolations(pol):
|
|
|
|
|
# Types with the app_data_file_type should only be used for app data files
|
|
|
|
|
# (/data/data/package.name etc) via seapp_contexts, and never applied
|
|
|
|
|
# explicitly to other files.
|
|
|
|
|
partitions = [
|
|
|
|
|
"/data/",
|
|
|
|
|
"/vendor/",
|
|
|
|
|
"/odm/",
|
|
|
|
|
"/product/",
|
|
|
|
|
]
|
|
|
|
|
exceptions = [
|
|
|
|
|
# These are used for app data files for the corresponding user and
|
|
|
|
|
# assorted other files.
|
|
|
|
|
# TODO(b/172812577): Use different types for the different purposes
|
|
|
|
|
"shell_data_file",
|
|
|
|
|
"bluetooth_data_file",
|
|
|
|
|
"nfc_data_file",
|
|
|
|
|
"radio_data_file",
|
|
|
|
|
]
|
|
|
|
|
return pol.AssertPathTypesDoNotHaveAttr(partitions, [], "app_data_file_type",
|
|
|
|
|
exceptions)
|
2020-12-15 07:57:49 +01:00
|
|
|
def TestDmaHeapDevTypeViolations(pol):
|
|
|
|
|
return pol.AssertPathTypesHaveAttr(["/dev/dma_heap/"], [],
|
|
|
|
|
"dmabuf_heap_device_type")
|
|
|
|
|
|
2020-11-12 19:08:18 +01:00
|
|
|
|
2020-10-23 08:16:11 +02:00
|
|
|
|
2017-09-26 21:58:29 +02:00
|
|
|
###
|
|
|
|
|
# extend OptionParser to allow the same option flag to be used multiple times.
|
|
|
|
|
# This is used to allow multiple file_contexts files and tests to be
|
|
|
|
|
# specified.
|
|
|
|
|
#
|
|
|
|
|
class MultipleOption(Option):
|
|
|
|
|
ACTIONS = Option.ACTIONS + ("extend",)
|
|
|
|
|
STORE_ACTIONS = Option.STORE_ACTIONS + ("extend",)
|
|
|
|
|
TYPED_ACTIONS = Option.TYPED_ACTIONS + ("extend",)
|
|
|
|
|
ALWAYS_TYPED_ACTIONS = Option.ALWAYS_TYPED_ACTIONS + ("extend",)
|
|
|
|
|
|
|
|
|
|
def take_action(self, action, dest, opt, value, values, parser):
|
|
|
|
|
if action == "extend":
|
|
|
|
|
values.ensure_value(dest, []).append(value)
|
|
|
|
|
else:
|
|
|
|
|
Option.take_action(self, action, dest, opt, value, values, parser)
|
|
|
|
|
|
2018-03-29 05:42:47 +02:00
|
|
|
Tests = [
|
much more finegrained bpf selinux privs for networking mainline
Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.
BPFFS (ie. /sys/fs/bpf) labelling is as follows:
subdirectory selinux context mainline usecase / usable by
/ fs_bpf no (*) core operating system (ie. platform)
/net_private fs_bpf_net_private yes, T+ network_stack
/net_shared fs_bpf_net_shared yes, T+ network_stack & system_server
/netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd
/netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**]
/tethering fs_bpf_tethering yes, S+ network_stack
/vendor fs_bpf_vendor no, T+ vendor
* initial support for bpf was added back in P,
but things worked differently back then with no bpfloader,
and instead netd doing stuff by hand,
bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
(and was definitely there in R)
** additionally bpf programs are accesible to netutils_wrapper
for use by iptables xt_bpf extensions
'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).
The reason for splitting net_private vs tethering is that:
S+ must support 4.9+ kernels and S era bpfloader v0.2+
T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+
The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions. Older kernels have
a tendency to reject programs that newer kernels allow.
/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.
Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
(cherry picked from commit 15715aea32b85c933778b97a46de6ccab42ca7fb)
2022-05-21 14:03:29 +02:00
|
|
|
"TestBpffsTypeViolations",
|
2018-03-29 05:42:47 +02:00
|
|
|
"TestDataTypeViolators",
|
|
|
|
|
"TestProcTypeViolations",
|
|
|
|
|
"TestSysfsTypeViolations",
|
2018-10-04 20:24:00 +02:00
|
|
|
"TestSystemTypeViolators",
|
2018-03-29 05:42:47 +02:00
|
|
|
"TestDebugfsTypeViolations",
|
2021-05-14 23:01:11 +02:00
|
|
|
"TestTracefsTypeViolations",
|
2018-03-29 05:42:47 +02:00
|
|
|
"TestVendorTypeViolations",
|
|
|
|
|
"TestCoreDataTypeViolations",
|
2020-11-12 19:08:18 +01:00
|
|
|
"TestPropertyTypeViolations",
|
|
|
|
|
"TestAppDataTypeViolations",
|
2020-12-15 07:57:49 +01:00
|
|
|
"TestDmaHeapDevTypeViolations",
|
2018-03-29 05:42:47 +02:00
|
|
|
]
|
2017-09-26 21:58:29 +02:00
|
|
|
|
2022-07-25 04:30:02 +02:00
|
|
|
def do_main(libpath):
|
|
|
|
|
"""
|
|
|
|
|
Args:
|
|
|
|
|
libpath: string, path to libsepolwrap.so
|
|
|
|
|
"""
|
2021-12-29 05:56:14 +01:00
|
|
|
usage = "sepolicy_tests -f vendor_file_contexts -f "
|
2017-09-26 21:58:29 +02:00
|
|
|
usage +="plat_file_contexts -p policy [--test test] [--help]"
|
|
|
|
|
parser = OptionParser(option_class=MultipleOption, usage=usage)
|
|
|
|
|
parser.add_option("-f", "--file_contexts", dest="file_contexts",
|
|
|
|
|
metavar="FILE", action="extend", type="string")
|
|
|
|
|
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
|
|
|
|
|
parser.add_option("-t", "--test", dest="test", action="extend",
|
|
|
|
|
help="Test options include "+str(Tests))
|
|
|
|
|
|
|
|
|
|
(options, args) = parser.parse_args()
|
|
|
|
|
|
|
|
|
|
if not options.policy:
|
|
|
|
|
sys.exit("Must specify monolithic policy file\n" + parser.usage)
|
|
|
|
|
if not os.path.exists(options.policy):
|
|
|
|
|
sys.exit("Error: policy file " + options.policy + " does not exist\n"
|
|
|
|
|
+ parser.usage)
|
|
|
|
|
|
|
|
|
|
if not options.file_contexts:
|
|
|
|
|
sys.exit("Error: Must specify file_contexts file(s)\n" + parser.usage)
|
|
|
|
|
for f in options.file_contexts:
|
|
|
|
|
if not os.path.exists(f):
|
|
|
|
|
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
|
|
|
|
|
parser.usage)
|
|
|
|
|
|
2021-12-29 05:56:14 +01:00
|
|
|
pol = policy.Policy(options.policy, options.file_contexts, libpath)
|
2017-09-26 21:58:29 +02:00
|
|
|
|
|
|
|
|
results = ""
|
|
|
|
|
# If an individual test is not specified, run all tests.
|
much more finegrained bpf selinux privs for networking mainline
Goal is to gain a better handle on who has access to which maps
and to allow (with bpfloader changes to create in one directory
and move into the target directory) per-map selection of
selinux context, while still having reasonable defaults for stuff
pinned directly into the target location.
BPFFS (ie. /sys/fs/bpf) labelling is as follows:
subdirectory selinux context mainline usecase / usable by
/ fs_bpf no (*) core operating system (ie. platform)
/net_private fs_bpf_net_private yes, T+ network_stack
/net_shared fs_bpf_net_shared yes, T+ network_stack & system_server
/netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd
/netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**]
/tethering fs_bpf_tethering yes, S+ network_stack
/vendor fs_bpf_vendor no, T+ vendor
* initial support for bpf was added back in P,
but things worked differently back then with no bpfloader,
and instead netd doing stuff by hand,
bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q
(and was definitely there in R)
** additionally bpf programs are accesible to netutils_wrapper
for use by iptables xt_bpf extensions
'mainline yes' currently means shipped by the com.android.tethering apex,
but this is really another case of bad naming, as it's really
the 'networking/connectivity/tethering' apex / mainline module.
Long term the plan is to merge a few other networking mainline modules
into it (and maybe give it a saner name...).
The reason for splitting net_private vs tethering is that:
S+ must support 4.9+ kernels and S era bpfloader v0.2+
T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+
The kernel affects the intelligence of the in-kernel bpf verifier
and the available bpf helper functions. Older kernels have
a tendency to reject programs that newer kernels allow.
/ && /vendor are not shipped via mainline, so only need to work
with the bpfloader that's part of the core os.
Bug: 218408035
Test: TreeHugger, manually on cuttlefish
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4
(cherry picked from commit 15715aea32b85c933778b97a46de6ccab42ca7fb)
2022-05-21 14:03:29 +02:00
|
|
|
if options.test is None or "TestBpffsTypeViolations" in options.test:
|
|
|
|
|
results += TestBpffsTypeViolations(pol)
|
2017-10-04 18:42:29 +02:00
|
|
|
if options.test is None or "TestDataTypeViolations" in options.test:
|
2017-09-26 21:58:29 +02:00
|
|
|
results += TestDataTypeViolations(pol)
|
2018-03-29 05:42:47 +02:00
|
|
|
if options.test is None or "TestProcTypeViolations" in options.test:
|
|
|
|
|
results += TestProcTypeViolations(pol)
|
2017-10-04 18:42:29 +02:00
|
|
|
if options.test is None or "TestSysfsTypeViolations" in options.test:
|
2017-09-26 21:58:29 +02:00
|
|
|
results += TestSysfsTypeViolations(pol)
|
2018-10-04 20:24:00 +02:00
|
|
|
if options.test is None or "TestSystemTypeViolations" in options.test:
|
|
|
|
|
results += TestSystemTypeViolations(pol)
|
2017-10-04 18:42:29 +02:00
|
|
|
if options.test is None or "TestDebugfsTypeViolations" in options.test:
|
2017-09-26 21:58:29 +02:00
|
|
|
results += TestDebugfsTypeViolations(pol)
|
2021-05-14 23:01:11 +02:00
|
|
|
if options.test is None or "TestTracefsTypeViolations" in options.test:
|
|
|
|
|
results += TestTracefsTypeViolations(pol)
|
2018-01-10 20:04:06 +01:00
|
|
|
if options.test is None or "TestVendorTypeViolations" in options.test:
|
|
|
|
|
results += TestVendorTypeViolations(pol)
|
2018-01-24 16:01:13 +01:00
|
|
|
if options.test is None or "TestCoreDataTypeViolations" in options.test:
|
|
|
|
|
results += TestCoreDataTypeViolations(pol)
|
2020-10-23 08:16:11 +02:00
|
|
|
if options.test is None or "TestPropertyTypeViolations" in options.test:
|
|
|
|
|
results += TestPropertyTypeViolations(pol)
|
2020-11-12 19:08:18 +01:00
|
|
|
if options.test is None or "TestAppDataTypeViolations" in options.test:
|
|
|
|
|
results += TestAppDataTypeViolations(pol)
|
2020-12-15 07:57:49 +01:00
|
|
|
if options.test is None or "TestDmaHeapDevTypeViolations" in options.test:
|
|
|
|
|
results += TestDmaHeapDevTypeViolations(pol)
|
2017-09-26 21:58:29 +02:00
|
|
|
|
|
|
|
|
if len(results) > 0:
|
|
|
|
|
sys.exit(results)
|
2022-07-25 04:30:02 +02:00
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
|
temp_dir = tempfile.mkdtemp()
|
|
|
|
|
try:
|
|
|
|
|
libname = "libsepolwrap" + SHARED_LIB_EXTENSION
|
|
|
|
|
libpath = os.path.join(temp_dir, libname)
|
|
|
|
|
with open(libpath, "wb") as f:
|
|
|
|
|
blob = pkgutil.get_data("sepolicy_tests", libname)
|
|
|
|
|
if not blob:
|
|
|
|
|
sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
|
|
|
|
|
f.write(blob)
|
|
|
|
|
do_main(libpath)
|
|
|
|
|
finally:
|
|
|
|
|
shutil.rmtree(temp_dir)
|
