platform_system_sepolicy/tests/mini_parser.py

# Copyright 2021 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

from os.path import basename
import re
import sys

# A very limited parser whose job is to process the compatibility mapping
# files and retrieve type and attribute information until proper support is
# built into libsepol

class MiniCilParser:
    def __init__(self, policyFile):
        self.types = set() # types declared in mapping
        self.pubtypes = set()
        self.expandtypeattributes = {}
        self.typeattributes = set() # attributes declared in mapping
        self.typeattributesets = {} # sets defined in mapping
        self.rTypeattributesets = {} # reverse mapping of above sets
        self.apiLevel = None

        with open(policyFile, 'r') as infile:
            s = self._getNextStmt(infile)
            while s:
                self._parseStmt(s)
                s = self._getNextStmt(infile)
        fn = basename(policyFile)
        m = re.match(r"(\d+\.\d+).+\.cil", fn)
        if m:
            self.apiLevel = m.group(1)

    def unparse(self):
        def wrapParens(stmt):
            return "(" + stmt + ")"

        def joinWrapParens(entries):
            return wrapParens(" ".join(entries))

        result = ""
        for ty in sorted(self.types):
            result += joinWrapParens(["type", ty]) + "\n"

        for ta in sorted(self.typeattributes):
            result += joinWrapParens(["typeattribute", ta]) + "\n"

        for eta in sorted(self.expandtypeattributes.items(),
                          key=lambda x: x[0]):
            result += joinWrapParens(
                    ["expandtypeattribute", wrapParens(eta[0]), eta[1]]) + "\n"

        for tas in sorted(self.typeattributesets.items(), key=lambda x: x[0]):
            result += joinWrapParens(
                    ["typeattributeset", tas[0],
                     joinWrapParens(sorted(tas[1]))]) + "\n"

        return result

    def _getNextStmt(self, infile):
        parens = 0
        s = ""
        c = infile.read(1)
        # get to first statement
        while c and c != "(":
            c = infile.read(1)

        parens += 1
        c = infile.read(1)
        while c and parens != 0:
            s += c
            c = infile.read(1)
            if c == ';':
                # comment, get rid of rest of the line
                while c != '\n':
                    c = infile.read(1)
            elif c == '(':
                parens += 1
            elif c == ')':
                parens -= 1
        return s

    def _parseType(self, stmt):
        m = re.match(r"type\s+(.+)", stmt)
        self.types.add(m.group(1))
        return

    def _parseExpandtypeattribute(self, stmt):
        m = re.match(r"expandtypeattribute\s+\((.+)\)\s+(true|false)", stmt)
        self.expandtypeattributes[m.group(1)] = m.group(2)
        return

    def _parseTypeattribute(self, stmt):
        m = re.match(r"typeattribute\s+(.+)", stmt)
        self.typeattributes.add(m.group(1))
        return

    def _parseTypeattributeset(self, stmt):
        m = re.match(r"typeattributeset\s+(.+?)\s+\((.+?)\)", stmt, flags = re.M |re.S)
        ta = m.group(1)
        # this isn't proper expression parsing, but will do for our
        # current use
        tas = m.group(2).split()

        if self.typeattributesets.get(ta) is None:
            self.typeattributesets[ta] = set()
        self.typeattributesets[ta].update(set(tas))
        for t in tas:
            if self.rTypeattributesets.get(t) is None:
                self.rTypeattributesets[t] = set()
            self.rTypeattributesets[t].update([ta])

        # check to see if this typeattributeset is a versioned public type
        pub = re.match(r"(\w+)_\d+_\d+", ta)
        if pub is not None:
            self.pubtypes.add(pub.group(1))
        return

    def _parseStmt(self, stmt):
        if re.match(r"type\s+.+", stmt):
            self._parseType(stmt)
        elif re.match(r"typeattribute\s+.+", stmt):
            self._parseTypeattribute(stmt)
        elif re.match(r"typeattributeset\s+.+", stmt):
            self._parseTypeattributeset(stmt)
        elif re.match(r"expandtypeattribute\s+.+", stmt):
            self._parseExpandtypeattribute(stmt)
        return

if __name__ == '__main__':
    f = sys.argv[1]
    p = MiniCilParser(f)
Migrate tests/ to Python 3 In general, it appears that libselinux and libsepol interpret paths and contexts as bytes. For instance, selabel_file(5) mentions about the path field of file_contexts: Strings representing paths are processed as bytes (as opposed to Unicode), meaning that non-ASCII characters are not matched by a single wildcard. libsepol also uses primitives such as strchr[1], which explicitly operate at the byte level (see strchr(3)). However, practically, Android paths and contexts all uses ASCII characters. Use the str type (i.e., Unicode) for all Python code to avoid a larger refactoring. Ensure we convert to bytes for inputs and outputs of libsepolwrap.so. The encoding "ascii" is used, which will raise an error should a context or type contain non-ASCII characters. Update headers to match development/docs/copyright-templates. [1] https://cs.android.com/android/platform/superproject/+/master:external/selinux/libsepol/src/context_record.c;l=224;drc=454466e2e49fd99f36db78396e604962b8682cb4 Bug: 200119288 Test: lunch aosp_bramble-userdebug && m Test: atest --host fc_sort_test Test: manually run searchpolicy Change-Id: I72d41a35f90b2d4112e481cd8d7408764a6c8132 2021-11-25 23:12:41 +01:00			`# Copyright 2021 The Android Open Source Project`
			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`

Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb 2017-09-26 21:58:29 +02:00			`from os.path import basename`
			`import re`
			`import sys`

			`# A very limited parser whose job is to process the compatibility mapping`
			`# files and retrieve type and attribute information until proper support is`
			`# built into libsepol`

			`class MiniCilParser:`
Don't require private types in mapping file. Private types are not visible to vendor/odm policy, so we don't need mapping entries for them. We build platform-only public policy .cil file and give it as input to treble_sepolicy_tests. Using this public policy the test can now figure out if the newly added type in public or private. Bug: 116344577 Test: adding public type triggers mapping test failure, adding private type does not. Change-Id: I421f335e37274b24aa73109e260653d7b73788b5 2018-09-29 02:21:08 +02:00			`def __init__(self, policyFile):`
			`self.types = set() # types declared in mapping`
			`self.pubtypes = set()`
Only maintain maps between current and previous selinux versions. New maintenance scheme for mapping files: Say, V is the current SELinux platform version, then at any point in time we only maintain (V->V-1) mapping. (V->V-n) map is constructed from top (V->V-n+1) and bottom (V-n+1->V-n) without changes to previously maintained mapping files. Caveats: - 26.0.cil doesn't technically represent 27.0->26.0 map, but rather current->26.0. We'll fully migrate to the scheme with future releases. Bug: 67510052 Test: adding new public type only requires changing the latest compat map Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8 2018-09-30 02:47:10 +02:00			`self.expandtypeattributes = {}`
Don't require private types in mapping file. Private types are not visible to vendor/odm policy, so we don't need mapping entries for them. We build platform-only public policy .cil file and give it as input to treble_sepolicy_tests. Using this public policy the test can now figure out if the newly added type in public or private. Bug: 116344577 Test: adding public type triggers mapping test failure, adding private type does not. Change-Id: I421f335e37274b24aa73109e260653d7b73788b5 2018-09-29 02:21:08 +02:00			`self.typeattributes = set() # attributes declared in mapping`
			`self.typeattributesets = {} # sets defined in mapping`
			`self.rTypeattributesets = {} # reverse mapping of above sets`
			`self.apiLevel = None`

			`with open(policyFile, 'r') as infile:`
			`s = self._getNextStmt(infile)`
			`while s:`
			`self._parseStmt(s)`
			`s = self._getNextStmt(infile)`
			`fn = basename(policyFile)`
			`m = re.match(r"(\d+\.\d+).+\.cil", fn)`
			`if m:`
			`self.apiLevel = m.group(1)`
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb 2017-09-26 21:58:29 +02:00
Only maintain maps between current and previous selinux versions. New maintenance scheme for mapping files: Say, V is the current SELinux platform version, then at any point in time we only maintain (V->V-1) mapping. (V->V-n) map is constructed from top (V->V-n+1) and bottom (V-n+1->V-n) without changes to previously maintained mapping files. Caveats: - 26.0.cil doesn't technically represent 27.0->26.0 map, but rather current->26.0. We'll fully migrate to the scheme with future releases. Bug: 67510052 Test: adding new public type only requires changing the latest compat map Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8 2018-09-30 02:47:10 +02:00			`def unparse(self):`
			`def wrapParens(stmt):`
			`return "(" + stmt + ")"`

			`def joinWrapParens(entries):`
			`return wrapParens(" ".join(entries))`

			`result = ""`
			`for ty in sorted(self.types):`
			`result += joinWrapParens(["type", ty]) + "\n"`

			`for ta in sorted(self.typeattributes):`
			`result += joinWrapParens(["typeattribute", ta]) + "\n"`

			`for eta in sorted(self.expandtypeattributes.items(),`
			`key=lambda x: x[0]):`
			`result += joinWrapParens(`
			`["expandtypeattribute", wrapParens(eta[0]), eta[1]]) + "\n"`

			`for tas in sorted(self.typeattributesets.items(), key=lambda x: x[0]):`
			`result += joinWrapParens(`
			`["typeattributeset", tas[0],`
			`joinWrapParens(sorted(tas[1]))]) + "\n"`

			`return result`

Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb 2017-09-26 21:58:29 +02:00			`def _getNextStmt(self, infile):`
			`parens = 0`
			`s = ""`
			`c = infile.read(1)`
			`# get to first statement`
			`while c and c != "(":`
			`c = infile.read(1)`

			`parens += 1`
			`c = infile.read(1)`
			`while c and parens != 0:`
			`s += c`
			`c = infile.read(1)`
			`if c == ';':`
			`# comment, get rid of rest of the line`
			`while c != '\n':`
			`c = infile.read(1)`
			`elif c == '(':`
			`parens += 1`
			`elif c == ')':`
			`parens -= 1`
			`return s`

			`def _parseType(self, stmt):`
			`m = re.match(r"type\s+(.+)", stmt)`
			`self.types.add(m.group(1))`
			`return`

Only maintain maps between current and previous selinux versions. New maintenance scheme for mapping files: Say, V is the current SELinux platform version, then at any point in time we only maintain (V->V-1) mapping. (V->V-n) map is constructed from top (V->V-n+1) and bottom (V-n+1->V-n) without changes to previously maintained mapping files. Caveats: - 26.0.cil doesn't technically represent 27.0->26.0 map, but rather current->26.0. We'll fully migrate to the scheme with future releases. Bug: 67510052 Test: adding new public type only requires changing the latest compat map Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8 2018-09-30 02:47:10 +02:00			`def _parseExpandtypeattribute(self, stmt):`
			`m = re.match(r"expandtypeattribute\s+\((.+)\)\s+(true\|false)", stmt)`
			`self.expandtypeattributes[m.group(1)] = m.group(2)`
			`return`

Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb 2017-09-26 21:58:29 +02:00			`def _parseTypeattribute(self, stmt):`
			`m = re.match(r"typeattribute\s+(.+)", stmt)`
			`self.typeattributes.add(m.group(1))`
			`return`

			`def _parseTypeattributeset(self, stmt):`
			`m = re.match(r"typeattributeset\s+(.+?)\s+\((.+?)\)", stmt, flags = re.M \|re.S)`
			`ta = m.group(1)`
			`# this isn't proper expression parsing, but will do for our`
			`# current use`
			`tas = m.group(2).split()`

			`if self.typeattributesets.get(ta) is None:`
			`self.typeattributesets[ta] = set()`
			`self.typeattributesets[ta].update(set(tas))`
			`for t in tas:`
			`if self.rTypeattributesets.get(t) is None:`
			`self.rTypeattributesets[t] = set()`
Only maintain maps between current and previous selinux versions. New maintenance scheme for mapping files: Say, V is the current SELinux platform version, then at any point in time we only maintain (V->V-1) mapping. (V->V-n) map is constructed from top (V->V-n+1) and bottom (V-n+1->V-n) without changes to previously maintained mapping files. Caveats: - 26.0.cil doesn't technically represent 27.0->26.0 map, but rather current->26.0. We'll fully migrate to the scheme with future releases. Bug: 67510052 Test: adding new public type only requires changing the latest compat map Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8 2018-09-30 02:47:10 +02:00			`self.rTypeattributesets[t].update([ta])`
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb 2017-09-26 21:58:29 +02:00
			`# check to see if this typeattributeset is a versioned public type`
			`pub = re.match(r"(\w+)_\d+_\d+", ta)`
			`if pub is not None:`
			`self.pubtypes.add(pub.group(1))`
			`return`

			`def _parseStmt(self, stmt):`
			`if re.match(r"type\s+.+", stmt):`
			`self._parseType(stmt)`
			`elif re.match(r"typeattribute\s+.+", stmt):`
			`self._parseTypeattribute(stmt)`
			`elif re.match(r"typeattributeset\s+.+", stmt):`
			`self._parseTypeattributeset(stmt)`
Only maintain maps between current and previous selinux versions. New maintenance scheme for mapping files: Say, V is the current SELinux platform version, then at any point in time we only maintain (V->V-1) mapping. (V->V-n) map is constructed from top (V->V-n+1) and bottom (V-n+1->V-n) without changes to previously maintained mapping files. Caveats: - 26.0.cil doesn't technically represent 27.0->26.0 map, but rather current->26.0. We'll fully migrate to the scheme with future releases. Bug: 67510052 Test: adding new public type only requires changing the latest compat map Change-Id: Iab5564e887ef2c8004cb493505dd56c6220c61f8 2018-09-30 02:47:10 +02:00			`elif re.match(r"expandtypeattribute\s+.+", stmt):`
			`self._parseExpandtypeattribute(stmt)`
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb 2017-09-26 21:58:29 +02:00			`return`

			`if __name__ == '__main__':`
			`f = sys.argv[1]`
			`p = MiniCilParser(f)`