treble_sepolicy_tests.py: require recognized loc am: 000ec93900
Change-Id: If42957f4780d41233e20af3b8307397aa82b2504
This commit is contained in:
Steven Moreland
Automerger Merge Worker
commit
e3834b6de2
1 changed files with 43 additions and 19 deletions
|
|
@ -13,10 +13,14 @@ DEBUG=False
|
||||||
Use file_contexts and policy to verify Treble requirements
|
Use file_contexts and policy to verify Treble requirements
|
||||||
are not violated.
|
are not violated.
|
||||||
'''
|
'''
|
||||||
###
|
|
||||||
# TODO: how do we make sure vendor_init doesn't have bad coupling with /vendor?
|
|
||||||
coredomainWhitelist = {
|
coredomainWhitelist = {
|
||||||
|
# TODO: how do we make sure vendor_init doesn't have bad coupling with
|
||||||
|
# /vendor? It is the only system process which is not coredomain.
|
||||||
'vendor_init',
|
'vendor_init',
|
||||||
|
# TODO(b/152813275): need to avoid whitelist for rootdir
|
||||||
|
"modprobe",
|
||||||
|
"slideshow",
|
||||||
|
"healthd",
|
||||||
}
|
}
|
||||||
|
|
||||||
class scontext:
|
class scontext:
|
||||||
|
|
@ -28,6 +32,7 @@ class scontext:
|
||||||
self.attributes = set()
|
self.attributes = set()
|
||||||
self.entrypoints = []
|
self.entrypoints = []
|
||||||
self.entrypointpaths = []
|
self.entrypointpaths = []
|
||||||
|
self.error = ""
|
||||||
|
|
||||||
def PrintScontexts():
|
def PrintScontexts():
|
||||||
for d in sorted(alldomains.keys()):
|
for d in sorted(alldomains.keys()):
|
||||||
|
|
@ -80,32 +85,42 @@ def GetCoreDomains():
|
||||||
global alldomains
|
global alldomains
|
||||||
global coredomains
|
global coredomains
|
||||||
for d in alldomains:
|
for d in alldomains:
|
||||||
|
domain = alldomains[d]
|
||||||
# TestCoredomainViolations will verify if coredomain was incorrectly
|
# TestCoredomainViolations will verify if coredomain was incorrectly
|
||||||
# applied.
|
# applied.
|
||||||
if "coredomain" in alldomains[d].attributes:
|
if "coredomain" in domain.attributes:
|
||||||
alldomains[d].coredomain = True
|
domain.coredomain = True
|
||||||
coredomains.add(d)
|
coredomains.add(d)
|
||||||
# check whether domains are executed off of /system or /vendor
|
# check whether domains are executed off of /system or /vendor
|
||||||
if d in coredomainWhitelist:
|
if d in coredomainWhitelist:
|
||||||
continue
|
continue
|
||||||
# TODO, add checks to prevent app domains from being incorrectly
|
# TODO(b/153112003): add checks to prevent app domains from being
|
||||||
# labeled as coredomain. Apps don't have entrypoints as they're always
|
# incorrectly labeled as coredomain. Apps don't have entrypoints as
|
||||||
# dynamically transitioned to by zygote.
|
# they're always dynamically transitioned to by zygote.
|
||||||
if d in appdomains:
|
if d in appdomains:
|
||||||
continue
|
continue
|
||||||
if not alldomains[d].entrypointpaths:
|
# TODO(b/153112747): need to handle cases where there is a dynamic
|
||||||
|
# transition OR there happens to be no context in AOSP files.
|
||||||
|
if not domain.entrypointpaths:
|
||||||
continue
|
continue
|
||||||
for path in alldomains[d].entrypointpaths:
|
|
||||||
# Processes with entrypoint on /system
|
for path in domain.entrypointpaths:
|
||||||
if ((MatchPathPrefix(path, "/system") and not
|
vendor = any(MatchPathPrefix(path, prefix) for prefix in
|
||||||
MatchPathPrefix(path, "/system/vendor")) or
|
["/vendor", "/odm"])
|
||||||
MatchPathPrefix(path, "/init") or
|
system = any(MatchPathPrefix(path, prefix) for prefix in
|
||||||
MatchPathPrefix(path, "/charger")):
|
["/init", "/system_ext", "/product" ])
|
||||||
alldomains[d].fromSystem = True
|
|
||||||
# Processes with entrypoint on /vendor or /system/vendor
|
# only mark entrypoint as system if it is not in legacy /system/vendor
|
||||||
if (MatchPathPrefix(path, "/vendor") or
|
if MatchPathPrefix(path, "/system/vendor"):
|
||||||
MatchPathPrefix(path, "/system/vendor")):
|
vendor = True
|
||||||
alldomains[d].fromVendor = True
|
elif MatchPathPrefix(path, "/system"):
|
||||||
|
system = True
|
||||||
|
|
||||||
|
if not vendor and not system:
|
||||||
|
domain.error += "Unrecognized entrypoint for " + d + " at " + path + "\n"
|
||||||
|
|
||||||
|
domain.fromSystem = domain.fromSystem or system
|
||||||
|
domain.fromVendor = domain.fromVendor or vendor
|
||||||
|
|
||||||
###
|
###
|
||||||
# Add the entrypoint type and path(s) to each domain.
|
# Add the entrypoint type and path(s) to each domain.
|
||||||
|
|
@ -173,6 +188,15 @@ def TestCoredomainViolations():
|
||||||
# verify that all domains launched from /system have the coredomain
|
# verify that all domains launched from /system have the coredomain
|
||||||
# attribute
|
# attribute
|
||||||
ret = ""
|
ret = ""
|
||||||
|
|
||||||
|
for d in alldomains:
|
||||||
|
domain = alldomains[d]
|
||||||
|
if domain.fromSystem and domain.fromVendor:
|
||||||
|
ret += "The following domain is system and vendor: " + d + "\n"
|
||||||
|
|
||||||
|
for domain in alldomains.values():
|
||||||
|
ret += domain.error
|
||||||
|
|
||||||
violators = []
|
violators = []
|
||||||
for d in alldomains:
|
for d in alldomains:
|
||||||
domain = alldomains[d]
|
domain = alldomains[d]
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue