c945a104c0
This can detect a common mistake of not labeling binaries in APEX. Note - we can't simply check if the lable has exec_type attribute because there're many exceptions. Bug: 324005965 Test: atest apex_sepolicy_tests_test Change-Id: Ib643e8b73fac1a3b8851804e58e69b19d32b997d
222 lines
6.2 KiB
Python
222 lines
6.2 KiB
Python
#!/usr/bin/env python3
|
|
#
|
|
# Copyright 2023 The Android Open Source Project
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
""" A tool to test APEX file_contexts
|
|
|
|
Usage:
|
|
$ deapexer list -Z foo.apex > /tmp/fc
|
|
$ apex_sepolicy_tests -f /tmp/fc
|
|
"""
|
|
|
|
|
|
import argparse
|
|
import os
|
|
import pathlib
|
|
import pkgutil
|
|
import re
|
|
import sys
|
|
import tempfile
|
|
from dataclasses import dataclass
|
|
from typing import List
|
|
|
|
import policy
|
|
|
|
|
|
SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
|
|
LIBSEPOLWRAP = "libsepolwrap" + SHARED_LIB_EXTENSION
|
|
|
|
|
|
@dataclass
|
|
class Is:
|
|
"""Exact matcher for a path."""
|
|
path: str
|
|
|
|
|
|
@dataclass
|
|
class Glob:
|
|
"""Path matcher with pathlib.PurePath.match"""
|
|
pattern: str
|
|
|
|
|
|
@dataclass
|
|
class Regex:
|
|
"""Path matcher with re.match"""
|
|
pattern: str
|
|
|
|
|
|
@dataclass
|
|
class BinaryFile:
|
|
pass
|
|
|
|
|
|
Matcher = Is | Glob | Regex | BinaryFile
|
|
|
|
|
|
# predicate functions for Func matcher
|
|
|
|
|
|
@dataclass
|
|
class AllowPerm:
|
|
"""Rule checking if scontext has 'perm' to the entity"""
|
|
tclass: str
|
|
scontext: set[str]
|
|
perm: str
|
|
|
|
|
|
@dataclass
|
|
class ResolveType:
|
|
"""Rule checking if type can be resolved"""
|
|
pass
|
|
|
|
|
|
@dataclass
|
|
class NotAnyOf:
|
|
"""Rule checking if entity is not labelled as any of the given labels"""
|
|
labels: set[str]
|
|
|
|
|
|
Rule = AllowPerm | ResolveType | NotAnyOf
|
|
|
|
|
|
# Helper for 'read'
|
|
def AllowRead(tclass, scontext):
|
|
return AllowPerm(tclass, scontext, 'read')
|
|
|
|
|
|
def match_path(path: str, matcher: Matcher) -> bool:
|
|
"""True if path matches with the given matcher"""
|
|
match matcher:
|
|
case Is(target):
|
|
return path == target
|
|
case Glob(pattern):
|
|
return pathlib.PurePath(path).match(pattern)
|
|
case Regex(pattern):
|
|
return re.match(pattern, path)
|
|
case BinaryFile:
|
|
return path.startswith('./bin/') and not path.endswith('/')
|
|
|
|
|
|
def check_rule(pol, path: str, tcontext: str, rule: Rule) -> List[str]:
|
|
"""Returns error message if scontext can't read the target"""
|
|
errors = []
|
|
match rule:
|
|
case AllowPerm(tclass, scontext, perm):
|
|
# Test every source in scontext(set)
|
|
for s in scontext:
|
|
te_rules = list(pol.QueryTERule(scontext={s},
|
|
tcontext={tcontext},
|
|
tclass={tclass},
|
|
perms={perm}))
|
|
if len(te_rules) > 0:
|
|
continue # no errors
|
|
|
|
errors.append(f"Error: {path}: {s} can't {perm}. (tcontext={tcontext})")
|
|
case ResolveType():
|
|
if tcontext not in pol.GetAllTypes(False):
|
|
errors.append(f"Error: {path}: tcontext({tcontext}) is unknown")
|
|
case NotAnyOf(labels):
|
|
if tcontext in labels:
|
|
errors.append(f"Error: {path}: can't be labelled as '{tcontext}'")
|
|
return errors
|
|
|
|
|
|
target_specific_rules = [
|
|
(Glob('*'), ResolveType()),
|
|
]
|
|
|
|
|
|
generic_rules = [
|
|
# binaries should be executable
|
|
(BinaryFile, NotAnyOf({'vendor_file'})),
|
|
# permissions
|
|
(Is('./etc/permissions/'), AllowRead('dir', {'system_server'})),
|
|
(Glob('./etc/permissions/*.xml'), AllowRead('file', {'system_server'})),
|
|
# init scripts with optional SDK version (e.g. foo.rc, foo.32rc)
|
|
(Regex('\./etc/.*\.\d*rc'), AllowRead('file', {'init'})),
|
|
# vintf fragments
|
|
(Is('./etc/vintf/'), AllowRead('dir', {'servicemanager', 'apexd'})),
|
|
(Glob('./etc/vintf/*.xml'), AllowRead('file', {'servicemanager', 'apexd'})),
|
|
# ./ and apex_manifest.pb
|
|
(Is('./apex_manifest.pb'), AllowRead('file', {'linkerconfig', 'apexd'})),
|
|
(Is('./'), AllowPerm('dir', {'linkerconfig', 'apexd'}, 'search')),
|
|
# linker.config.pb
|
|
(Is('./etc/linker.config.pb'), AllowRead('file', {'linkerconfig'})),
|
|
]
|
|
|
|
|
|
all_rules = target_specific_rules + generic_rules
|
|
|
|
|
|
def check_line(pol: policy.Policy, line: str, rules) -> List[str]:
|
|
"""Parses a file_contexts line and runs checks"""
|
|
# skip empty/comment line
|
|
line = line.strip()
|
|
if line == '' or line[0] == '#':
|
|
return []
|
|
|
|
# parse
|
|
split = line.split()
|
|
if len(split) != 2:
|
|
return [f"Error: invalid file_contexts: {line}"]
|
|
path, context = split[0], split[1]
|
|
if len(context.split(':')) != 4:
|
|
return [f"Error: invalid file_contexts: {line}"]
|
|
tcontext = context.split(':')[2]
|
|
|
|
# check rules
|
|
errors = []
|
|
for matcher, rule in rules:
|
|
if match_path(path, matcher):
|
|
errors.extend(check_rule(pol, path, tcontext, rule))
|
|
return errors
|
|
|
|
|
|
def extract_data(name, temp_dir):
|
|
out_path = os.path.join(temp_dir, name)
|
|
with open(out_path, 'wb') as f:
|
|
blob = pkgutil.get_data('apex_sepolicy_tests', name)
|
|
if not blob:
|
|
sys.exit(f"Error: {name} does not exist. Is this binary corrupted?\n")
|
|
f.write(blob)
|
|
return out_path
|
|
|
|
|
|
def do_main(work_dir):
|
|
"""Do testing"""
|
|
parser = argparse.ArgumentParser()
|
|
parser.add_argument('--all', action='store_true', help='tests ALL aspects')
|
|
parser.add_argument('-f', '--file_contexts', help='output of "deapexer list -Z"')
|
|
args = parser.parse_args()
|
|
|
|
lib_path = extract_data(LIBSEPOLWRAP, work_dir)
|
|
policy_path = extract_data('precompiled_sepolicy', work_dir)
|
|
pol = policy.Policy(policy_path, None, lib_path)
|
|
|
|
if args.all:
|
|
rules = all_rules
|
|
else:
|
|
rules = generic_rules
|
|
|
|
errors = []
|
|
with open(args.file_contexts, 'rt', encoding='utf-8') as file_contexts:
|
|
for line in file_contexts:
|
|
errors.extend(check_line(pol, line, rules))
|
|
if len(errors) > 0:
|
|
sys.exit('\n'.join(errors))
|
|
|
|
|
|
if __name__ == '__main__':
|
|
with tempfile.TemporaryDirectory() as temp_dir:
|
|
do_main(temp_dir)
|