3a9d91ce68
Files under /dev should have dev_type attribute. Bug: 303367345 Test: m selinux_policy Change-Id: Iaa1e39338e2fae32086bd770c6f3ab4b33bb82aa
405 lines
17 KiB
Python
405 lines
17 KiB
Python
# Copyright 2021 The Android Open Source Project
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
from optparse import OptionParser
|
|
from optparse import Option, OptionValueError
|
|
import os
|
|
import pkgutil
|
|
import policy
|
|
import re
|
|
import shutil
|
|
import sys
|
|
import tempfile
|
|
|
|
SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
|
|
|
|
#############################################################
|
|
# Tests
|
|
#############################################################
|
|
def TestDataTypeViolations(pol):
|
|
return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")
|
|
|
|
def TestSystemTypeViolations(pol):
|
|
partitions = ["/system/", "/system_ext/", "/product/"]
|
|
exceptions = [
|
|
# devices before treble don't have a vendor partition
|
|
"/system/vendor/",
|
|
|
|
# overlay files are mounted over vendor
|
|
"/product/overlay/",
|
|
"/product/vendor_overlay/",
|
|
"/system/overlay/",
|
|
"/system/product/overlay/",
|
|
"/system/product/vendor_overlay/",
|
|
"/system/system_ext/overlay/",
|
|
"/system_ext/overlay/",
|
|
]
|
|
|
|
return pol.AssertPathTypesHaveAttr(partitions, exceptions, "system_file_type")
|
|
|
|
def TestBpffsTypeViolations(pol):
|
|
return pol.AssertGenfsFilesystemTypesHaveAttr("bpf", "bpffs_type")
|
|
|
|
def TestProcTypeViolations(pol):
|
|
return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
|
|
|
|
def TestSysfsTypeViolations(pol):
|
|
ret = pol.AssertGenfsFilesystemTypesHaveAttr("sysfs", "sysfs_type")
|
|
ret += pol.AssertPathTypesHaveAttr(["/sys/"], ["/sys/kernel/debug/",
|
|
"/sys/kernel/tracing"], "sysfs_type")
|
|
return ret
|
|
|
|
def TestDebugfsTypeViolations(pol):
|
|
ret = pol.AssertGenfsFilesystemTypesHaveAttr("debugfs", "debugfs_type")
|
|
ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
|
|
"/sys/kernel/tracing"], [], "debugfs_type")
|
|
return ret
|
|
|
|
def TestTracefsTypeViolations(pol):
|
|
ret = pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "tracefs_type")
|
|
ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/tracing"], [], "tracefs_type")
|
|
ret += pol.AssertPathTypesDoNotHaveAttr(["/sys/kernel/debug"],
|
|
["/sys/kernel/debug/tracing"], "tracefs_type",
|
|
[])
|
|
return ret
|
|
|
|
def TestVendorTypeViolations(pol):
|
|
partitions = ["/vendor/", "/odm/"]
|
|
exceptions = [
|
|
"/vendor/etc/selinux/",
|
|
"/vendor/odm/etc/selinux/",
|
|
"/odm/etc/selinux/",
|
|
]
|
|
return pol.AssertPathTypesHaveAttr(partitions, exceptions, "vendor_file_type")
|
|
|
|
def TestCoreDataTypeViolations(pol):
|
|
ret = pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
|
|
"/data/vendor_ce", "/data/vendor_de"], "core_data_file_type")
|
|
ret += pol.AssertPathTypesDoNotHaveAttr(["/data/vendor/", "/data/vendor_ce/",
|
|
"/data/vendor_de/"], [], "core_data_file_type")
|
|
return ret
|
|
|
|
def TestPropertyTypeViolations(pol):
|
|
return pol.AssertPropertyOwnersAreExclusive()
|
|
|
|
def TestAppDataTypeViolations(pol):
|
|
# Types with the app_data_file_type should only be used for app data files
|
|
# (/data/data/package.name etc) via seapp_contexts, and never applied
|
|
# explicitly to other files.
|
|
partitions = [
|
|
"/data/",
|
|
"/vendor/",
|
|
"/odm/",
|
|
"/product/",
|
|
]
|
|
exceptions = [
|
|
# These are used for app data files for the corresponding user and
|
|
# assorted other files.
|
|
# TODO(b/172812577): Use different types for the different purposes
|
|
"shell_data_file",
|
|
"bluetooth_data_file",
|
|
"nfc_data_file",
|
|
"radio_data_file",
|
|
]
|
|
return pol.AssertPathTypesDoNotHaveAttr(partitions, [], "app_data_file_type",
|
|
exceptions)
|
|
def TestDmaHeapDevTypeViolations(pol):
|
|
return pol.AssertPathTypesHaveAttr(["/dev/dma_heap/"], [],
|
|
"dmabuf_heap_device_type")
|
|
|
|
def TestCoredomainViolations(test_policy):
|
|
# verify that all domains launched from /system have the coredomain
|
|
# attribute
|
|
ret = ""
|
|
|
|
for d in test_policy.alldomains:
|
|
domain = test_policy.alldomains[d]
|
|
if domain.fromSystem and domain.fromVendor:
|
|
ret += "The following domain is system and vendor: " + d + "\n"
|
|
|
|
for domain in test_policy.alldomains.values():
|
|
ret += domain.error
|
|
|
|
violators = []
|
|
for d in test_policy.alldomains:
|
|
domain = test_policy.alldomains[d]
|
|
if domain.fromSystem and "coredomain" not in domain.attributes:
|
|
violators.append(d);
|
|
if len(violators) > 0:
|
|
ret += "The following domain(s) must be associated with the "
|
|
ret += "\"coredomain\" attribute because they are executed off of "
|
|
ret += "/system:\n"
|
|
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
|
|
|
|
# verify that all domains launched form /vendor do not have the coredomain
|
|
# attribute
|
|
violators = []
|
|
for d in test_policy.alldomains:
|
|
domain = test_policy.alldomains[d]
|
|
if domain.fromVendor and "coredomain" in domain.attributes:
|
|
violators.append(d)
|
|
if len(violators) > 0:
|
|
ret += "The following domains must not be associated with the "
|
|
ret += "\"coredomain\" attribute because they are executed off of "
|
|
ret += "/vendor or /system/vendor:\n"
|
|
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
|
|
|
|
return ret
|
|
|
|
def TestViolatorAttribute(test_policy, attribute):
|
|
# TODO(b/113124961): re-enable once all violator attributes are removed.
|
|
return ""
|
|
|
|
# ret = ""
|
|
# return ret
|
|
|
|
# violators = test_policy.DomainsWithAttribute(attribute)
|
|
# if len(violators) > 0:
|
|
# ret += "SELinux: The following domains violate the Treble ban "
|
|
# ret += "against use of the " + attribute + " attribute: "
|
|
# ret += " ".join(str(x) for x in sorted(violators)) + "\n"
|
|
# return ret
|
|
|
|
def TestViolatorAttributes(test_policy):
|
|
ret = ""
|
|
ret += TestViolatorAttribute(test_policy, "socket_between_core_and_vendor_violators")
|
|
ret += TestViolatorAttribute(test_policy, "vendor_executes_system_violators")
|
|
return ret
|
|
|
|
def TestIsolatedAttributeConsistency(test_policy):
|
|
permissionAllowList = {
|
|
# access given from technical_debt.cil
|
|
"codec2_config_prop" : ["file"],
|
|
"device_config_nnapi_native_prop":["file"],
|
|
"hal_allocator_default":["binder", "fd"],
|
|
"hal_codec2": ["binder", "fd"],
|
|
"hal_codec2_hwservice":["hwservice_manager"],
|
|
"hal_graphics_allocator": ["binder", "fd"],
|
|
"hal_graphics_allocator_service":["service_manager"],
|
|
"hal_graphics_allocator_hwservice":["hwservice_manager"],
|
|
"hal_graphics_allocator_server":["binder", "service_manager"],
|
|
"hal_graphics_mapper_hwservice":["hwservice_manager"],
|
|
"hal_neuralnetworks": ["binder", "fd"],
|
|
"hal_neuralnetworks_service": ["service_manager"],
|
|
"hal_neuralnetworks_hwservice":["hwservice_manager"],
|
|
"hal_omx_hwservice":["hwservice_manager"],
|
|
"hidl_allocator_hwservice":["hwservice_manager"],
|
|
"hidl_manager_hwservice":["hwservice_manager"],
|
|
"hidl_memory_hwservice":["hwservice_manager"],
|
|
"hidl_token_hwservice":["hwservice_manager"],
|
|
"hwservicemanager":["binder"],
|
|
"hwservicemanager_prop":["file"],
|
|
"mediacodec":["binder", "fd"],
|
|
"mediaswcodec":["binder", "fd"],
|
|
"media_variant_prop":["file"],
|
|
"nnapi_ext_deny_product_prop":["file"],
|
|
"servicemanager":["fd"],
|
|
"toolbox_exec": ["file"],
|
|
# extra types being granted to isolated_compute_app
|
|
"isolated_compute_allowed":["service_manager", "chr_file"],
|
|
}
|
|
|
|
def resolveHalServerSubtype(target):
|
|
# permission given as a client in technical_debt.cil
|
|
hal_server_attributes = [
|
|
"hal_codec2_server",
|
|
"hal_graphics_allocator_server",
|
|
"hal_neuralnetworks_server"]
|
|
|
|
for attr in hal_server_attributes:
|
|
if target in test_policy.pol.QueryTypeAttribute(Type=attr, IsAttr=True):
|
|
return attr.rsplit("_", 1)[0]
|
|
return target
|
|
|
|
def checkIsolatedComputeAllowed(tctx, tclass):
|
|
# check if the permission is in isolated_compute_allowed
|
|
allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_service", IsAttr=True) \
|
|
.union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_device", IsAttr=True))
|
|
return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]
|
|
|
|
def checkPermissions(permissions):
|
|
violated_permissions = []
|
|
for perm in permissions:
|
|
tctx, tclass, p = perm.split(":")
|
|
tctx = resolveHalServerSubtype(tctx)
|
|
# check unwanted permissions
|
|
if not checkIsolatedComputeAllowed(tctx, tclass) and \
|
|
( tctx not in permissionAllowList \
|
|
or tclass not in permissionAllowList[tctx] \
|
|
or ( p == "write") \
|
|
or ( p == "rw_file_perms") ):
|
|
violated_permissions += [perm]
|
|
return violated_permissions
|
|
|
|
ret = ""
|
|
|
|
isolatedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_app_all", IsAttr=True)
|
|
baseRules = test_policy.pol.QueryExpandedTERule(scontext=["isolated_app"])
|
|
basePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
|
|
for rule in baseRules for perm in rule.perms])
|
|
for subType in isolatedMemberTypes:
|
|
if subType == "isolated_app" : continue
|
|
currentTypeRule = test_policy.pol.QueryExpandedTERule(scontext=[subType])
|
|
typePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
|
|
for rule in currentTypeRule for perm in rule.perms
|
|
if not rule.tctx in [subType, subType + "_userfaultfd"]])
|
|
deltaPermissionSet = typePermissionSet.difference(basePermissionSet)
|
|
violated_permissions = checkPermissions(list(deltaPermissionSet))
|
|
for perm in violated_permissions:
|
|
ret += "allow %s %s:%s %s \n" % (subType, *perm.split(":"))
|
|
|
|
if ret:
|
|
ret = ("Found prohibited permission granted for isolated like types. " + \
|
|
"Please replace your allow statements that involve \"-isolated_app\" with " + \
|
|
"\"-isolated_app_all\". Violations are shown as the following: \n") + ret
|
|
return ret
|
|
|
|
def TestDevTypeViolations(pol):
|
|
exceptions = [
|
|
"/dev/socket",
|
|
]
|
|
exceptionTypes = [
|
|
"boringssl_self_test_marker", # /dev/boringssl/selftest
|
|
"cgroup_rc_file", # /dev/cgroup.rc
|
|
"dev_cpu_variant", # /dev/cpu_variant:{arch}
|
|
"fscklogs", # /dev/fscklogs
|
|
"properties_serial", # /dev/__properties__/properties_serial
|
|
"property_info", # /dev/__properties__/property_info
|
|
"runtime_event_log_tags_file", # /dev/event-log-tags
|
|
]
|
|
return pol.AssertPathTypesHaveAttr(["/dev"], exceptions,
|
|
"dev_type", exceptionTypes)
|
|
|
|
###
|
|
# extend OptionParser to allow the same option flag to be used multiple times.
|
|
# This is used to allow multiple file_contexts files and tests to be
|
|
# specified.
|
|
#
|
|
class MultipleOption(Option):
|
|
ACTIONS = Option.ACTIONS + ("extend",)
|
|
STORE_ACTIONS = Option.STORE_ACTIONS + ("extend",)
|
|
TYPED_ACTIONS = Option.TYPED_ACTIONS + ("extend",)
|
|
ALWAYS_TYPED_ACTIONS = Option.ALWAYS_TYPED_ACTIONS + ("extend",)
|
|
|
|
def take_action(self, action, dest, opt, value, values, parser):
|
|
if action == "extend":
|
|
values.ensure_value(dest, []).append(value)
|
|
else:
|
|
Option.take_action(self, action, dest, opt, value, values, parser)
|
|
|
|
Tests = [
|
|
"TestBpffsTypeViolations",
|
|
"TestDataTypeViolators",
|
|
"TestProcTypeViolations",
|
|
"TestSysfsTypeViolations",
|
|
"TestSystemTypeViolators",
|
|
"TestDebugfsTypeViolations",
|
|
"TestTracefsTypeViolations",
|
|
"TestVendorTypeViolations",
|
|
"TestCoreDataTypeViolations",
|
|
"TestPropertyTypeViolations",
|
|
"TestAppDataTypeViolations",
|
|
"TestDmaHeapDevTypeViolations",
|
|
"TestCoredomainViolations",
|
|
"TestViolatorAttributes",
|
|
"TestIsolatedAttributeConsistency",
|
|
"TestDevTypeViolations",
|
|
]
|
|
|
|
def do_main(libpath):
|
|
"""
|
|
Args:
|
|
libpath: string, path to libsepolwrap.so
|
|
"""
|
|
usage = "sepolicy_tests -f vendor_file_contexts -f "
|
|
usage +="plat_file_contexts -p policy [--test test] [--help]"
|
|
parser = OptionParser(option_class=MultipleOption, usage=usage)
|
|
parser.add_option("-f", "--file_contexts", dest="file_contexts",
|
|
metavar="FILE", action="extend", type="string")
|
|
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
|
|
parser.add_option("-t", "--test", dest="test", action="extend",
|
|
help="Test options include "+str(Tests))
|
|
|
|
(options, args) = parser.parse_args()
|
|
|
|
if not options.policy:
|
|
sys.exit("Must specify monolithic policy file\n" + parser.usage)
|
|
if not os.path.exists(options.policy):
|
|
sys.exit("Error: policy file " + options.policy + " does not exist\n"
|
|
+ parser.usage)
|
|
|
|
if not options.file_contexts:
|
|
sys.exit("Error: Must specify file_contexts file(s)\n" + parser.usage)
|
|
for f in options.file_contexts:
|
|
if not os.path.exists(f):
|
|
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
|
|
parser.usage)
|
|
|
|
pol = policy.Policy(options.policy, options.file_contexts, libpath)
|
|
test_policy = policy.TestPolicy()
|
|
test_policy.setup(pol)
|
|
|
|
results = ""
|
|
# If an individual test is not specified, run all tests.
|
|
if options.test is None or "TestBpffsTypeViolations" in options.test:
|
|
results += TestBpffsTypeViolations(pol)
|
|
if options.test is None or "TestDataTypeViolations" in options.test:
|
|
results += TestDataTypeViolations(pol)
|
|
if options.test is None or "TestProcTypeViolations" in options.test:
|
|
results += TestProcTypeViolations(pol)
|
|
if options.test is None or "TestSysfsTypeViolations" in options.test:
|
|
results += TestSysfsTypeViolations(pol)
|
|
if options.test is None or "TestSystemTypeViolations" in options.test:
|
|
results += TestSystemTypeViolations(pol)
|
|
if options.test is None or "TestDebugfsTypeViolations" in options.test:
|
|
results += TestDebugfsTypeViolations(pol)
|
|
if options.test is None or "TestTracefsTypeViolations" in options.test:
|
|
results += TestTracefsTypeViolations(pol)
|
|
if options.test is None or "TestVendorTypeViolations" in options.test:
|
|
results += TestVendorTypeViolations(pol)
|
|
if options.test is None or "TestCoreDataTypeViolations" in options.test:
|
|
results += TestCoreDataTypeViolations(pol)
|
|
if options.test is None or "TestPropertyTypeViolations" in options.test:
|
|
results += TestPropertyTypeViolations(pol)
|
|
if options.test is None or "TestAppDataTypeViolations" in options.test:
|
|
results += TestAppDataTypeViolations(pol)
|
|
if options.test is None or "TestDmaHeapDevTypeViolations" in options.test:
|
|
results += TestDmaHeapDevTypeViolations(pol)
|
|
if options.test is None or "TestCoredomainViolations" in options.test:
|
|
results += TestCoredomainViolations(test_policy)
|
|
if options.test is None or "TestViolatorAttributes" in options.test:
|
|
results += TestViolatorAttributes(test_policy)
|
|
if options.test is None or "TestIsolatedAttributeConsistency" in options.test:
|
|
results += TestIsolatedAttributeConsistency(test_policy)
|
|
|
|
# dev type test won't be run as default
|
|
if options.test and "TestDevTypeViolations" in options.test:
|
|
results += TestDevTypeViolations(pol)
|
|
|
|
if len(results) > 0:
|
|
sys.exit(results)
|
|
|
|
if __name__ == '__main__':
|
|
temp_dir = tempfile.mkdtemp()
|
|
try:
|
|
libname = "libsepolwrap" + SHARED_LIB_EXTENSION
|
|
libpath = os.path.join(temp_dir, libname)
|
|
with open(libpath, "wb") as f:
|
|
blob = pkgutil.get_data("sepolicy_tests", libname)
|
|
if not blob:
|
|
sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
|
|
f.write(blob)
|
|
do_main(libpath)
|
|
finally:
|
|
shutil.rmtree(temp_dir)
|