1fc0682ec6
Bug: 37008075
Test: build policy on Marlin
Change-Id: I53748f94c5df66fa17a53e7d0bed1be6b8603544
(cherry picked from commit e1ddc6df75)
274 lines
9.3 KiB
Python
274 lines
9.3 KiB
Python
from optparse import OptionParser
|
|
from optparse import Option, OptionValueError
|
|
import os
|
|
import policy
|
|
import re
|
|
import sys
|
|
|
|
DEBUG=False
|
|
|
|
'''
|
|
Use file_contexts and policy to verify Treble requirements
|
|
are not violated.
|
|
'''
|
|
###
|
|
# Differentiate between domains that are part of the core Android platform and
|
|
# domains introduced by vendors
|
|
coreAppdomain = {
|
|
'bluetooth',
|
|
'ephemeral_app',
|
|
'isolated_app',
|
|
'nfc',
|
|
'platform_app',
|
|
'priv_app',
|
|
'radio',
|
|
'shared_relro',
|
|
'shell',
|
|
'system_app',
|
|
'untrusted_app',
|
|
'untrusted_app_25',
|
|
'untrusted_v2_app',
|
|
}
|
|
coredomainWhitelist = {
|
|
'adbd',
|
|
'kernel',
|
|
'postinstall',
|
|
'postinstall_dexopt',
|
|
'recovery',
|
|
'system_server',
|
|
}
|
|
coredomainWhitelist |= coreAppdomain
|
|
|
|
class scontext:
|
|
def __init__(self):
|
|
self.fromSystem = False
|
|
self.fromVendor = False
|
|
self.coredomain = False
|
|
self.appdomain = False
|
|
self.attributes = set()
|
|
self.entrypoints = []
|
|
self.entrypointpaths = []
|
|
|
|
def PrintScontexts():
|
|
for d in sorted(alldomains.keys()):
|
|
sctx = alldomains[d]
|
|
print d
|
|
print "\tcoredomain="+str(sctx.coredomain)
|
|
print "\tappdomain="+str(sctx.appdomain)
|
|
print "\tfromSystem="+str(sctx.fromSystem)
|
|
print "\tfromVendor="+str(sctx.fromVendor)
|
|
print "\tattributes="+str(sctx.attributes)
|
|
print "\tentrypoints="+str(sctx.entrypoints)
|
|
print "\tentrypointpaths="
|
|
if sctx.entrypointpaths is not None:
|
|
for path in sctx.entrypointpaths:
|
|
print "\t\t"+str(path)
|
|
|
|
alldomains = {}
|
|
coredomains = set()
|
|
appdomains = set()
|
|
vendordomains = set()
|
|
|
|
###
|
|
# Check whether the regex will match a file path starting with the provided
|
|
# prefix
|
|
#
|
|
# Compares regex entries in file_contexts with a path prefix. Regex entries
|
|
# are often more specific than this file prefix. For example, the regex could
|
|
# be /system/bin/foo\.sh and the prefix could be /system. This function
|
|
# loops over the regex removing characters from the end until
|
|
# 1) there is a match - return True or 2) run out of characters - return
|
|
# False.
|
|
#
|
|
def MatchPathPrefix(pathregex, prefix):
|
|
for i in range(len(pathregex), 0, -1):
|
|
try:
|
|
pattern = re.compile('^' + pathregex[0:i] + "$")
|
|
except:
|
|
continue
|
|
if pattern.match(prefix):
|
|
return True
|
|
return False
|
|
|
|
def GetAllDomains(pol):
|
|
global alldomains
|
|
for result in pol.QueryTypeAttribute("domain", True):
|
|
alldomains[result] = scontext()
|
|
|
|
def GetAppDomains():
|
|
global appdomains
|
|
global alldomains
|
|
for d in alldomains:
|
|
# The application of the "appdomain" attribute is trusted because core
|
|
# selinux policy contains neverallow rules that enforce that only zygote
|
|
# and runas spawned processes may transition to processes that have
|
|
# the appdomain attribute.
|
|
if "appdomain" in alldomains[d].attributes:
|
|
alldomains[d].appdomain = True
|
|
appdomains.add(d)
|
|
|
|
|
|
def GetCoreDomains():
|
|
global alldomains
|
|
global coredomains
|
|
for d in alldomains:
|
|
# TestCoredomainViolators will verify if coredomain was incorrectly
|
|
# applied.
|
|
if "coredomain" in alldomains[d].attributes:
|
|
alldomains[d].coredomain = True
|
|
coredomains.add(d)
|
|
# check whether domains are executed off of /system or /vendor
|
|
if d in coredomainWhitelist:
|
|
continue
|
|
# TODO, add checks to prevent app domains from being incorrectly
|
|
# labeled as coredomain. Apps don't have entrypoints as they're always
|
|
# dynamically transitioned to by zygote.
|
|
if d in appdomains:
|
|
continue
|
|
if not alldomains[d].entrypointpaths:
|
|
continue
|
|
for path in alldomains[d].entrypointpaths:
|
|
# Processes with entrypoint on /system
|
|
if ((MatchPathPrefix(path, "/system") and not
|
|
MatchPathPrefix(path, "/system/vendor")) or
|
|
MatchPathPrefix(path, "/init") or
|
|
MatchPathPrefix(path, "/charger")):
|
|
alldomains[d].fromSystem = True
|
|
# Processes with entrypoint on /vendor or /system/vendor
|
|
if (MatchPathPrefix(path, "/vendor") or
|
|
MatchPathPrefix(path, "/system/vendor")):
|
|
alldomains[d].fromVendor = True
|
|
|
|
###
|
|
# Add the entrypoint type and path(s) to each domain.
|
|
#
|
|
def GetDomainEntrypoints(pol):
|
|
global alldomains
|
|
for x in pol.QueryTERule(tclass="file", perms=["entrypoint"]):
|
|
if not x.sctx in alldomains:
|
|
continue
|
|
alldomains[x.sctx].entrypoints.append(str(x.tctx))
|
|
# postinstall_file represents a special case specific to A/B OTAs.
|
|
# Update_engine mounts a partition and relabels it postinstall_file.
|
|
# There is no file_contexts entry associated with postinstall_file
|
|
# so skip the lookup.
|
|
if x.tctx == "postinstall_file":
|
|
continue
|
|
entrypointpath = pol.QueryFc(x.tctx)
|
|
if not entrypointpath:
|
|
continue
|
|
alldomains[x.sctx].entrypointpaths.extend(entrypointpath)
|
|
###
|
|
# Get attributes associated with each domain
|
|
#
|
|
def GetAttributes(pol):
|
|
global alldomains
|
|
for domain in alldomains:
|
|
for result in pol.QueryTypeAttribute(domain, False):
|
|
alldomains[domain].attributes.add(result)
|
|
|
|
def setup(pol):
|
|
GetAllDomains(pol)
|
|
GetAttributes(pol)
|
|
GetDomainEntrypoints(pol)
|
|
GetAppDomains()
|
|
GetCoreDomains()
|
|
|
|
#############################################################
|
|
# Tests
|
|
#############################################################
|
|
def TestCoredomainViolations():
|
|
global alldomains
|
|
# verify that all domains launched from /system have the coredomain
|
|
# attribute
|
|
ret = ""
|
|
violators = []
|
|
for d in alldomains:
|
|
domain = alldomains[d]
|
|
if domain.fromSystem and "coredomain" not in domain.attributes:
|
|
violators.append(d);
|
|
if len(violators) > 0:
|
|
ret += "The following domain(s) must be associated with the "
|
|
ret += "\"coredomain\" attribute because they are executed off of "
|
|
ret += "/system:\n"
|
|
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
|
|
|
|
# verify that all domains launched form /vendor do not have the coredomain
|
|
# attribute
|
|
violators = []
|
|
for d in alldomains:
|
|
domain = alldomains[d]
|
|
if domain.fromVendor and "coredomain" in domain.attributes:
|
|
violators.append(d)
|
|
if len(violators) > 0:
|
|
ret += "The following domains must not be associated with the "
|
|
ret += "\"coredomain\" attribute because they are executed off of "
|
|
ret += "/vendor or /system/vendor:\n"
|
|
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
|
|
|
|
return ret
|
|
|
|
###
|
|
# extend OptionParser to allow the same option flag to be used multiple times.
|
|
# This is used to allow multiple file_contexts files and tests to be
|
|
# specified.
|
|
#
|
|
class MultipleOption(Option):
|
|
ACTIONS = Option.ACTIONS + ("extend",)
|
|
STORE_ACTIONS = Option.STORE_ACTIONS + ("extend",)
|
|
TYPED_ACTIONS = Option.TYPED_ACTIONS + ("extend",)
|
|
ALWAYS_TYPED_ACTIONS = Option.ALWAYS_TYPED_ACTIONS + ("extend",)
|
|
|
|
def take_action(self, action, dest, opt, value, values, parser):
|
|
if action == "extend":
|
|
values.ensure_value(dest, []).append(value)
|
|
else:
|
|
Option.take_action(self, action, dest, opt, value, values, parser)
|
|
|
|
Tests = ["CoredomainViolators"]
|
|
|
|
if __name__ == '__main__':
|
|
usage = "sepolicy-trebletests -f nonplat_file_contexts -f "
|
|
usage +="plat_file_contexts -p policy [--test test] [--help]"
|
|
parser = OptionParser(option_class=MultipleOption, usage=usage)
|
|
parser.add_option("-f", "--file_contexts", dest="file_contexts",
|
|
metavar="FILE", action="extend", type="string")
|
|
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
|
|
parser.add_option("-l", "--library-path", dest="libpath", metavar="FILE")
|
|
parser.add_option("-t", "--test", dest="test", action="extend",
|
|
help="Test options include "+str(Tests))
|
|
|
|
(options, args) = parser.parse_args()
|
|
|
|
if not options.libpath:
|
|
sys.exit("Must specify path to host libraries\n" + parser.usage)
|
|
if not os.path.exists(options.libpath):
|
|
sys.exit("Error: library-path " + options.libpath + " does not exist\n"
|
|
+ parser.usage)
|
|
|
|
if not options.policy:
|
|
sys.exit("Must specify monolithic policy file\n" + parser.usage)
|
|
if not os.path.exists(options.policy):
|
|
sys.exit("Error: policy file " + options.policy + " does not exist\n"
|
|
+ parser.usage)
|
|
|
|
if not options.file_contexts:
|
|
sys.exit("Error: Must specify file_contexts file(s)\n" + parser.usage)
|
|
for f in options.file_contexts:
|
|
if not os.path.exists(f):
|
|
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
|
|
parser.usage)
|
|
|
|
pol = policy.Policy(options.policy, options.file_contexts, options.libpath)
|
|
setup(pol)
|
|
|
|
if DEBUG:
|
|
PrintScontexts()
|
|
|
|
results = ""
|
|
# If an individual test is not specified, run all tests.
|
|
if options.test is None or "CoredomainViolations" in options.tests:
|
|
results += TestCoredomainViolations()
|
|
|
|
if len(results) > 0:
|
|
sys.exit(results)
|