#!/usr/bin/env python # coding: utf-8 """ Copyright (c) 2021-2022 Huawei Device Co., Ltd. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. """ import os import argparse import re import shutil import subprocess from collections import defaultdict def parse_args(): parser = argparse.ArgumentParser() parser.add_argument( '--dst-dir', help='the output dest path', required=True) parser.add_argument('--tool-path', help='the sefcontext_compile bin path', required=True) parser.add_argument('--policy-file', help='the policy.31 file', required=True) parser.add_argument('--source-root-dir', help='prj root path', required=True) parser.add_argument('--policy_dir_list', help='policy dirs need to be included', required=True) parser.add_argument('--components', help='system or vendor or default', required=True) return parser.parse_args() def run_command(in_cmd): cmdstr = " ".join(in_cmd) ret = subprocess.run(cmdstr, shell=True).returncode if ret != 0: raise Exception(ret) def traverse_folder_in_type(search_dir_list, file_suffix): """ for special folder search_dir, find all files endwith file_suffix. :param search_dir: path to search :param file_suffix: postfix of file name :return: file list """ flag = 0 policy_file_list = [] for item in search_dir_list: for root, _, files in os.walk(item): for each_file in files: file_name = os.path.basename(each_file) if file_name == file_suffix: file_list_path = os.path.join(root, each_file) flag |= check_contexts_file(file_list_path) policy_file_list.append(file_list_path) if flag: raise Exception(flag) policy_file_list.sort() return " ".join(str(x) for x in policy_file_list) def check_contexts_file(contexts_file): """ Check the format of contexts file. :param contexts_file: list of te file :return: """ err = 0 lines = [] with open(contexts_file, 'rb') as fp: lines = fp.readlines() if len(lines) == 0: return 0 last_line = lines[-1] if b'\n' not in last_line: print("".join((contexts_file, " : need an empty line at end \n"))) err = 1 for line in lines: if line.endswith(b'\r\n') or line.endswith(b'\r'): print("".join((contexts_file, " : must be unix format\n"))) err = 1 break return err def combine_contexts_file(file_contexts_list, combined_file_contexts): cat_cmd = ["cat", file_contexts_list, ">", combined_file_contexts + "_tmp"] run_command(cat_cmd) grep_cmd = ["grep -v ^#", combined_file_contexts + "_tmp", "| grep -v ^$", ">", combined_file_contexts] run_command(grep_cmd) def check_redefinition(contexts_file): type_hash = defaultdict(list) err = 0 with open(contexts_file, 'r') as contexts_read: pattern = re.compile(r'(\S+)\s+u:object_r:\S+:s0') line_index = 0 for line in contexts_read: line_ = line.lstrip() line_index += 1 if line_.startswith('#') or line_.strip() == '': continue match = pattern.match(line_) if match: type_hash[match.group(1)].append(line_index) else: print(contexts_file + ":" + str(line_index) + " format check fail") err = 1 contexts_read.close() if err: print("***********************************************************") print("please check whether the format meets the following rules:") print("[required format]: * u:object_r:*:s0") print("***********************************************************") raise Exception(err) err = 0 for type_key in type_hash.keys(): if len(type_hash[type_key]) > 1: err = 1 str_seq = (contexts_file, ":") err_msg = "".join(str_seq) for linenum in type_hash[type_key]: str_seq = (err_msg, str(linenum), ":") err_msg = "".join(str_seq) str_seq = (err_msg, "'type ", str(type_key), " is redefinition'") err_msg = "".join(str_seq) print(err_msg) if err: raise Exception(err) def check_common_contexts(args, contexts_file): """ check whether context used in contexts_file is defined in policy.31. :param args: :param contexts_file: path of contexts file :return: """ check_redefinition(contexts_file) check_cmd = [os.path.join(args.tool_path, "sefcontext_compile"), "-o", contexts_file + ".bin", "-p", args.policy_file, contexts_file] run_command(check_cmd) if os.path.exists(contexts_file + ".bin"): os.unlink(contexts_file + ".bin") def echo_error(): print("***********************************************************") print("please check whether the format meets the following rules:") print("[required format]: apl=* name=* domain=* type=*") print("apl=*, apl should be one of system_core|system_basic|normal") print("name=*, name is 'optional'") print("domain=*, hapdomain selinux type") print("type=*, hapdatafile selinux type") print("***********************************************************") def check_sehap_contexts(args, contexts_file, domain): """ check domain or type defined in sehap_contexts. :param args: :param contexts_file: path of contexts file :param domain: true for domain, false for type :return: """ shutil.copyfile(contexts_file, contexts_file + "_bk") err = 0 with open(contexts_file + "_bk", 'r') as contexts_read, open(contexts_file, 'w') as contexts_write: pattern = re.compile( r'apl=(system_core|system_basic|normal)\s+((name|debuggable)=\S+\s+)?domain=(\S+)\s+type=(\S+)\s*\n') line_index = 0 for line in contexts_read: line_ = line.lstrip() line_index += 1 if line_.startswith('#') or line_.strip() == '': contexts_write.write(line) continue match = pattern.match(line_) if match: if domain: line = match.group(1) + " u:r:" + match.group(4) + ":s0\n" else: line = match.group(1) + " u:object_r:" + \ match.group(5) + ":s0\n" contexts_write.write(line) else: print(contexts_file + ":" + str(line_index) + " format check fail") err = 1 if err: shutil.move(contexts_file + "_bk", contexts_file) echo_error() raise Exception(err) check_cmd = [os.path.join(args.tool_path, "sefcontext_compile"), "-o", contexts_file + ".bin", "-p", args.policy_file, contexts_file] ret = subprocess.run(" ".join(check_cmd), shell=True).returncode if ret != 0: shutil.move(contexts_file + "_bk", contexts_file) raise Exception(ret) shutil.move(contexts_file + "_bk", contexts_file) if os.path.exists(contexts_file + ".bin"): os.unlink(contexts_file + ".bin") def build_file_contexts(args, output_path, policy_path, all_policy_path): if args.components == "default": all_combined_file_contexts = os.path.join(output_path, "file_contexts") else: all_combined_file_contexts = os.path.join(output_path, "all_file_contexts") file_contexts_list = traverse_folder_in_type(policy_path, "file_contexts") combined_file_contexts = os.path.join(output_path, "file_contexts") combine_contexts_file(file_contexts_list, combined_file_contexts) all_file_contexts_list = traverse_folder_in_type( all_policy_path, "file_contexts") combine_contexts_file(all_file_contexts_list, all_combined_file_contexts) check_redefinition(all_combined_file_contexts) build_bin_cmd = [os.path.join(args.tool_path, "sefcontext_compile"), "-o", os.path.join(args.dst_dir, "file_contexts.bin"), "-p", args.policy_file, all_combined_file_contexts] run_command(build_bin_cmd) def build_common_contexts(args, output_path, contexts_file_name, policy_path, all_policy_path): if args.components == "default": all_combined_contexts = output_path + contexts_file_name else: all_combined_contexts = output_path + "all_" + contexts_file_name contexts_list = traverse_folder_in_type(policy_path, contexts_file_name) combined_contexts = output_path + contexts_file_name combine_contexts_file(contexts_list, combined_contexts) all_contexts_list = traverse_folder_in_type(all_policy_path, contexts_file_name) combine_contexts_file(all_contexts_list, all_combined_contexts) check_common_contexts(args, all_combined_contexts) def build_sehap_contexts(args, output_path, policy_path): contexts_list = traverse_folder_in_type( policy_path, "sehap_contexts") combined_contexts = os.path.join(output_path, "sehap_contexts") combine_contexts_file(contexts_list, combined_contexts) check_sehap_contexts(args, combined_contexts, 1) check_sehap_contexts(args, combined_contexts, 0) def prepare_build_path(dir_list, root_dir, build_dir_list): build_contexts_list = ["base/security/selinux_adapter/sepolicy/base", "base/security/selinux_adapter/sepolicy/ohos_policy"] build_contexts_list += dir_list.split(":") for i in build_contexts_list: if i == "" or i == "default": continue path = os.path.join(root_dir, i) if (os.path.exists(path)): build_dir_list.append(path) else: print("following path not exists!! {}".format(path)) exit(-1) def traverse_folder_in_dir_name(search_dir, folder_suffix): folder_list = [] for root, dirs, _ in os.walk(search_dir): for dir_i in dirs: if dir_i == folder_suffix: folder_list.append(os.path.join(root, dir_i)) return folder_list def main(args): libpcre2_path = os.path.realpath("./clang_x64/thirdparty/pcre2/") os.environ['LD_LIBRARY_PATH'] = libpcre2_path output_path = args.dst_dir policy_path = [] prepare_build_path(args.policy_dir_list, args.source_root_dir, policy_path) public_policy = [] system_policy = [] vendor_policy = [] for item in policy_path: public_policy += traverse_folder_in_dir_name(item, "public") system_policy += traverse_folder_in_dir_name(item, "system") vendor_policy += traverse_folder_in_dir_name(item, "vendor") system_folder_list = public_policy + system_policy vendor_folder_list = public_policy + vendor_policy all_folder_list = public_policy + system_policy + vendor_policy folder_list = [] if args.components == "system": folder_list = system_folder_list elif args.components == "vendor": folder_list = vendor_folder_list else: folder_list = all_folder_list build_file_contexts(args, output_path, folder_list, all_folder_list) build_common_contexts(args, output_path, "service_contexts", folder_list, all_folder_list) build_common_contexts(args, output_path, "hdf_service_contexts", folder_list, all_folder_list) build_common_contexts(args, output_path, "parameter_contexts", folder_list, all_folder_list) build_sehap_contexts(args, output_path, all_folder_list) if __name__ == "__main__": input_args = parse_args() main(input_args)