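#!/usr/bin/env python3
# -*- coding: utf-8 -*-

#
# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Build-time consistency check between service cfg files and seccomp policy
# libraries: every policy library lib<name>_filter.z.so must be named after a
# service declared in a *.cfg file.
# NOTE(review): presumably the policy library is selected by service name at
# runtime, so a misnamed library would leave its service without the intended
# filter -- confirm against the seccomp loader.

import sys
import argparse
import json
import os

# File name affixes of a seccomp policy library: lib<name>_filter.z.so
_SECCOMP_LIB_PREFIX = 'lib'
_SECCOMP_LIB_SUFFIX = '_filter.z.so'


class ValidateError(Exception):
    """Raised when a cfg file or a seccomp library name fails validation."""

    def __init__(self, msg):
        super().__init__(msg)


def parse_cfg_file(file_name: str):
    """
    Load one cfg file in JSON format and return the service names it declares.

    Returns an empty set when the file has no "services" key. Raises
    ValidateError when a service is started through /system/bin/sa_main with
    an .xml profile as its second path element. A service entry without a
    "name" key raises KeyError.
    """
    # JSON text is read as UTF-8 explicitly so the result does not depend on
    # the locale of the build host.
    with open(file_name, encoding='utf-8') as fp:
        data = json.load(fp)

    services_name = set()
    if "services" not in data:
        return services_name

    for field in data['services']:
        services_name.add(field['name'])
        if "path" not in field:
            continue
        path = field['path']
        if len(path) == 2 and path[0] == "/system/bin/sa_main" and path[1].endswith('.xml'):
            raise ValidateError('cfg error,please use json file replace xml process name: ' + field['name'])
    return services_name


def collect_cfg_services_name(cfg_dir: str):
    """
    Return the union of the service names declared by every *.cfg file
    directly inside cfg_dir.

    A directory that does not exist yields an empty set, so a mistyped path is
    not detected here.
    """
    services_name = set()
    if not os.path.exists(cfg_dir):
        return services_name
    for file in os.listdir(cfg_dir):
        if file.endswith(".cfg"):
            services_name |= parse_cfg_file(os.path.join(cfg_dir, file))
    return services_name


def collect_seccomp_services_name(lib_dir: str):
    """
    Return the service names encoded in the seccomp policy libraries of lib_dir.

    Every entry of lib_dir must be named lib<name>_filter.z.so; anything else
    raises ValidateError. Names starting with 'com.' and the names in the
    allow list are skipped -- presumably these policies do not belong to a cfg
    service; confirm against the seccomp policy definitions.

    A directory that does not exist yields an empty set, in which case the
    later name check passes with nothing to compare.
    """
    services_name = set()
    name_allow_list = ['system', 'app', 'renderer', 'nwebspawn']
    if not os.path.exists(lib_dir):
        return services_name

    for file in os.listdir(lib_dir):
        if not file.startswith(_SECCOMP_LIB_PREFIX) or not file.endswith(_SECCOMP_LIB_SUFFIX):
            raise ValidateError('seccomp directory has other shared library except seccomp policy library')

        # Strip exactly the leading prefix and the trailing suffix. Searching
        # for the first occurrence of the suffix would truncate a name that
        # itself contains '_filter.z.so' and attribute the library to a
        # different service.
        name = file[len(_SECCOMP_LIB_PREFIX):-len(_SECCOMP_LIB_SUFFIX)]
        if not name.startswith('com.') and name not in name_allow_list:
            services_name.add(name)

    return services_name


def check_seccomp_services_name(servces_name: set, seccomp_services_name: set):
    """
    Raise ValidateError if a seccomp policy name has no matching cfg service.

    The check runs in one direction only: a service without a policy library
    is not reported. Names are visited in sorted order so the same name is
    reported on every run.
    """
    for name in sorted(seccomp_services_name):
        if name not in servces_name:
            raise ValidateError('service name {} not in cfg, please check the name used for seccomp'.format(name))


def main():
    """
    Validate the vendor and the system partition inputs, in that order.

    All four options are required: each value is passed straight to
    os.path.exists(), which raises TypeError on None, so an omitted option is
    now rejected by argparse with a usage message instead of a traceback.
    """
    parser = argparse.ArgumentParser(
        description='check whehter name is legal used for the seccomp policy shared library')
    parser.add_argument('--vendor-cfg-path', type=str, required=True,
                        help=('input vendor cfg path\n'))

    parser.add_argument('--vendor-seccomp-lib-path', type=str, required=True,
                        help=('input vendor seccomp cfg path\n'))

    parser.add_argument('--system-cfg-path', type=str, required=True,
                        help=('input system cfg path\n'))

    parser.add_argument('--system-seccomp-lib-path', type=str, required=True,
                        help='input system seccomp cfg path\n')

    args = parser.parse_args()
    vendor_services_name = collect_cfg_services_name(args.vendor_cfg_path)
    vendor_seccomp_services_name = collect_seccomp_services_name(args.vendor_seccomp_lib_path)
    check_seccomp_services_name(vendor_services_name, vendor_seccomp_services_name)

    system_services_name = collect_cfg_services_name(args.system_cfg_path)
    system_seccomp_services_name = collect_seccomp_services_name(args.system_seccomp_lib_path)
    check_seccomp_services_name(system_services_name, system_seccomp_services_name)


if __name__ == '__main__':
    sys.exit(main())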