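#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# Copyright (c) 2024 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

from devicetest.core.test_case import TestCase, Step
from PermissionUtils import PermissionUtils
import json

# @tc.number: STD-SECURITY-0200
# @tc.name: testSelinuxFileLable
# @tc.desc: [STD-SECURITY-0200] A feature should define its own file labels and
#           must not directly use the default labels of the large partitions
#           (for example the system, chipset and data partitions); otherwise
#           the resulting permissions are inevitably too broad.
class testSelinuxFileLable(TestCase):
    """Check that file_contexts gives partition-default labels only to top-level paths.

    The test reads /system/etc/selinux/targeted/contexts/file_contexts from the
    device and fails when an entry nested below a top-level directory carries
    one of the generic partition labels (system_file, data_file, ...), because
    such an entry inherits every permission granted on the whole partition.
    """

    def __init__(self, controllers):
        """Register the case with the framework under the class name."""
        self.TAG = self.__class__.__name__
        super().__init__(self.TAG, controllers)

    def setup(self):
        """Mark the setup step; no device preparation is needed."""
        Step("Setup")

    def process(self):
        """Scan file_contexts and fail on nested paths that use a default label.

        Raises:
            AssertionError: if the file_contexts file is missing on the device,
                or if at least one offending entry is found.
        """
        Step("Process")
        # `ls <file> | wc -l` prints 1 only when the file exists; ls reports a
        # missing file on stderr, leaving wc with no lines to count.
        existsCount = self.device1.execute_shell_command(
            "ls /system/etc/selinux/targeted/contexts/file_contexts | wc -l").strip()
        if existsCount != '1':
            self.log.info('selinux file configuration file not exist.')
            # Raised explicitly: a bare `assert False` is stripped under
            # `python -O`, which would let this check pass silently.
            raise AssertionError('selinux file configuration file not exist.')

        # Generic labels that belong to whole partitions / top-level directories.
        defaultLabels = {'u:object_r:rootfs:s0', 'u:object_r:configfs:s0', 'u:object_r:data_file:s0',
                         'u:object_r:dev_file:s0', 'u:object_r:vendor_file:s0', 'u:object_r:system_file:s0',
                         'u:object_r:etc_file:s0', 'u:object_r:lib_file:s0', 'u:object_r:sys_file:s0'}
        # Top-level path patterns listed by the original author. The list is not
        # consulted by the check below (the slash-count test is what enforces the
        # rule). Raw strings keep the regex escapes (`\+`) valid.
        defaultDirectories = [r'/', r'/lost\+found', r'/bin', r'/chip_prod', r'/init', r'/chipset', r'/mnt',
                              r'/proc', r'/storage', r'/sys_prod', r'/cust', r'/tmp', r'/module_update',
                              r'/config', r'/data(/.*)?', r'/dev(/.*)?', r'/vendor(/.*)?',
                              r'/eng_chipset(/.*)?', r'/version', r'/preload', r'/cust(/.*)?',
                              r'/preload(/.*)?', r'/version(/.*)?', r'/system(/.*)?', r'/eng_system(/.*)?',
                              r'/etc(/.*)?', r'/lib(/.*)?', r'/lib64(/.*)?', r'/sys']

        errorList = []
        fileContexts = self.device1.execute_shell_command(
            "cat /system/etc/selinux/targeted/contexts/file_contexts")
        # NOTE(review): if `cat` returns nothing (e.g. the file is unreadable) the
        # loop finds no entries and the test passes vacuously - confirm whether an
        # empty result should fail.
        for fileConfiguration in fileContexts.splitlines():
            configuration = fileConfiguration.strip().split()
            # Skip blank/short lines and comments; a commented-out entry is not policy.
            if len(configuration) < 2 or configuration[0].startswith('#'):
                continue
            # file_contexts lines are `pathname_regexp [file_type] security_context`.
            # Taking the last field keeps entries with a file-type specifier
            # (`--`, `-d`, ...) inside the check instead of skipping them.
            label = configuration[-1]
            if label not in defaultLabels:
                continue
            # str.rstrip() removes a trailing run of the characters ( / . * ) ?,
            # not the literal suffix, so '/data(/.*)?' and '/data/.*' both reduce
            # to '/data'. More than one remaining '/' means the entry sits below a
            # top-level directory.
            filePath = configuration[0].rstrip('(/.*)?')
            if filePath.count('/') > 1:
                errorList.append(configuration[0] + ' ' + label)

        if errorList:
            message = 'These file\'s lable is not allowed. errorList: [' + ', '.join(errorList) + ']'
            self.log.info(message)
            # Explicit raise so the failure survives `python -O` and carries the list.
            raise AssertionError(message)

    def teardown(self):
        """Mark the teardown step; nothing to clean up."""
        Step("Teardown")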