1#!/usr/bin/env python 2 3src_header = """/* 4 * Copyright (C) 2014 The Android Open Source Project 5 * 6 * Licensed under the Apache License, Version 2.0 (the "License"); 7 * you may not use this file except in compliance with the License. 8 * You may obtain a copy of the License at 9 * 10 * http://www.apache.org/licenses/LICENSE-2.0 11 * 12 * Unless required by applicable law or agreed to in writing, software 13 * distributed under the License is distributed on an "AS IS" BASIS, 14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 * See the License for the specific language governing permissions and 16 * limitations under the License. 17 */ 18 19package android.security.cts; 20 21import android.platform.test.annotations.RestrictedBuildTest; 22import com.android.compatibility.common.tradefed.build.CompatibilityBuildHelper; 23import com.android.compatibility.common.util.PropertyUtil; 24import com.android.tradefed.build.IBuildInfo; 25import com.android.tradefed.device.ITestDevice; 26import com.android.tradefed.testtype.DeviceTestCase; 27import com.android.tradefed.testtype.IBuildReceiver; 28import com.android.tradefed.testtype.IDeviceTest; 29 30import java.io.BufferedReader; 31import java.io.File; 32import java.io.InputStream; 33import java.io.InputStreamReader; 34 35/** 36 * Neverallow Rules SELinux tests. 37 */ 38public class SELinuxNeverallowRulesTest extends DeviceTestCase implements IBuildReceiver, IDeviceTest { 39 private File sepolicyAnalyze; 40 private File devicePolicyFile; 41 private File deviceSystemPolicyFile; 42 43 private IBuildInfo mBuild; 44 private int mVendorSepolicyVersion = -1; 45 private int mSystemSepolicyVersion = -1; 46 47 /** 48 * A reference to the device under test. 49 */ 50 private ITestDevice mDevice; 51 52 /** 53 * {@inheritDoc} 54 */ 55 @Override 56 public void setBuild(IBuildInfo build) { 57 mBuild = build; 58 } 59 60 /** 61 * {@inheritDoc} 62 */ 63 @Override 64 public void setDevice(ITestDevice device) { 65 super.setDevice(device); 66 mDevice = device; 67 } 68 @Override 69 protected void setUp() throws Exception { 70 super.setUp(); 71 CompatibilityBuildHelper buildHelper = new CompatibilityBuildHelper(mBuild); 72 sepolicyAnalyze = android.security.cts.SELinuxHostTest.copyResourceToTempFile("/sepolicy-analyze"); 73 sepolicyAnalyze.setExecutable(true); 74 75 devicePolicyFile = android.security.cts.SELinuxHostTest.getDevicePolicyFile(mDevice); 76 77 if (isSepolicySplit()) { 78 deviceSystemPolicyFile = 79 android.security.cts.SELinuxHostTest.getDeviceSystemPolicyFile(mDevice); 80 81 // Caching this variable to save time. 82 if (mVendorSepolicyVersion == -1) { 83 mVendorSepolicyVersion = 84 android.security.cts.SELinuxHostTest.getVendorSepolicyVersion(mBuild, mDevice); 85 } 86 if (mSystemSepolicyVersion == -1) { 87 mSystemSepolicyVersion = 88 android.security.cts.SELinuxHostTest.getSystemSepolicyVersion(mBuild); 89 } 90 } 91 } 92 93 @Override 94 protected void tearDown() throws Exception { 95 super.tearDown(); 96 sepolicyAnalyze.delete(); 97 } 98 99 private boolean isFullTrebleDevice() throws Exception { 100 return android.security.cts.SELinuxHostTest.isFullTrebleDevice(mDevice); 101 } 102 103 private boolean isDeviceLaunchingWithR() throws Exception { 104 return PropertyUtil.getFirstApiLevel(mDevice) > 29; 105 } 106 107 private boolean isDeviceLaunchingWithS() throws Exception { 108 return PropertyUtil.getFirstApiLevel(mDevice) > 30; 109 } 110 111 private boolean isCompatiblePropertyEnforcedDevice() throws Exception { 112 return android.security.cts.SELinuxHostTest.isCompatiblePropertyEnforcedDevice(mDevice); 113 } 114 115 private boolean isSepolicySplit() throws Exception { 116 return android.security.cts.SELinuxHostTest.isSepolicySplit(mDevice); 117 } 118""" 119src_body = "" 120src_footer = """} 121""" 122 123src_method = """ 124 @RestrictedBuildTest 125 public void testNeverallowRules() throws Exception { 126 String neverallowRule = "$NEVERALLOW_RULE_HERE$"; 127 boolean fullTrebleOnly = $TREBLE_ONLY_BOOL_HERE$; 128 boolean launchingWithROnly = $LAUNCHING_WITH_R_ONLY_BOOL_HERE$; 129 boolean launchingWithSOnly = $LAUNCHING_WITH_S_ONLY_BOOL_HERE$; 130 boolean compatiblePropertyOnly = $COMPATIBLE_PROPERTY_ONLY_BOOL_HERE$; 131 132 if ((fullTrebleOnly) && (!isFullTrebleDevice())) { 133 // This test applies only to Treble devices but this device isn't one 134 return; 135 } 136 if ((launchingWithROnly) && (!isDeviceLaunchingWithR())) { 137 // This test applies only to devices launching with R or later but this device isn't one 138 return; 139 } 140 if ((launchingWithSOnly) && (!isDeviceLaunchingWithS())) { 141 // This test applies only to devices launching with S or later but this device isn't one 142 return; 143 } 144 if ((compatiblePropertyOnly) && (!isCompatiblePropertyEnforcedDevice())) { 145 // This test applies only to devices on which compatible property is enforced but this 146 // device isn't one 147 return; 148 } 149 150 // If sepolicy is split and vendor sepolicy version is behind platform's, 151 // only test against platform policy. 152 File policyFile = 153 (isSepolicySplit() && mVendorSepolicyVersion < mSystemSepolicyVersion) ? 154 deviceSystemPolicyFile : 155 devicePolicyFile; 156 157 /* run sepolicy-analyze neverallow check on policy file using given neverallow rules */ 158 ProcessBuilder pb = new ProcessBuilder(sepolicyAnalyze.getAbsolutePath(), 159 policyFile.getAbsolutePath(), "neverallow", "-w", "-n", 160 neverallowRule); 161 pb.redirectOutput(ProcessBuilder.Redirect.PIPE); 162 pb.redirectErrorStream(true); 163 Process p = pb.start(); 164 BufferedReader result = new BufferedReader(new InputStreamReader(p.getInputStream())); 165 String line; 166 StringBuilder errorString = new StringBuilder(); 167 while ((line = result.readLine()) != null) { 168 errorString.append(line); 169 errorString.append("\\n"); 170 } 171 p.waitFor(); 172 assertTrue("The following errors were encountered when validating the SELinux" 173 + "neverallow rule:\\n" + neverallowRule + "\\n" + errorString, 174 errorString.length() == 0); 175 } 176""" 177