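#!/usr/bin/env python
"""Source fragments for a generated SELinux neverallow-rule CTS test.

The strings below are the pieces of one Java source file
(SELinuxNeverallowRulesTest): a fixed header and footer, an (empty) body,
and a per-rule test method template.  The method template carries four
placeholders that the rest of this script is expected to substitute (the
substitution itself is not part of this fragment -- confirm against the
caller):

  $NEVERALLOW_RULE_HERE$                 text of the neverallow rule under test
  $TREBLE_ONLY_BOOL_HERE$                Java boolean: only check full-Treble devices
  $LAUNCHING_WITH_R_ONLY_BOOL_HERE$      Java boolean: only check devices launching with R+
  $COMPATIBLE_PROPERTY_ONLY_BOOL_HERE$   Java boolean: only check devices enforcing
                                         compatible property

Backslashes inside the templates are doubled so that the generated Java
contains a literal "\\n" escape sequence rather than a raw newline.
"""

# Fixed class preamble: license, imports, fields, build/device plumbing and
# the device-capability helpers the generated test methods call.
src_header = """/*
 * Copyright (C) 2014 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.security.cts;

import android.platform.test.annotations.RestrictedBuildTest;
import com.android.compatibility.common.tradefed.build.CompatibilityBuildHelper;
import com.android.compatibility.common.util.PropertyUtil;
import com.android.tradefed.build.IBuildInfo;
import com.android.tradefed.device.ITestDevice;
import com.android.tradefed.testtype.DeviceTestCase;
import com.android.tradefed.testtype.IBuildReceiver;
import com.android.tradefed.testtype.IDeviceTest;

import java.io.BufferedReader;
import java.io.File;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;

/**
 * Neverallow Rules SELinux tests.
 */
public class SELinuxNeverallowRulesTest extends DeviceTestCase implements IBuildReceiver, IDeviceTest {
    /** Vendor sepolicy versions below this are checked against the system policy only. */
    private static final int Q_SEPOLICY_VERSION = 29;
    /** Host-side copy of the sepolicy-analyze binary, extracted from test resources. */
    private File sepolicyAnalyze;
    /** Combined policy pulled from the device. */
    private File devicePolicyFile;
    /** System-only policy; populated only when sepolicy is split. */
    private File deviceSystemPolicyFile;

    private IBuildInfo mBuild;
    /** Vendor sepolicy version; -1 until first read in setUp(). */
    private int mVendorSepolicyVersion = -1;

    /**
     * A reference to the device under test.
     */
    private ITestDevice mDevice;

    /**
     * {@inheritDoc}
     */
    @Override
    public void setBuild(IBuildInfo build) {
        mBuild = build;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public void setDevice(ITestDevice device) {
        super.setDevice(device);
        mDevice = device;
    }

    @Override
    protected void setUp() throws Exception {
        super.setUp();
        CompatibilityBuildHelper buildHelper = new CompatibilityBuildHelper(mBuild);
        sepolicyAnalyze = android.security.cts.SELinuxHostTest.copyResourceToTempFile("/sepolicy-analyze");
        sepolicyAnalyze.setExecutable(true);

        devicePolicyFile = android.security.cts.SELinuxHostTest.getDevicePolicyFile(mDevice);

        if (isSepolicySplit()) {
            deviceSystemPolicyFile =
                    android.security.cts.SELinuxHostTest.getDeviceSystemPolicyFile(mDevice);

            // Caching this variable to save time.
            if (mVendorSepolicyVersion == -1) {
                mVendorSepolicyVersion =
                        android.security.cts.SELinuxHostTest.getVendorSepolicyVersion(mDevice);
            }
        }
    }

    private boolean isFullTrebleDevice() throws Exception {
        return android.security.cts.SELinuxHostTest.isFullTrebleDevice(mDevice);
    }

    private boolean isDeviceLaunchingWithR() throws Exception {
        return PropertyUtil.getFirstApiLevel(mDevice) > 29;
    }

    private boolean isCompatiblePropertyEnforcedDevice() throws Exception {
        return android.security.cts.SELinuxHostTest.isCompatiblePropertyEnforcedDevice(mDevice);
    }

    private boolean isSepolicySplit() throws Exception {
        return android.security.cts.SELinuxHostTest.isSepolicySplit(mDevice);
    }
"""

# Nothing is emitted between the header and the generated methods.
src_body = ""

# Closes the class opened in src_header.
src_footer = """}
"""

# One test method per neverallow rule.  The analyzer's stdout and stderr are
# merged and drained *before* waitFor(): a rule with many violations can emit
# more than a pipe buffer's worth of output, and waiting first would block
# both processes.  The assertion message deliberately includes the offending
# rule so a failure is attributable without re-running the analyzer.
src_method = """
    @RestrictedBuildTest
    public void testNeverallowRules() throws Exception {
        String neverallowRule = "$NEVERALLOW_RULE_HERE$";
        boolean fullTrebleOnly = $TREBLE_ONLY_BOOL_HERE$;
        boolean launchingWithROnly = $LAUNCHING_WITH_R_ONLY_BOOL_HERE$;
        boolean compatiblePropertyOnly = $COMPATIBLE_PROPERTY_ONLY_BOOL_HERE$;

        if ((fullTrebleOnly) && (!isFullTrebleDevice())) {
            // This test applies only to Treble devices but this device isn't one
            return;
        }
        if ((launchingWithROnly) && (!isDeviceLaunchingWithR())) {
            // This test applies only to devices launching with R or later but this device isn't one
            return;
        }
        if ((compatiblePropertyOnly) && (!isCompatiblePropertyEnforcedDevice())) {
            // This test applies only to devices on which compatible property is enforced but this
            // device isn't one
            return;
        }

        // If sepolicy is split and vendor sepolicy version is behind platform's,
        // only test against platform policy.
        File policyFile =
                (isSepolicySplit() && mVendorSepolicyVersion < Q_SEPOLICY_VERSION) ?
                deviceSystemPolicyFile :
                devicePolicyFile;

        /* run sepolicy-analyze neverallow check on policy file using given neverallow rules */
        ProcessBuilder pb = new ProcessBuilder(sepolicyAnalyze.getAbsolutePath(),
                policyFile.getAbsolutePath(), "neverallow", "-w", "-n",
                neverallowRule);
        pb.redirectOutput(ProcessBuilder.Redirect.PIPE);
        pb.redirectErrorStream(true);
        Process p = pb.start();
        // Drain the merged output before waiting so a verbose analyzer cannot
        // fill the pipe and deadlock against waitFor().
        StringBuilder errorString = new StringBuilder();
        try (BufferedReader result = new BufferedReader(
                new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = result.readLine()) != null) {
                errorString.append(line);
                errorString.append("\\n");
            }
        }
        p.waitFor();
        // Any output at all is treated as a violation report; the exit status
        // is not consulted here.
        assertTrue("The following errors were encountered when validating the SELinux "
                + "neverallow rule:\\n" + neverallowRule + "\\n" + errorString,
                errorString.length() == 0);
    }
"""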