Add tests for compatible property (2/2)
The feature of compatible property has its own neverallow rules and it
is enforced on devices launching with Android P.
Bug: 72013705
Test: 'run cts -m CtsSecurityHostTestCases' on walleye with
ro.product.first_api_level=28
Change-Id: Ifa121445c37b53ce534ef4fdaf0bc769daba04c6
diff --git a/tools/selinux/SELinuxNeverallowTestFrame.py b/tools/selinux/SELinuxNeverallowTestFrame.py
index 20e1ed4..f27c81d 100644
--- a/tools/selinux/SELinuxNeverallowTestFrame.py
+++ b/tools/selinux/SELinuxNeverallowTestFrame.py
@@ -74,6 +74,10 @@
private boolean isFullTrebleDevice() throws Exception {
return android.security.cts.SELinuxHostTest.isFullTrebleDevice(mDevice);
}
+
+ private boolean isCompatiblePropertyEnforcedDevice() throws Exception {
+ return android.security.cts.SELinuxHostTest.isCompatiblePropertyEnforcedDevice(mDevice);
+ }
"""
src_body = ""
src_footer = """}
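Review bot: The new `isCompatiblePropertyEnforcedDevice()` helper carries no comment saying what it gates, and the name alone does not tell a reader of the generated test when the property rules are enforced; the commit message says the rules apply to devices launching with Android P, so a short Javadoc would help, e.g. `/** True if this device enforces the compatible-property neverallow rules (per the commit, devices launching with Android P). */`. The delegated `SELinuxHostTest.isCompatiblePropertyEnforcedDevice` is not visible in this diff, so the comment should point there for the actual criterion rather than restate it. The Java template string this hunk lives in starts before the hunk.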
@@ -84,11 +88,17 @@
public void testNeverallowRules() throws Exception {
String neverallowRule = "$NEVERALLOW_RULE_HERE$";
boolean fullTrebleOnly = $FULL_TREBLE_ONLY_BOOL_HERE$;
+ boolean compatiblePropertyOnly = $COMPATIBLE_PROPERTY_ONLY_BOOL_HERE$;
if ((fullTrebleOnly) && (!isFullTrebleDevice())) {
// This test applies only to Treble devices but this device isn't one
return;
}
+ if ((compatiblePropertyOnly) && (!isCompatiblePropertyEnforcedDevice())) {
+ // This test applies only to devices on which compatible property is enforced but this
+ // device isn't one
+ return;
+ }
/* run sepolicy-analyze neverallow check on policy file using given neverallow rules */
ProcessBuilder pb = new ProcessBuilder(sepolicyAnalyze.getAbsolutePath(),
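Review bot: The new `compatiblePropertyOnly` gate makes the test pass silently on a device where compatible property is not enforced, so a run on such a device reports success for rules that were never checked; if the host test framework used here offers an assumption mechanism, skipping through it would record the rule as skipped rather than passed (the pre-existing Treble gate has the same shape, so that would apply to both). At minimum the two early returns could be merged so the skip logic lives in one place, e.g. `if ((fullTrebleOnly && !isFullTrebleDevice()) || (compatiblePropertyOnly && !isCompatiblePropertyEnforcedDevice())) { return; }`, with one comment above it naming both conditions. `testNeverallowRules` continues past the end of this hunk.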
diff --git a/tools/selinux/SELinuxNeverallowTestGen.py b/tools/selinux/SELinuxNeverallowTestGen.py
index e74ba78..b4b900e 100755
--- a/tools/selinux/SELinuxNeverallowTestGen.py
+++ b/tools/selinux/SELinuxNeverallowTestGen.py
@@ -10,10 +10,12 @@
class NeverallowRule:
statement = ''
treble_only = False
+ compatible_property_only = False
def __init__(self, statement):
self.statement = statement
self.treble_only = False
+ self.compatible_property_only = False
# extract_neverallow_rules - takes an intermediate policy file and pulls out the
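Review bot: The class-level `compatible_property_only = False` duplicates the assignment in `__init__`, and since `__init__` overwrites it on every instance the class attribute is never read through an instance; it mirrors the existing `treble_only` pair, but the new class-level line could be dropped, keeping only `self.compatible_property_only = False`. Whichever form is kept, a one-line comment on the field, e.g. `# True when the rule came from a BEGIN_/END_COMPATIBLE_PROPERTY_ONLY section`, would tell a reader what sets it and how it is consumed.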
@@ -29,7 +31,7 @@
# uncomment TREBLE_ONLY section delimiter lines
remaining = re.sub(
- r'^\s*#\s*(BEGIN_TREBLE_ONLY|END_TREBLE_ONLY)',
+ r'^\s*#\s*(BEGIN_TREBLE_ONLY|END_TREBLE_ONLY|BEGIN_COMPATIBLE_PROPERTY_ONLY|END_COMPATIBLE_PROPERTY_ONLY)',
r'\1',
policy_str,
flags = re.M)
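Review bot: The four delimiter names are now spelled out twice, in this substitution and again in the `re.findall` pattern of the next hunk, so adding a section type means editing two regexes in lock-step and a typo in one of them silently drops a delimiter; hoist them into one module-level constant, e.g. `SECTION_DELIMITERS = r'BEGIN_TREBLE_ONLY|END_TREBLE_ONLY|BEGIN_COMPATIBLE_PROPERTY_ONLY|END_COMPATIBLE_PROPERTY_ONLY'`, and build both patterns from it (`r'^\s*#\s*(' + SECTION_DELIMITERS + ')'` here). The comment above the substitution still reads `uncomment TREBLE_ONLY section delimiter lines` and should mention the COMPATIBLE_PROPERTY_ONLY delimiters as well. `extract_neverallow_rules` starts before this hunk.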
@@ -37,13 +39,14 @@
remaining = re.sub(r'#.+?$', r'', remaining, flags = re.M)
# match neverallow rules
lines = re.findall(
- r'^\s*(neverallow\s.+?;|BEGIN_TREBLE_ONLY|END_TREBLE_ONLY)',
+ r'^\s*(neverallow\s.+?;|BEGIN_TREBLE_ONLY|END_TREBLE_ONLY|BEGIN_COMPATIBLE_PROPERTY_ONLY|END_COMPATIBLE_PROPERTY_ONLY)',
remaining,
flags = re.M |re.S)
# extract neverallow rules from the remaining lines
rules = list()
treble_only_depth = 0
+ compatible_property_only_depth = 0
for line in lines:
if line.startswith("BEGIN_TREBLE_ONLY"):
treble_only_depth += 1
@@ -53,12 +56,24 @@
exit("ERROR: END_TREBLE_ONLY outside of TREBLE_ONLY section")
treble_only_depth -= 1
continue
+ elif line.startswith("BEGIN_COMPATIBLE_PROPERTY_ONLY"):
+ compatible_property_only_depth += 1
+ continue
+ elif line.startswith("END_COMPATIBLE_PROPERTY_ONLY"):
+ if compatible_property_only_depth < 1:
+ exit("ERROR: END_COMPATIBLE_PROPERTY_ONLY outside of COMPATIBLE_PROPERTY_ONLY section")
+ compatible_property_only_depth -= 1
+ continue
rule = NeverallowRule(line)
rule.treble_only = (treble_only_depth > 0)
+ rule.compatible_property_only = (compatible_property_only_depth > 0)
rules.append(rule)
if treble_only_depth != 0:
exit("ERROR: end of input while inside TREBLE_ONLY section")
+ if compatible_property_only_depth != 0:
+ exit("ERROR: end of input while inside COMPATIBLE_PROPERTY_ONLY section")
+
return rules
# neverallow_rule_to_test - takes a neverallow statement and transforms it into
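Review bot: The new BEGIN_/END_COMPATIBLE_PROPERTY_ONLY branches and the end-of-input check duplicate the TREBLE_ONLY depth tracking line for line, so a third section type would mean a third copy; a dict of depths keyed by section name handles every delimiter with one branch each, and the regex alternation already restricts delimiters to these names so the lookup cannot miss. A rule that sits inside both sections gets both flags, and the generated test then returns early unless both device checks pass, which deserves a comment such as `# a rule inside nested sections inherits every flag; the generated test skips unless all apply`. The new error paths call the builtin `exit`, which is installed by the site module; `sys.exit` (with `import sys` at the top if it is not already there) is the form that is always present, though the pre-existing TREBLE_ONLY branches have the same call. `extract_neverallow_rules` starts before this hunk, and the rewrite below also replaces the two `*_depth = 0` initialisations that sit in the previous hunk.
```python
    rules = list()
    # nesting depth per section type; a rule inherits the flag of every
    # section it is inside, and the generated test skips unless all apply
    depth = {"TREBLE_ONLY": 0, "COMPATIBLE_PROPERTY_ONLY": 0}
    for line in lines:
        if line.startswith("BEGIN_"):
            depth[line[len("BEGIN_"):]] += 1
            continue
        elif line.startswith("END_"):
            section = line[len("END_"):]
            if depth[section] < 1:
                exit("ERROR: END_" + section + " outside of " + section + " section")
            depth[section] -= 1
            continue
        rule = NeverallowRule(line)
        rule.treble_only = (depth["TREBLE_ONLY"] > 0)
        rule.compatible_property_only = (depth["COMPATIBLE_PROPERTY_ONLY"] > 0)
        rules.append(rule)
    for section, remaining_depth in depth.items():
        if remaining_depth != 0:
            exit("ERROR: end of input while inside " + section + " section")
    return rules
```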
@@ -73,6 +88,9 @@
method = method.replace(
"$FULL_TREBLE_ONLY_BOOL_HERE$",
"true" if rule.treble_only else "false")
+ method = method.replace(
+ "$COMPATIBLE_PROPERTY_ONLY_BOOL_HERE$",
+ "true" if rule.compatible_property_only else "false")
return method
if __name__ == "__main__":