Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / cts / b34ae0b2998aa3ac14034b2a8e48b6d4e94f7605^! / . / tools / selinux / SELinuxNeverallowTestGen.py
commitb34ae0b2998aa3ac14034b2a8e48b6d4e94f7605[log] [tgz]
authordcashman <dcashman@google.com>Fri Oct 24 16:16:30 2014 -0700
committerdcashman <dcashman@google.com>Tue Nov 25 09:40:41 2014 -0800
treea6d3536655419cdd0f5aa9b8379fb46721d95970
parent83a66c288f2665166724ab0b1a7fb3f89810fecb [diff] [blame]
Split SELinux neverallow rules test.

The current neverallow rules test component of the security host tests is
responsible for validating all of the security assertions present as part of
the neverallow rules present, but it offers an all-or-nothing result. Given
the number and scope of those rules, finer granularity is desired.  This CL
dynamically produces a java source file at build-time which has split each
neverallow rule into its own test.

Bug: 18005561

Change-Id: Ib3b454766419532de69f1726bd03215d35d6d495

diff --git a/tools/selinux/SELinuxNeverallowTestGen.py b/tools/selinux/SELinuxNeverallowTestGen.py
new file mode 100755
index 0000000..9cb1e24
--- /dev/null
+++ b/tools/selinux/SELinuxNeverallowTestGen.py

@@ -0,0 +1,53 @@
+#!/usr/bin/python
+
+import re
+import sys
+import SELinuxNeverallowTestFrame
+
+usage = "Usage: ./gen_SELinux_CTS_neverallows.py <input policy file> <output cts java source>"
+
+# extract_neverallow_rules - takes an intermediate policy file and pulls out the
+# neverallow rules by taking all of the non-commented text between the 'neverallow'
+# keyword and a terminating ';'
+# returns: a list of strings representing these rules
+def extract_neverallow_rules(policy_file):
+    with open(policy_file, 'r') as in_file:
+        policy_str = in_file.read()
+        # remove comments
+        no_comments = re.sub(r'#.+?$', r'', policy_str, flags = re.M)
+        # match neverallow rules
+        return re.findall(r'(^neverallow\s.+?;)', no_comments, flags = re.M |re.S);
+
+# neverallow_rule_to_test - takes a neverallow statement and transforms it into
+# the output necessary to form a cts unit test in a java source file.
+# returns: a string representing a generic test method based on this rule.
+def neverallow_rule_to_test(neverallow_rule, test_num):
+    squashed_neverallow = neverallow_rule.replace("\n", " ")
+    method  = SELinuxNeverallowTestFrame.src_method
+    method = method.replace("testNeverallowRules()",
+        "testNeverallowRules" + str(test_num) + "()")
+    return method.replace("$NEVERALLOW_RULE_HERE$", squashed_neverallow)
+
+if __name__ == "__main__":
+    # check usage
+    if len(sys.argv) != 3:
+        print usage
+        exit()
+    input_file = sys.argv[1]
+    output_file = sys.argv[2]
+
+    src_header = SELinuxNeverallowTestFrame.src_header
+    src_body = SELinuxNeverallowTestFrame.src_body
+    src_footer = SELinuxNeverallowTestFrame.src_footer
+
+    # grab the neverallow rules from the policy file and transform into tests
+    neverallow_rules = extract_neverallow_rules(input_file)
+    i = 0
+    for rule in neverallow_rules:
+        src_body += neverallow_rule_to_test(rule, i)
+        i += 1
+
+    with open(output_file, 'w') as out_file:
+        out_file.write(src_header)
+        out_file.write(src_body)
+        out_file.write(src_footer)