SELinuxNeverallowTestFrame: account for split sepolicy.

If sepolicy is *not* split across different partitions, the test checks
neverallow rules against the monolithic device sepolicy.

If sepolicy *is* split, the test can check the system sepolicy when
applicable.

Bug: 70045465
Test: cts-tradefed run commandAndExit cts --skip-all-system-status-check
--primary-abi-only --skip-preconditions -m CtsSecurityHostTestCases
-t android.cts.security.SELinuxNeverallowRulesTest
walleye results unchanged.
bullhead (which has PRODUCT_SEPOLICY_SPLIT=false) has 36 failures (was 746)
Change-Id: I15ec25b50237c9471233998cb86a97ef77892cae
diff --git a/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java b/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
index fbba092..2052e8f 100644
--- a/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
+++ b/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
@@ -151,7 +151,7 @@
         sepolicyAnalyze.setExecutable(true);
 
         devicePolicyFile = getDevicePolicyFile(mDevice);
-        if (mDevice.doesFileExist("/system/etc/selinux/plat_file_contexts")) {
+        if (isSepolicySplit(mDevice)) {
             devicePlatFcFile = getDeviceFile(mDevice, cachedDevicePlatFcFiles,
                     "/system/etc/selinux/plat_file_contexts", "plat_file_contexts");
             if (mDevice.doesFileExist("/vendor/etc/selinux/nonplat_file_contexts")){
@@ -219,9 +219,7 @@
         File systemSepolicyCilFile = File.createTempFile("plat_sepolicy", ".cil");
         systemSepolicyCilFile.deleteOnExit();
 
-        if (!device.pullFile("/system/etc/selinux/plat_sepolicy.cil", systemSepolicyCilFile)) {
-            device.pullFile("/plat_sepolicy.cil", systemSepolicyCilFile);
-        }
+        assertTrue(device.pullFile("/system/etc/selinux/plat_sepolicy.cil", systemSepolicyCilFile));
 
         ProcessBuilder pb = new ProcessBuilder(
             secilc.getAbsolutePath(),
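Review bot: The new assertTrue on the pull of /system/etc/selinux/plat_sepolicy.cil carries no message, so a failure surfaces as a bare AssertionError with nothing naming the file; `assertTrue("Failed to pull /system/etc/selinux/plat_sepolicy.cil", device.pullFile("/system/etc/selinux/plat_sepolicy.cil", systemSepolicyCilFile));` would make the failure self-explanatory. Dropping the fallback to /plat_sepolicy.cil also means any caller that still reaches this method on a non-split device now fails the assertion instead of using the root copy; the test frame now guards its call with isSepolicySplit(), but other callers of this method are not visible in the hunk, so it is worth confirming they are guarded the same way. The enclosing method starts and ends outside the hunk.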
@@ -404,6 +402,16 @@
         return PropertyUtil.getFirstApiLevel(device) > 27;
     }
 
+    // NOTE: cts/tools/selinux depends on this method. Rename/change with caution.
+    /**
+     * Returns {@code true} if this device has sepolicy split across different paritions.
+     * This is possible even for devices launched at api level higher than 26.
+     */
+    public static boolean isSepolicySplit(ITestDevice device)
+            throws DeviceNotAvailableException {
+        return device.doesFileExist("/system/etc/selinux/plat_file_contexts");
+    }
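Review bot: The Javadoc on isSepolicySplit misspells "partitions" and its second sentence is ambiguous about what "This is possible" refers to, a split or a non-split policy. Suggest `* Returns {@code true} if this device has sepolicy split across different partitions.` followed by a sentence that says explicitly which case can occur on devices launched above API level 26, plus `* @throws DeviceNotAvailableException if the device cannot be queried` since the method declares it. It would also help to state that the existence of /system/etc/selinux/plat_file_contexts is the proxy used for "split", as that is the same path setUp tested before this change, so a future reader knows what the check actually observes.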
+
     /**
      * Asserts that no vendor domains are exempted from the prohibition on Binder use.
      *
diff --git a/tools/selinux/SELinuxNeverallowTestFrame.py b/tools/selinux/SELinuxNeverallowTestFrame.py
index 3607e57..20f953f 100644
--- a/tools/selinux/SELinuxNeverallowTestFrame.py
+++ b/tools/selinux/SELinuxNeverallowTestFrame.py
@@ -72,13 +72,16 @@
         sepolicyAnalyze.setExecutable(true);
 
         devicePolicyFile = android.security.cts.SELinuxHostTest.getDevicePolicyFile(mDevice);
-        deviceSystemPolicyFile =
-                android.security.cts.SELinuxHostTest.getDeviceSystemPolicyFile(mDevice);
 
-        // Caching this variable to save time.
-        if (mVendorSepolicyVersion == -1) {
-            mVendorSepolicyVersion =
-                    android.security.cts.SELinuxHostTest.getVendorSepolicyVersion(mDevice);
+        if (isSepolicySplit()) {
+            deviceSystemPolicyFile =
+                    android.security.cts.SELinuxHostTest.getDeviceSystemPolicyFile(mDevice);
+
+            // Caching this variable to save time.
+            if (mVendorSepolicyVersion == -1) {
+                mVendorSepolicyVersion =
+                        android.security.cts.SELinuxHostTest.getVendorSepolicyVersion(mDevice);
+            }
         }
     }
 
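Review bot: isSepolicySplit() in the generated setUp issues a device file-existence query on every test invocation, and the same query is repeated in the test body in the hunk ending at L106, while the adjacent mVendorSepolicyVersion value is explicitly cached to avoid such per-test cost. A field in the same style as mVendorSepolicyVersion, e.g. `private Boolean mSepolicySplit = null;` set once in setUp and read by the test body, would keep it to one round-trip. The wrapper added in the hunk ending at L91 would then be the place to populate and return that cache. The template's setUp begins before this hunk.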
@@ -89,6 +92,10 @@
     private boolean isCompatiblePropertyEnforcedDevice() throws Exception {
         return android.security.cts.SELinuxHostTest.isCompatiblePropertyEnforcedDevice(mDevice);
     }
+
+    private boolean isSepolicySplit() throws Exception {
+        return android.security.cts.SELinuxHostTest.isSepolicySplit(mDevice);
+    }
 """
 src_body = ""
 src_footer = """}
@@ -111,9 +118,10 @@
             return;
         }
 
-        // If vendor sepolicy version is behind platform's, only test against platform policy.
+        // If sepolicy is split and vendor sepolicy version is behind platform's,
+        // only test against platform policy.
         File policyFile =
-                (mVendorSepolicyVersion < P_SEPOLICY_VERSION) ?
+                (isSepolicySplit() && mVendorSepolicyVersion < P_SEPOLICY_VERSION) ?
                 deviceSystemPolicyFile :
                 devicePolicyFile;