SELinuxNeverallowTestFrame: account for split sepolicy.
If sepolicy is *not* split across different partitions, the test checks
neverallow rules against the monolithic device sepolicy.
If sepolicy *is* split, the test checks the system sepolicy instead, where
applicable.
Bug: 70045465
Test: cts-tradefed run commandAndExit cts --skip-all-system-status-check
--primary-abi-only --skip-preconditions -m CtsSecurityHostTestCases
-t android.cts.security.SELinuxNeverallowRulesTest
walleye results unchanged.
bullhead (which has PRODUCT_SEPOLICY_SPLIT=false) has 36 failures (was 746)
Change-Id: I15ec25b50237c9471233998cb86a97ef77892cae
diff --git a/tools/selinux/SELinuxNeverallowTestFrame.py b/tools/selinux/SELinuxNeverallowTestFrame.py
index 3607e57..20f953f 100644
--- a/tools/selinux/SELinuxNeverallowTestFrame.py
+++ b/tools/selinux/SELinuxNeverallowTestFrame.py
@@ -72,13 +72,16 @@
sepolicyAnalyze.setExecutable(true);
devicePolicyFile = android.security.cts.SELinuxHostTest.getDevicePolicyFile(mDevice);
- deviceSystemPolicyFile =
- android.security.cts.SELinuxHostTest.getDeviceSystemPolicyFile(mDevice);
- // Caching this variable to save time.
- if (mVendorSepolicyVersion == -1) {
- mVendorSepolicyVersion =
- android.security.cts.SELinuxHostTest.getVendorSepolicyVersion(mDevice);
+ if (isSepolicySplit()) {
+ deviceSystemPolicyFile =
+ android.security.cts.SELinuxHostTest.getDeviceSystemPolicyFile(mDevice);
+
+ // Caching this variable to save time.
+ if (mVendorSepolicyVersion == -1) {
+ mVendorSepolicyVersion =
+ android.security.cts.SELinuxHostTest.getVendorSepolicyVersion(mDevice);
+ }
}
}
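Review bot: The new `isSepolicySplit()` call on the first added line is repeated on every setUp and again in the policy-selection expression in the hunk at -111,9, while the vendor-version lookup right next to it is explicitly cached "to save time"; the split flag presumably costs a device query as well, so caching it in a field (initialised once, the same way as mVendorSepolicyVersion) would keep the two lookups consistent. On a non-split device this branch also leaves deviceSystemPolicyFile unassigned, so it keeps whatever value the field had before; a comment on the `if (isSepolicySplit())` line such as `// deviceSystemPolicyFile and mVendorSepolicyVersion are only meaningful on split-sepolicy devices; every reader must guard with isSepolicySplit()` would make that contract explicit. The enclosing method starts outside the hunk, so the field declarations and any earlier initialisation are not visible here.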
@@ -89,6 +92,10 @@
private boolean isCompatiblePropertyEnforcedDevice() throws Exception {
return android.security.cts.SELinuxHostTest.isCompatiblePropertyEnforcedDevice(mDevice);
}
+
+ private boolean isSepolicySplit() throws Exception {
+ return android.security.cts.SELinuxHostTest.isSepolicySplit(mDevice);
+ }
"""
src_body = ""
src_footer = """}
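Review bot: The new `isSepolicySplit()` helper carries no doc comment, and since it now decides which policy file the whole test frame analyses, a one-line Javadoc would help, e.g. `/** Returns whether the device's sepolicy is split across partitions (PRODUCT_SEPOLICY_SPLIT) rather than monolithic. */`. The helper only delegates to SELinuxHostTest.isSepolicySplit, which is outside this file, so I cannot confirm from the hunk whether it is cheap enough to call per test.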
@@ -111,9 +118,10 @@
return;
}
- // If vendor sepolicy version is behind platform's, only test against platform policy.
+ // If sepolicy is split and vendor sepolicy version is behind platform's,
+ // only test against platform policy.
File policyFile =
- (mVendorSepolicyVersion < P_SEPOLICY_VERSION) ?
+ (isSepolicySplit() && mVendorSepolicyVersion < P_SEPOLICY_VERSION) ?
deviceSystemPolicyFile :
devicePolicyFile;