move selinux tools to cts/tools/selinux

CTS shouldn't be depending on packages/experimental. Move
all the SELinux scripts/code from that directory to CTS
proper.

Bug: 17301255
Bug: 17593625
Change-Id: If43efc6aab803d1089adc03bafe8621955778730
diff --git a/tools/selinux/src/gen_SELinux_CTS.py b/tools/selinux/src/gen_SELinux_CTS.py
new file mode 100755
index 0000000..85d49a8
--- /dev/null
+++ b/tools/selinux/src/gen_SELinux_CTS.py
@@ -0,0 +1,58 @@
+#!/usr/bin/python
+# genCheckAccessCTS.py - takes an input SELinux policy.conf file and generates
+# an XML file based on the allow and neverallow rules.  The file contains rules,
+# which are created by expanding the SELinux rule notation into the individual
+# components which a checkAccess() check, that a policy manager would have to
+# perform, needs.
+#
+# This test does not work with all valid SELinux policy.conf files.  It is meant
+# to simply use a given AOSP generated policy.conf file to create sets
+# representing the policy's types, attributes, classes and permissions, which
+# are used to expand the allow and neverallow rules found.  For a full parser
+# and compiler of SELinux, see external/checkpolicy.
+# @dcashman
+
+import pdb
+import re
+import sys
+from xml.etree.ElementTree import Element, SubElement, tostring
+from xml.dom import minidom
+
+import SELinux_CTS
+from SELinux_CTS import SELinuxPolicy
+
+usage = "Usage: ./gen_SELinux_CTS.py input_policy_file output_xml_avc_rules_file neverallow_only=[t/f]"
+
+if __name__ == "__main__":
+    # check usage
+    if len(sys.argv) != 4:
+        print usage
+        exit()
+    input_file = sys.argv[1]
+    output_file = sys.argv[2]
+    neverallow_only = (sys.argv[3] == "neverallow_only=t")
+    policy = SELinuxPolicy()
+    policy.from_file_name(input_file) #load data from file
+
+    # expand rules into 4-tuples for SELinux.h checkAccess() check
+    xml_root = Element('SELinux_AVC_Rules')
+    if not neverallow_only:
+        count = 1
+        for a in policy.allow_rules:
+            expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(policy, a, str(count), 'allow')
+            if len(expanded_xml):
+                xml_root.append(expanded_xml)
+                count += 1
+    count = 1
+    for n in policy.neverallow_rules:
+        expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(policy, n, str(count), 'neverallow')
+        if len(expanded_xml):
+            xml_root.append(expanded_xml)
+            count += 1
+
+    #print out the xml file
+    s = tostring(xml_root)
+    s_parsed = minidom.parseString(s)
+    output = s_parsed.toprettyxml(indent="    ")
+    with open(output_file, 'w') as out_file:
+        out_file.write(output)
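Review bot: The third argument is parsed as `neverallow_only = (sys.argv[3] == "neverallow_only=t")`, so any other spelling (a constructed example: `neverallow_only=true`) silently selects the full allow-plus-neverallow output, and the wrong-argument-count path calls `exit()` with status 0, which a calling build step would read as success. Suggest rejecting unknown values and failing non-zero: `if len(sys.argv) != 4 or sys.argv[3] not in ("neverallow_only=t", "neverallow_only=f"): sys.exit(usage)`. In both loops a rule whose `len(expanded_xml)` is 0 is dropped without any message; since the header says the parser does not handle every valid policy.conf, a neverallow rule that fails to expand would presumably disappear from the generated CTS input unnoticed, so a count of skipped rules written to stderr would make that gap visible. `import pdb` appears unused in this file, and the header comment still names `genCheckAccessCTS.py` rather than `gen_SELinux_CTS.py`.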