Fail SELinux neverallows when unknown type/attribute
This modifies SELinuxNeverallowRulesTest so that it fails when a
neverallow rule references a type or attribute which is not present in
the SELinux policy of the device under test.
Previous behavior was to pass such neverallow tests, which meant that
the corresponding neverallow rules were not enforced.
Test: make cts && \
cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check \
--abi arm64-v8a --module CtsSecurityHostTestCases \
-t android.cts.security.SELinuxNeverallowRulesTest
succeeds on sailfish-user, and fails with system/sepolicy
5edd96d915ef98dc92f21bd303bca5ee82b0f54a and
b87876937b8ed73063fd44800beb86f3dd7079be reverted -- the
failures are about attributes referenced in neverallow rules
missing in on-device SELinux policy.
Bug: 37357742
Change-Id: Ia2fb78d5d3b1aa792c45a445566a6b477b7ecefa
diff --git a/tools/selinux/SELinuxNeverallowTestFrame.py b/tools/selinux/SELinuxNeverallowTestFrame.py
index 7e9c304..f84f2ec 100644
--- a/tools/selinux/SELinuxNeverallowTestFrame.py
+++ b/tools/selinux/SELinuxNeverallowTestFrame.py
@@ -95,7 +95,7 @@
/* run sepolicy-analyze neverallow check on policy file using given neverallow rules */
ProcessBuilder pb = new ProcessBuilder(sepolicyAnalyze.getAbsolutePath(),
- devicePolicyFile.getAbsolutePath(), "neverallow", "-n",
+ devicePolicyFile.getAbsolutePath(), "neverallow", "-w", "-n",
neverallowRule);
pb.redirectOutput(ProcessBuilder.Redirect.PIPE);
pb.redirectErrorStream(true);
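Review bot: the comment on the line above the ProcessBuilder call ("run sepolicy-analyze neverallow check on policy file using given neverallow rules") still describes only the original invocation; with "-w" now inserted before "-n", it should also state what the commit message documents, namely that a neverallow rule referencing a type or attribute absent from the device policy is meant to fail the test rather than pass silently. Also, since stderr is merged into the piped stdout via pb.redirectErrorStream(true), whatever sepolicy-analyze emits for such a missing type or attribute lands in the same captured stream as the regular neverallow output; it is worth confirming that the code consuming that pipe treats this case as a failure with a readable message naming the missing type or attribute, so the failures described in the commit message ("attributes referenced in neverallow rules missing in on-device SELinux policy") are diagnosable from the test output alone.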