dcashman9b615752015-01-07 14:23:11 -08001#!/usr/bin/env python
dcashmanb34ae0b2014-10-24 16:16:30 -07002
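# Java source emitted at the top of the generated SELinuxNeverallowRulesTest
# class: licence header, package, imports, fields, setBuild/setDevice, setUp and
# the isFullTrebleDevice helper.  The class body is deliberately left open; it
# is closed by src_footer.
#
# setUp() resolves the host-side sepolicy-analyze binary from the build and
# pulls the running device's binary policy (/sys/fs/selinux/policy) into a temp
# file.  The pull result is asserted, so a failed transfer is reported as a
# setup failure instead of handing an empty policy file to sepolicy-analyze.
src_header = """/*
 * Copyright (C) 2014 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.cts.security;

import android.platform.test.annotations.RestrictedBuildTest;
import com.android.compatibility.common.tradefed.build.CompatibilityBuildHelper;
import com.android.tradefed.build.IBuildInfo;
import com.android.tradefed.device.ITestDevice;
import com.android.tradefed.testtype.DeviceTestCase;
import com.android.tradefed.testtype.IBuildReceiver;
import com.android.tradefed.testtype.IDeviceTest;

import java.io.BufferedReader;
import java.io.File;
import java.io.InputStream;
import java.io.InputStreamReader;

/**
 * Neverallow Rules SELinux tests.
 */
public class SELinuxNeverallowRulesTest extends DeviceTestCase implements IBuildReceiver, IDeviceTest {
    private File sepolicyAnalyze;
    private File devicePolicyFile;

    private IBuildInfo mBuild;

    /**
     * A reference to the device under test.
     */
    private ITestDevice mDevice;

    /**
     * {@inheritDoc}
     */
    @Override
    public void setBuild(IBuildInfo build) {
        mBuild = build;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public void setDevice(ITestDevice device) {
        super.setDevice(device);
        mDevice = device;
    }
    @Override
    protected void setUp() throws Exception {
        super.setUp();
        CompatibilityBuildHelper buildHelper = new CompatibilityBuildHelper(mBuild);
        sepolicyAnalyze = buildHelper.getTestFile("sepolicy-analyze");
        sepolicyAnalyze.setExecutable(true);

        /* obtain sepolicy file from running device */
        devicePolicyFile = File.createTempFile("sepolicy", ".tmp");
        devicePolicyFile.deleteOnExit();
        /* a failed pull must stop the test here rather than leave an empty policy file */
        assertTrue("Failed to pull /sys/fs/selinux/policy from the device under test",
                mDevice.pullFile("/sys/fs/selinux/policy", devicePolicyFile));
    }

    private boolean isFullTrebleDevice() throws Exception {
        return android.security.cts.SELinuxHostTest.isFullTrebleDevice(mDevice);
    }
"""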
# Starts out empty; presumably the generated test methods are accumulated here
# by code outside this excerpt -- TODO confirm against the generator.
src_body = ""

# Single closing brace plus newline: ends the class that src_header leaves open.
src_footer = "}\n"
84
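# Java template for one neverallow test method.  Two placeholders are replaced
# by code outside this excerpt:
#   $NEVERALLOW_RULE_HERE$       - the rule text, placed inside a Java string
#                                  literal, so the substitution has to escape
#                                  quotes, backslashes and newlines
#   $FULL_TREBLE_ONLY_BOOL_HERE$ - a Java boolean literal
# The rule reaches sepolicy-analyze as a single ProcessBuilder argument; no
# shell is involved.
#
# The generated method drains the tool's merged stdout/stderr before calling
# waitFor(), so a large violation report cannot fill the pipe and block the
# child.  It then fails closed: any output, or a non-zero exit status with no
# output, fails the test.
src_method = """
    @RestrictedBuildTest
    public void testNeverallowRules() throws Exception {
        String neverallowRule = "$NEVERALLOW_RULE_HERE$";
        boolean fullTrebleOnly = $FULL_TREBLE_ONLY_BOOL_HERE$;

        if ((fullTrebleOnly) && (!isFullTrebleDevice())) {
            // This test applies only to Treble devices but this device isn't one
            return;
        }

        /* run sepolicy-analyze neverallow check on policy file using given neverallow rules */
        ProcessBuilder pb = new ProcessBuilder(sepolicyAnalyze.getAbsolutePath(),
                devicePolicyFile.getAbsolutePath(), "neverallow", "-w", "-n",
                neverallowRule);
        pb.redirectOutput(ProcessBuilder.Redirect.PIPE);
        pb.redirectErrorStream(true);
        Process p = pb.start();

        /* read all output first; waiting before reading can hang once the pipe is full */
        StringBuilder errorString = new StringBuilder();
        BufferedReader result = new BufferedReader(new InputStreamReader(p.getInputStream()));
        try {
            String line;
            while ((line = result.readLine()) != null) {
                errorString.append(line);
                errorString.append("\\n");
            }
        } finally {
            result.close();
        }
        int exitCode = p.waitFor();

        assertTrue("The following errors were encountered when validating the SELinux "
                   + "neverallow rule:\\n" + neverallowRule + "\\n" + errorString,
                   errorString.length() == 0);
        /* an abnormal exit that printed nothing must not be counted as a pass */
        assertEquals("sepolicy-analyze exited with a non-zero status while checking the "
                   + "neverallow rule:\\n" + neverallowRule + "\\n", 0, exitCode);
    }
"""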