1*e4a36f41SAndroid Build Coastguard Worker# Copyright 2023 The Android Open Source Project
2*e4a36f41SAndroid Build Coastguard Worker#
3*e4a36f41SAndroid Build Coastguard Worker# Licensed under the Apache License, Version 2.0 (the "License");
4*e4a36f41SAndroid Build Coastguard Worker# you may not use this file except in compliance with the License.
5*e4a36f41SAndroid Build Coastguard Worker# You may obtain a copy of the License at
6*e4a36f41SAndroid Build Coastguard Worker#
7*e4a36f41SAndroid Build Coastguard Worker#     http://www.apache.org/licenses/LICENSE-2.0
8*e4a36f41SAndroid Build Coastguard Worker#
9*e4a36f41SAndroid Build Coastguard Worker# Unless required by applicable law or agreed to in writing, software
10*e4a36f41SAndroid Build Coastguard Worker# distributed under the License is distributed on an "AS IS" BASIS,
11*e4a36f41SAndroid Build Coastguard Worker# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12*e4a36f41SAndroid Build Coastguard Worker# See the License for the specific language governing permissions and
13*e4a36f41SAndroid Build Coastguard Worker# limitations under the License.
14*e4a36f41SAndroid Build Coastguard Worker"""Tests for apex_sepolicy_tests"""
15*e4a36f41SAndroid Build Coastguard Worker
16*e4a36f41SAndroid Build Coastguard Workerimport re
17*e4a36f41SAndroid Build Coastguard Workerimport shutil
18*e4a36f41SAndroid Build Coastguard Workerimport tempfile
19*e4a36f41SAndroid Build Coastguard Workerimport unittest
20*e4a36f41SAndroid Build Coastguard Worker
21*e4a36f41SAndroid Build Coastguard Workerimport apex_sepolicy_tests as apex
22*e4a36f41SAndroid Build Coastguard Workerimport policy
23*e4a36f41SAndroid Build Coastguard Worker
24*e4a36f41SAndroid Build Coastguard Worker
25*e4a36f41SAndroid Build Coastguard Worker# pylint: disable=missing-docstring
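class ApexSepolicyTests(unittest.TestCase):
    """Exercise ``apex.check_line`` against the bundled precompiled sepolicy.

    Every test feeds one file_contexts line (``<path> <label>``) to
    ``apex.check_line`` together with ``apex.all_rules`` and asserts either
    that no error is reported (``assert_ok``) or that at least one reported
    error matches a regular expression (``assert_error``).  The error texts
    matched here ("can't read", "can't search", "is unknown", ...) are
    produced by the checker, not by this file.
    """

    # ``temp_dir`` and ``_pol`` are set once in setUpClass(); the policy is
    # exposed to tests through the ``pol`` property below.

    @classmethod
    def setUpClass(cls) -> None:
        """Extract the test data once and load the policy shared by all tests.

        unittest skips tearDownClass() when setUpClass() raises, so the
        temporary directory is removed here on failure instead of leaking.
        """
        cls.temp_dir = tempfile.mkdtemp()
        try:
            lib_path = apex.extract_data(apex.LIBSEPOLWRAP, cls.temp_dir)
            policy_path = apex.extract_data('precompiled_sepolicy', cls.temp_dir)
            # NOTE(review): the second argument is None as in the original;
            # its meaning is defined by policy.Policy — confirm there.
            cls._pol = policy.Policy(policy_path, None, lib_path)
        except BaseException:
            # Best-effort cleanup; the original exception is what matters.
            shutil.rmtree(cls.temp_dir, ignore_errors=True)
            raise

    @classmethod
    def tearDownClass(cls) -> None:
        """Remove the directory created by setUpClass()."""
        shutil.rmtree(cls.temp_dir)

    # helpers

    @property
    def pol(self):
        """The policy.Policy loaded once in setUpClass().

        Stored under ``_pol`` so that assigning it does not replace this
        property on the class.
        """
        return self.__class__._pol

    def assert_ok(self, line: str) -> None:
        """Assert that check_line reports no errors for *line*."""
        errors = apex.check_line(self.pol, line, apex.all_rules)
        self.assertEqual(errors, [], "Should be no errors")

    def assert_error(self, line: str, expected_error: str) -> None:
        """Assert that some error reported for *line* matches *expected_error*.

        *expected_error* is a regular expression searched (not anchored)
        against each error string; on no match the test fails and lists
        every error that was reported.
        """
        pattern = re.compile(expected_error)
        errors = apex.check_line(self.pol, line, apex.all_rules)
        if not any(pattern.search(err) for err in errors):
            self.fail(f"Expected error '{expected_error}' is not found in {errors}")

    # tests

    def test_parse_lines(self) -> None:
        """Comments and blank lines pass; malformed labels are rejected.

        A label without a type:level pair, or with a missing level, must be
        reported as an invalid file_contexts entry.
        """
        self.assert_ok('# commented line')
        self.assert_ok('') # empty line
        self.assert_error('./path1 invalid_contexts',
                          r'Error: invalid file_contexts: .*')
        self.assert_error('./path1 u:object_r:vendor_file',
                          r'Error: invalid file_contexts: .*')
        self.assert_ok('./path1 u:object_r:vendor_file:s0')

    def test_vintf(self) -> None:
        """A VINTF fragment is accepted as vendor_configs_file, not vendor_file."""
        self.assert_ok('./etc/vintf/fragment.xml u:object_r:vendor_configs_file:s0')
        self.assert_error('./etc/vintf/fragment.xml u:object_r:vendor_file:s0',
                          r'Error: \./etc/vintf/fragment\.xml: .* can\'t read')

    def test_permissions(self) -> None:
        """A permissions XML is accepted as vendor_configs_file, not vendor_file."""
        self.assert_ok('./etc/permissions/permisssion.xml u:object_r:vendor_configs_file:s0')
        self.assert_error('./etc/permissions/permisssion.xml u:object_r:vendor_file:s0',
                          r'Error: \./etc/permissions/permisssion.xml: .* can\'t read')

    def test_initscripts(self) -> None:
        """Init scripts must carry a label the checker accepts for reading.

        Files with an unrecognised extension are not treated as init scripts
        and therefore produce no error regardless of label.
        """
        # here, netd_service is chosen arbitrarily as an invalid label for a file

        # init reads .rc file
        self.assert_ok('./etc/init.rc u:object_r:vendor_file:s0')
        self.assert_error('./etc/init.rc u:object_r:netd_service:s0',
                          r'Error: .* can\'t read')
        # init reads .#rc file
        self.assert_ok('./etc/init.32rc u:object_r:vendor_file:s0')
        self.assert_error('./etc/init.32rc u:object_r:netd_service:s0',
                          r'Error: .* can\'t read')
        # init skips file with unknown extension => no errors
        self.assert_ok('./etc/init.x32rc u:object_r:vendor_file:s0')
        self.assert_ok('./etc/init.x32rc u:object_r:netd_service:s0')

    def test_linkerconfig(self) -> None:
        """linker.config.pb is readable as system_file or linkerconfig_file.

        vendor_file is rejected for the file itself, and labelling the APEX
        root ``./`` as apex_data_file is rejected with a "can't search" error.
        """
        self.assert_ok('./etc/linker.config.pb u:object_r:system_file:s0')
        self.assert_ok('./etc/linker.config.pb u:object_r:linkerconfig_file:s0')
        self.assert_error('./etc/linker.config.pb u:object_r:vendor_file:s0',
                        r'Error: .*linkerconfig.* can\'t read')
        self.assert_error('./ u:object_r:apex_data_file:s0',
                        r'Error: .*linkerconfig.* can\'t search')

    def test_unknown_label(self) -> None:
        """A type that does not exist in the policy is reported as unknown."""
        self.assert_error('./bin/hw/foo u:object_r:foo_exec:s0',
                        r'Error: \./bin/hw/foo: tcontext\(foo_exec\) is unknown')

    def test_binaries(self) -> None:
        """Executables under ./bin may be init_exec but not vendor_file."""
        self.assert_ok('./bin/init u:object_r:init_exec:s0')
        self.assert_ok('./bin/hw/svc u:object_r:init_exec:s0')
        self.assert_error('./bin/hw/svc u:object_r:vendor_file:s0',
                          r"Error: .*svc: can\'t be labelled as \'vendor_file\'")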
110*e4a36f41SAndroid Build Coastguard Worker
if __name__ == "__main__":
    # Direct invocation: run the suite and print each test name (verbosity=2).
    unittest.main(verbosity=2)