# Copyright 2023 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
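"""Tests for apex_sepolicy_tests"""

import re
import shutil
import tempfile
import unittest

import apex_sepolicy_tests as apex
import policy


# pylint: disable=missing-docstring
class ApexSepolicyTests(unittest.TestCase):
    """Exercises apex.check_line against the precompiled sepolicy.

    One Policy object is built per class (extracting libsepolwrap and the
    precompiled policy is comparatively expensive) and shared by every test
    through the ``pol`` property. Each test feeds a single file_contexts line
    through ``apex.all_rules`` and checks either that no error is reported or
    that an error matching a given regex is reported.
    """

    @classmethod
    def setUpClass(cls) -> None:
        """Extract libsepolwrap and the precompiled policy into a temp dir.

        Raises:
            Whatever apex.extract_data or policy.Policy raises. The temp dir is
            removed here in that case, because unittest skips tearDownClass
            when setUpClass itself fails, which would otherwise leak it.
        """
        cls.temp_dir = tempfile.mkdtemp()
        try:
            lib_path = apex.extract_data(apex.LIBSEPOLWRAP, cls.temp_dir)
            policy_path = apex.extract_data('precompiled_sepolicy', cls.temp_dir)
            # Stored as _pol, not pol: assigning cls.pol here would replace the
            # pol property object on the class.
            cls._pol = policy.Policy(policy_path, None, lib_path)
        except BaseException:
            shutil.rmtree(cls.temp_dir, ignore_errors=True)
            raise

    @classmethod
    def tearDownClass(cls) -> None:
        """Remove the temp dir created by setUpClass."""
        shutil.rmtree(cls.temp_dir)

    # helpers

    @property
    def pol(self) -> policy.Policy:
        """The Policy shared by all tests; set up once in setUpClass."""
        return self._pol

    def assert_ok(self, line: str) -> None:
        """Assert that *line* passes every rule in apex.all_rules."""
        errors = apex.check_line(self.pol, line, apex.all_rules)
        self.assertEqual(errors, [], "Should be no errors")

    def assert_error(self, line: str, expected_error: str) -> None:
        """Assert that some error reported for *line* matches *expected_error*.

        *expected_error* is a regex and is matched with re.search, so it may
        match anywhere inside an error message. Fails listing every error that
        was actually reported, to make a mismatch easy to diagnose.
        """
        pattern = re.compile(expected_error)
        errors = apex.check_line(self.pol, line, apex.all_rules)
        if not any(pattern.search(err) for err in errors):
            self.fail(f"Expected error '{expected_error}' is not found in {errors}")

    # tests

    def test_parse_lines(self):
        """Comments and blank lines are accepted; a context must be complete."""
        self.assert_ok('# commented line')
        self.assert_ok('')  # empty line
        # A bare word and a context missing its sensitivity level are both
        # rejected as malformed before any rule is evaluated.
        self.assert_error('./path1 invalid_contexts',
                          r'Error: invalid file_contexts: .*')
        self.assert_error('./path1 u:object_r:vendor_file',
                          r'Error: invalid file_contexts: .*')
        self.assert_ok('./path1 u:object_r:vendor_file:s0')

    def test_vintf(self):
        """VINTF fragments must carry a label the consumer can read."""
        self.assert_ok('./etc/vintf/fragment.xml u:object_r:vendor_configs_file:s0')
        self.assert_error('./etc/vintf/fragment.xml u:object_r:vendor_file:s0',
                          r'Error: \./etc/vintf/fragment\.xml: .* can\'t read')

    def test_permissions(self):
        """Permission XML files must carry a label the consumer can read."""
        self.assert_ok('./etc/permissions/permisssion.xml u:object_r:vendor_configs_file:s0')
        self.assert_error('./etc/permissions/permisssion.xml u:object_r:vendor_file:s0',
                          r'Error: \./etc/permissions/permisssion.xml: .* can\'t read')

    def test_initscripts(self):
        """init must be able to read .rc and .<digits>rc files; others are skipped."""
        # here, netd_service is chosen randomly for invalid label for a file

        # init reads .rc file
        self.assert_ok('./etc/init.rc u:object_r:vendor_file:s0')
        self.assert_error('./etc/init.rc u:object_r:netd_service:s0',
                          r'Error: .* can\'t read')
        # init reads .#rc file
        self.assert_ok('./etc/init.32rc u:object_r:vendor_file:s0')
        self.assert_error('./etc/init.32rc u:object_r:netd_service:s0',
                          r'Error: .* can\'t read')
        # init skips file with unknown extension => no errors
        self.assert_ok('./etc/init.x32rc u:object_r:vendor_file:s0')
        self.assert_ok('./etc/init.x32rc u:object_r:netd_service:s0')

    def test_linkerconfig(self):
        """linker.config.pb and the APEX root must be reachable by linkerconfig."""
        self.assert_ok('./etc/linker.config.pb u:object_r:system_file:s0')
        self.assert_ok('./etc/linker.config.pb u:object_r:linkerconfig_file:s0')
        self.assert_error('./etc/linker.config.pb u:object_r:vendor_file:s0',
                          r'Error: .*linkerconfig.* can\'t read')
        # The root directory itself must be searchable, not just the file.
        self.assert_error('./ u:object_r:apex_data_file:s0',
                          r'Error: .*linkerconfig.* can\'t search')

    def test_unknown_label(self):
        """A type that does not exist in the policy is reported as unknown."""
        self.assert_error('./bin/hw/foo u:object_r:foo_exec:s0',
                          r'Error: \./bin/hw/foo: tcontext\(foo_exec\) is unknown')

    def test_binaries(self):
        """Binaries under bin/ may not be labelled vendor_file."""
        self.assert_ok('./bin/init u:object_r:init_exec:s0')
        self.assert_ok('./bin/hw/svc u:object_r:init_exec:s0')
        self.assert_error('./bin/hw/svc u:object_r:vendor_file:s0',
                          r"Error: .*svc: can\'t be labelled as \'vendor_file\'")


if __name__ == '__main__':
    unittest.main(verbosity=2)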