upload android base code part4

2018-08-08 17:00:29 +08:00 · 2018-08-08 17:00:29 +08:00 · 78ea2404cd
commit 78ea2404cd
parent b9e30e05b1
23455 changed files with 5250148 additions and 0 deletions
--- a/android/cts/tools/selinux/SELinuxNeverallowTestFrame.py
+++ b/android/cts/tools/selinux/SELinuxNeverallowTestFrame.py
@ -0,0 +1,112 @@
+#!/usr/bin/env python
+
+src_header = """/*
+ * Copyright (C) 2014 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.cts.security;
+
+import android.platform.test.annotations.RestrictedBuildTest;
+import com.android.compatibility.common.tradefed.build.CompatibilityBuildHelper;
+import com.android.tradefed.build.IBuildInfo;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceTestCase;
+import com.android.tradefed.testtype.IBuildReceiver;
+import com.android.tradefed.testtype.IDeviceTest;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+
+/**
+ * Neverallow Rules SELinux tests.
+ */
+public class SELinuxNeverallowRulesTest extends DeviceTestCase implements IBuildReceiver, IDeviceTest {
+    private File sepolicyAnalyze;
+    private File devicePolicyFile;
+
+    private IBuildInfo mBuild;
+
+    /**
+     * A reference to the device under test.
+     */
+    private ITestDevice mDevice;
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public void setBuild(IBuildInfo build) {
+        mBuild = build;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public void setDevice(ITestDevice device) {
+        super.setDevice(device);
+        mDevice = device;
+    }
+    @Override
+    protected void setUp() throws Exception {
+        super.setUp();
+        CompatibilityBuildHelper buildHelper = new CompatibilityBuildHelper(mBuild);
+        sepolicyAnalyze = buildHelper.getTestFile("sepolicy-analyze");
+        sepolicyAnalyze.setExecutable(true);
+
+        devicePolicyFile = android.security.cts.SELinuxHostTest.getDevicePolicyFile(mDevice);
+    }
+
+    private boolean isFullTrebleDevice() throws Exception {
+        return android.security.cts.SELinuxHostTest.isFullTrebleDevice(mDevice);
+    }
+"""
+src_body = ""
+src_footer = """}
+"""
+
+src_method = """
+    @RestrictedBuildTest
+    public void testNeverallowRules() throws Exception {
+        String neverallowRule = "$NEVERALLOW_RULE_HERE$";
+        boolean fullTrebleOnly = $FULL_TREBLE_ONLY_BOOL_HERE$;
+
+        if ((fullTrebleOnly) && (!isFullTrebleDevice())) {
+            // This test applies only to Treble devices but this device isn't one
+            return;
+        }
+
+        /* run sepolicy-analyze neverallow check on policy file using given neverallow rules */
+        ProcessBuilder pb = new ProcessBuilder(sepolicyAnalyze.getAbsolutePath(),
+                devicePolicyFile.getAbsolutePath(), "neverallow", "-w", "-n",
+                neverallowRule);
+        pb.redirectOutput(ProcessBuilder.Redirect.PIPE);
+        pb.redirectErrorStream(true);
+        Process p = pb.start();
+        p.waitFor();
+        BufferedReader result = new BufferedReader(new InputStreamReader(p.getInputStream()));
+        String line;
+        StringBuilder errorString = new StringBuilder();
+        while ((line = result.readLine()) != null) {
+            errorString.append(line);
+            errorString.append("\\n");
+        }
+        assertTrue("The following errors were encountered when validating the SELinux"
+                   + "neverallow rule:\\n" + neverallowRule + "\\n" + errorString,
+                   errorString.length() == 0);
+    }
+"""
--- a/android/cts/tools/selinux/SELinuxNeverallowTestGen.py
+++ b/android/cts/tools/selinux/SELinuxNeverallowTestGen.py
@ -0,0 +1,100 @@
+#!/usr/bin/env python
+
+import re
+import sys
+import SELinuxNeverallowTestFrame
+
+usage = "Usage: ./SELinuxNeverallowTestGen.py <input policy file> <output cts java source>"
+
+
+class NeverallowRule:
+    statement = ''
+    treble_only = False
+
+    def __init__(self, statement):
+        self.statement = statement
+        self.treble_only = False
+
+
+# extract_neverallow_rules - takes an intermediate policy file and pulls out the
+# neverallow rules by taking all of the non-commented text between the 'neverallow'
+# keyword and a terminating ';'
+# returns: a list of rules
+def extract_neverallow_rules(policy_file):
+    with open(policy_file, 'r') as in_file:
+        policy_str = in_file.read()
+
+        # full-Treble only tests are inside sections delimited by BEGIN_TREBLE_ONLY
+        # and END_TREBLE_ONLY comments.
+
+        # uncomment TREBLE_ONLY section delimiter lines
+        remaining = re.sub(
+            r'^\s*#\s*(BEGIN_TREBLE_ONLY|END_TREBLE_ONLY)',
+            r'\1',
+            policy_str,
+            flags = re.M)
+        # remove comments
+        remaining = re.sub(r'#.+?$', r'', remaining, flags = re.M)
+        # match neverallow rules
+        lines = re.findall(
+            r'^\s*(neverallow\s.+?;|BEGIN_TREBLE_ONLY|END_TREBLE_ONLY)',
+            remaining,
+            flags = re.M |re.S)
+
+        # extract neverallow rules from the remaining lines
+        rules = list()
+        treble_only_depth = 0
+        for line in lines:
+            if line.startswith("BEGIN_TREBLE_ONLY"):
+                treble_only_depth += 1
+                continue
+            elif line.startswith("END_TREBLE_ONLY"):
+                if treble_only_depth < 1:
+                    exit("ERROR: END_TREBLE_ONLY outside of TREBLE_ONLY section")
+                treble_only_depth -= 1
+                continue
+            rule = NeverallowRule(line)
+            rule.treble_only = (treble_only_depth > 0)
+            rules.append(rule)
+
+        if treble_only_depth != 0:
+            exit("ERROR: end of input while inside TREBLE_ONLY section")
+        return rules
+
+# neverallow_rule_to_test - takes a neverallow statement and transforms it into
+# the output necessary to form a cts unit test in a java source file.
+# returns: a string representing a generic test method based on this rule.
+def neverallow_rule_to_test(rule, test_num):
+    squashed_neverallow = rule.statement.replace("\n", " ")
+    method  = SELinuxNeverallowTestFrame.src_method
+    method = method.replace("testNeverallowRules()",
+        "testNeverallowRules" + str(test_num) + "()")
+    method = method.replace("$NEVERALLOW_RULE_HERE$", squashed_neverallow)
+    method = method.replace(
+        "$FULL_TREBLE_ONLY_BOOL_HERE$",
+        "true" if rule.treble_only else "false")
+    return method
+
+if __name__ == "__main__":
+    # check usage
+    if len(sys.argv) != 3:
+        print usage
+        exit(1)
+    input_file = sys.argv[1]
+    output_file = sys.argv[2]
+
+    src_header = SELinuxNeverallowTestFrame.src_header
+    src_body = SELinuxNeverallowTestFrame.src_body
+    src_footer = SELinuxNeverallowTestFrame.src_footer
+
+    # grab the neverallow rules from the policy file and transform into tests
+    neverallow_rules = extract_neverallow_rules(input_file)
+    i = 0
+    for rule in neverallow_rules:
+        src_body += neverallow_rule_to_test(rule, i)
+        i += 1
+
+    with open(output_file, 'w') as out_file:
+        out_file.write(src_header)
+        out_file.write(src_body)
+        out_file.write(src_footer)