tests/sepolicy_tests.py

# Copyright 2021 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

from optparse import OptionParser
from optparse import Option, OptionValueError
import os
import pkgutil
import policy
import re
import shutil
import sys
import tempfile

SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'

#############################################################
# Tests
#############################################################
def TestDataTypeViolations(pol):
return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")

def TestSystemTypeViolations(pol):
partitions = ["/system/", "/system_ext/", "/product/"]
exceptions = [
# devices before treble don't have a vendor partition
"/system/vendor/",

# overlay files are mounted over vendor
"/product/overlay/",
"/product/vendor_overlay/",
"/system/overlay/",
"/system/product/overlay/",
"/system/product/vendor_overlay/",
"/system/system_ext/overlay/",
"/system_ext/overlay/",

# adb_keys_file hasn't been a system_file_type
"/product/etc/security/adb_keys",
"/system/product/etc/security/adb_keys",
]

return pol.AssertPathTypesHaveAttr(partitions, exceptions, "system_file_type")

def TestBpffsTypeViolations(pol):
return pol.AssertGenfsFilesystemTypesHaveAttr("bpf", "bpffs_type")

def TestProcTypeViolations(pol):
return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")

def TestSysfsTypeViolations(pol):
ret = pol.AssertGenfsFilesystemTypesHaveAttr("sysfs", "sysfs_type")
ret += pol.AssertPathTypesHaveAttr(["/sys/"], ["/sys/kernel/debug/",
"/sys/kernel/tracing"], "sysfs_type")
return ret

def TestDebugfsTypeViolations(pol):
ret = pol.AssertGenfsFilesystemTypesHaveAttr("debugfs", "debugfs_type")
ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
"/sys/kernel/tracing"], [], "debugfs_type")
return ret

def TestTracefsTypeViolations(pol):
ret = pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "tracefs_type")
ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/tracing"], [], "tracefs_type")
ret += pol.AssertPathTypesDoNotHaveAttr(["/sys/kernel/debug"],
["/sys/kernel/debug/tracing"], "tracefs_type",
[])
return ret

def TestVendorTypeViolations(pol):
partitions = ["/vendor/", "/odm/"]
exceptions = [
"/vendor/etc/selinux/",
"/vendor/odm/etc/selinux/",
"/odm/etc/selinux/",
]
return pol.AssertPathTypesHaveAttr(partitions, exceptions, "vendor_file_type")

def TestCoreDataTypeViolations(pol):
ret = pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
"/data/vendor_ce", "/data/vendor_de"], "core_data_file_type")
ret += pol.AssertPathTypesDoNotHaveAttr(["/data/vendor/", "/data/vendor_ce/",
"/data/vendor_de/"], [], "core_data_file_type")
return ret

def TestPropertyTypeViolations(pol):
return pol.AssertPropertyOwnersAreExclusive()

def TestAppDataTypeViolations(pol):
# Types with the app_data_file_type should only be used for app data files
# (/data/data/package.name etc) via seapp_contexts, and never applied
# explicitly to other files.
partitions = [
"/data/",
"/vendor/",
"/odm/",
"/product/",
]
exceptions = [
# These are used for app data files for the corresponding user and
# assorted other files.
# TODO(b/172812577): Use different types for the different purposes
"shell_data_file",
"bluetooth_data_file",
"nfc_data_file",
"radio_data_file",
]
return pol.AssertPathTypesDoNotHaveAttr(partitions, [], "app_data_file_type",
exceptions)
def TestDmaHeapDevTypeViolations(pol):
return pol.AssertPathTypesHaveAttr(["/dev/dma_heap/"], [],
"dmabuf_heap_device_type")

def TestCoredomainViolations(test_policy):
# verify that all domains launched from /system have the coredomain
# attribute
ret = ""

for d in test_policy.alldomains:
domain = test_policy.alldomains[d]
if domain.fromSystem and domain.fromVendor:
ret += "The following domain is system and vendor: " + d + "\n"

for domain in test_policy.alldomains.values():
ret += domain.error

violators = []
for d in test_policy.alldomains:
domain = test_policy.alldomains[d]
if domain.fromSystem and "coredomain" not in domain.attributes:
violators.append(d);
if len(violators) > 0:
ret += "The following domain(s) must be associated with the "
ret += "\"coredomain\" attribute because they are executed off of "
ret += "/system:\n"
ret += " ".join(str(x) for x in sorted(violators)) + "\n"

# verify that all domains launched form /vendor do not have the coredomain
# attribute
violators = []
for d in test_policy.alldomains:
domain = test_policy.alldomains[d]
if domain.fromVendor and "coredomain" in domain.attributes:
violators.append(d)
if len(violators) > 0:
ret += "The following domains must not be associated with the "
ret += "\"coredomain\" attribute because they are executed off of "
ret += "/vendor or /system/vendor:\n"
ret += " ".join(str(x) for x in sorted(violators)) + "\n"

return ret

def TestViolatorAttribute(test_policy, attribute):
# TODO(b/113124961): re-enable once all violator attributes are removed.
return ""

# ret = ""
# return ret

# violators = test_policy.DomainsWithAttribute(attribute)
# if len(violators) > 0:
# ret += "SELinux: The following domains violate the Treble ban "
# ret += "against use of the " + attribute + " attribute: "
# ret += " ".join(str(x) for x in sorted(violators)) + "\n"
# return ret

def TestViolatorAttributes(test_policy):
ret = ""
ret += TestViolatorAttribute(test_policy, "socket_between_core_and_vendor_violators")
ret += TestViolatorAttribute(test_policy, "vendor_executes_system_violators")
return ret

def TestIsolatedAttributeConsistency(test_policy):
permissionAllowList = {
# access given from technical_debt.cil
"codec2_config_prop" : ["file"],
"device_config_nnapi_native_prop":["file"],
"gpu_device": ["dir"],
"hal_allocator_default":["binder", "fd"],
"hal_codec2": ["binder", "fd"],
"hal_codec2_hwservice":["hwservice_manager"],
"hal_graphics_allocator": ["binder", "fd"],
"hal_graphics_allocator_service":["service_manager"],
"hal_graphics_allocator_hwservice":["hwservice_manager"],
"hal_graphics_allocator_server":["binder", "service_manager"],
"hal_graphics_mapper_hwservice":["hwservice_manager"],
"hal_graphics_mapper_service":["service_manager"],
"hal_neuralnetworks": ["binder", "fd"],
"hal_neuralnetworks_service": ["service_manager"],
"hal_neuralnetworks_hwservice":["hwservice_manager"],
"hal_omx_hwservice":["hwservice_manager"],
"hidl_allocator_hwservice":["hwservice_manager"],
"hidl_manager_hwservice":["hwservice_manager"],
"hidl_memory_hwservice":["hwservice_manager"],
"hidl_token_hwservice":["hwservice_manager"],
"hwservicemanager":["binder"],
"hwservicemanager_prop":["file"],
"mediacodec":["binder", "fd"],
"mediaswcodec":["binder", "fd"],
"media_variant_prop":["file"],
"nnapi_ext_deny_product_prop":["file"],
"servicemanager":["fd"],
"sysfs_gpu": ["file"],
"toolbox_exec": ["file"],
# extra types being granted to isolated_compute_app
"isolated_compute_allowed":["service_manager", "chr_file"],
}

def resolveHalServerSubtype(target):
# permission given as a client in technical_debt.cil
hal_server_attributes = [
"hal_codec2_server",
"hal_graphics_allocator_server",
"hal_neuralnetworks_server"]

for attr in hal_server_attributes:
if target in test_policy.pol.QueryTypeAttribute(Type=attr, IsAttr=True):
return attr.rsplit("_", 1)[0]
return target

def checkIsolatedComputeAllowed(tctx, tclass):
# check if the permission is in isolated_compute_allowed
allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_service", IsAttr=True) \
.union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_device", IsAttr=True))
return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]

def checkPermissions(permissions):
violated_permissions = []
for perm in permissions:
tctx, tclass, p = perm.split(":")
tctx = resolveHalServerSubtype(tctx)
# check unwanted permissions
if not checkIsolatedComputeAllowed(tctx, tclass) and \
( tctx not in permissionAllowList \
or tclass not in permissionAllowList[tctx] \
or ( p == "write") \
or ( p == "rw_file_perms") ):
violated_permissions += [perm]
return violated_permissions

ret = ""

isolatedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_app_all", IsAttr=True)
baseRules = test_policy.pol.QueryExpandedTERule(scontext=["isolated_app"])
basePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
for rule in baseRules for perm in rule.perms])
for subType in isolatedMemberTypes:
if subType == "isolated_app" : continue
currentTypeRule = test_policy.pol.QueryExpandedTERule(scontext=[subType])
typePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
for rule in currentTypeRule for perm in rule.perms
if not rule.tctx in [subType, subType + "_userfaultfd"]])
deltaPermissionSet = typePermissionSet.difference(basePermissionSet)
violated_permissions = checkPermissions(list(deltaPermissionSet))
for perm in violated_permissions:
ret += "allow %s %s:%s %s \n" % (subType, *perm.split(":"))

if ret:
ret = ("Found prohibited permission granted for isolated like types. " + \
"Please replace your allow statements that involve \"-isolated_app\" with " + \
"\"-isolated_app_all\". Violations are shown as the following: \n") + ret
return ret

def TestDevTypeViolations(pol):
exceptions = [
"/dev/socket",
]
exceptionTypes = [
"boringssl_self_test_marker", # /dev/boringssl/selftest
"cgroup_rc_file", # /dev/cgroup.rc
"dev_cpu_variant", # /dev/cpu_variant:{arch}
"fscklogs", # /dev/fscklogs
"properties_serial", # /dev/__properties__/properties_serial
"property_info", # /dev/__properties__/property_info
"runtime_event_log_tags_file", # /dev/event-log-tags
]
return pol.AssertPathTypesHaveAttr(["/dev"], exceptions,
"dev_type", exceptionTypes)

###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
# specified.
#
class MultipleOption(Option):
ACTIONS = Option.ACTIONS + ("extend",)
STORE_ACTIONS = Option.STORE_ACTIONS + ("extend",)
TYPED_ACTIONS = Option.TYPED_ACTIONS + ("extend",)
ALWAYS_TYPED_ACTIONS = Option.ALWAYS_TYPED_ACTIONS + ("extend",)

def take_action(self, action, dest, opt, value, values, parser):
if action == "extend":
values.ensure_value(dest, []).append(value)
else:
Option.take_action(self, action, dest, opt, value, values, parser)

TEST_NAMES = [ name for name in dir() if name.startswith('Test') ]

def do_main(libpath):
"""
Args:
libpath: string, path to libsepolwrap.so
"""
usage = "sepolicy_tests -f vendor_file_contexts -f "
usage +="plat_file_contexts -p policy [--test test] [--help]"
parser = OptionParser(option_class=MultipleOption, usage=usage)
parser.add_option("-f", "--file_contexts", dest="file_contexts",
metavar="FILE", action="extend", type="string")
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
parser.add_option("-t", "--test", dest="test", action="extend",
help="Test options include "+str(TEST_NAMES))

(options, args) = parser.parse_args()

if not options.policy:
sys.exit("Must specify monolithic policy file\n" + parser.usage)
if not os.path.exists(options.policy):
sys.exit("Error: policy file " + options.policy + " does not exist\n"
+ parser.usage)

if not options.file_contexts:
sys.exit("Error: Must specify file_contexts file(s)\n" + parser.usage)
for f in options.file_contexts:
if not os.path.exists(f):
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
parser.usage)

pol = policy.Policy(options.policy, options.file_contexts, libpath)
test_policy = policy.TestPolicy()
test_policy.setup(pol)

results = ""
# If an individual test is not specified, run all tests.
if options.test is None or "TestBpffsTypeViolations" in options.test:
results += TestBpffsTypeViolations(pol)
if options.test is None or "TestDataTypeViolations" in options.test:
results += TestDataTypeViolations(pol)
if options.test is None or "TestProcTypeViolations" in options.test:
results += TestProcTypeViolations(pol)
if options.test is None or "TestSysfsTypeViolations" in options.test:
results += TestSysfsTypeViolations(pol)
if options.test is None or "TestSystemTypeViolations" in options.test:
results += TestSystemTypeViolations(pol)
if options.test is None or "TestDebugfsTypeViolations" in options.test:
results += TestDebugfsTypeViolations(pol)
if options.test is None or "TestTracefsTypeViolations" in options.test:
results += TestTracefsTypeViolations(pol)
if options.test is None or "TestVendorTypeViolations" in options.test:
results += TestVendorTypeViolations(pol)
if options.test is None or "TestCoreDataTypeViolations" in options.test:
results += TestCoreDataTypeViolations(pol)
if options.test is None or "TestPropertyTypeViolations" in options.test:
results += TestPropertyTypeViolations(pol)
if options.test is None or "TestAppDataTypeViolations" in options.test:
results += TestAppDataTypeViolations(pol)
if options.test is None or "TestDmaHeapDevTypeViolations" in options.test:
results += TestDmaHeapDevTypeViolations(pol)
if options.test is None or "TestCoredomainViolations" in options.test:
results += TestCoredomainViolations(test_policy)
if options.test is None or "TestViolatorAttributes" in options.test:
results += TestViolatorAttributes(test_policy)
if options.test is None or "TestIsolatedAttributeConsistency" in options.test:
results += TestIsolatedAttributeConsistency(test_policy)

# dev type test won't be run as default
if options.test and "TestDevTypeViolations" in options.test:
results += TestDevTypeViolations(pol)

if len(results) > 0:
sys.exit(results)

if __name__ == '__main__':
temp_dir = tempfile.mkdtemp()
try:
libname = "libsepolwrap" + SHARED_LIB_EXTENSION
libpath = os.path.join(temp_dir, libname)
with open(libpath, "wb") as f:
blob = pkgutil.get_data("sepolicy_tests", libname)
if not blob:
sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
f.write(blob)
do_main(libpath)
finally:
shutil.rmtree(temp_dir)