"""Attribute-consistency checks over a compiled SELinux policy.

Each Test* function asks the policy wrapper (policy.Policy) to assert that
the types labelling a set of paths (from the file_contexts files) or a genfs
filesystem carry a given attribute, and returns the wrapper's text report.
The driver at the bottom of the file concatenates the reports and exits
non-zero when anything was reported, so an empty return means "no findings".
"""
from optparse import OptionParser
from optparse import Option, OptionValueError
import os
import policy
import re
import sys

#############################################################
# Tests
#############################################################
def TestDataTypeViolations(pol):
    """Types labelling paths under /data/ must have the data_file_type attribute."""
    return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")

def TestSystemTypeViolations(pol):
    """Types labelling the system-side partitions must have system_file_type.

    Vendor-owned content that is mounted or overlaid under these prefixes
    is excluded, since it is labelled with vendor types by design.
    """
    system_side = ["/system/", "/system_ext/", "/product/"]
    skip = [
        # devices before treble don't have a vendor partition
        "/system/vendor/",

        # overlay files are mounted over vendor
        "/product/overlay/",
        "/product/vendor_overlay/",
        "/system/overlay/",
        "/system/product/overlay/",
        "/system/product/vendor_overlay/",
        "/system/system_ext/overlay/",
        "/system_ext/overlay/",
    ]

    return pol.AssertPathTypesHaveAttr(system_side, skip, "system_file_type")

def TestProcTypeViolations(pol):
    """Types used in genfscon entries for proc must have proc_type."""
    return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")

def TestSysfsTypeViolations(pol):
    """Types used for sysfs genfscon entries and /sys/ paths must have sysfs_type.

    The debugfs/tracefs mount points under /sys/kernel/ are skipped here;
    TestDebugfsTypeViolations checks those with debugfs_type instead.
    """
    debug_mounts = ["/sys/kernel/debug/", "/sys/kernel/tracing"]
    return "".join([
        pol.AssertGenfsFilesystemTypesHaveAttr("sysfs", "sysfs_type"),
        pol.AssertPathTypesHaveAttr(["/sys/"], debug_mounts, "sysfs_type"),
    ])

def TestDebugfsTypeViolations(pol):
    """Types for debugfs/tracefs genfscon entries and their mount points must have debugfs_type."""
    debug_mounts = ["/sys/kernel/debug/", "/sys/kernel/tracing"]
    return "".join([
        pol.AssertGenfsFilesystemTypesHaveAttr("debugfs", "debugfs_type"),
        pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "debugfs_type"),
        pol.AssertPathTypesHaveAttr(debug_mounts, [], "debugfs_type"),
    ])

def TestVendorTypeViolations(pol):
    """Types labelling /vendor/ and /odm/ must have vendor_file_type.

    The SELinux policy directories themselves are excluded from the check.
    """
    vendor_side = ["/vendor/", "/odm/"]
    skip = [
        "/vendor/etc/selinux/",
        "/vendor/odm/etc/selinux/",
        "/odm/etc/selinux/",
    ]
    return pol.AssertPathTypesHaveAttr(vendor_side, skip, "vendor_file_type")

def TestCoreDataTypeViolations(pol):
    """Types labelling /data/ must have core_data_file_type, except vendor data dirs."""
    vendor_data = ["/data/vendor", "/data/vendor_ce", "/data/vendor_de"]
    return pol.AssertPathTypesHaveAttr(["/data/"], vendor_data,
                                       "core_data_file_type")

def TestPropertyTypeViolations(pol):
    """Every property must be owned by exactly one of the property owners."""
    return pol.AssertPropertyOwnersAreExclusive()

def TestAppDataTypeViolations(pol):
    """No path on these partitions may be explicitly labelled with an app_data_file_type type.

    Such types are meant to be assigned to app data files
    (/data/data/package.name etc) through seapp_contexts only, never
    directly in file_contexts.
    """
    checked = [
        "/data/",
        "/vendor/",
        "/odm/",
        "/product/",
    ]
    # Types that are allowed despite carrying the attribute: they are used
    # for app data files of the corresponding user and assorted other files.
    # TODO(b/172812577): Use different types for the different purposes
    allowed_types = [
        "shell_data_file",
        "bluetooth_data_file",
        "nfc_data_file",
        "radio_data_file",
    ]
    return pol.AssertPathTypesDoNotHaveAttr(checked, [], "app_data_file_type",
                                            allowed_types)

def TestDmaHeapDevTypeViolations(pol):
    """Types labelling /dev/dma_heap/ must have dmabuf_heap_device_type."""
    return pol.AssertPathTypesHaveAttr(["/dev/dma_heap/"], [],
                                       "dmabuf_heap_device_type")



###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
# specified.
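class MultipleOption(Option):
    """optparse Option subclass adding an "extend" action.

    Every occurrence of an option declared with action="extend" appends its
    value to a list stored under dest, so the same flag (-f, -t) can be
    repeated on the command line. "extend" is registered as a stored, typed
    and always-typed action so optparse consumes a value for it, like it does
    for "append".
    """
    ACTIONS = Option.ACTIONS + ("extend",)
    STORE_ACTIONS = Option.STORE_ACTIONS + ("extend",)
    TYPED_ACTIONS = Option.TYPED_ACTIONS + ("extend",)
    ALWAYS_TYPED_ACTIONS = Option.ALWAYS_TYPED_ACTIONS + ("extend",)

    def take_action(self, action, dest, opt, value, values, parser):
        if action == "extend":
            # Create the list on first use, then accumulate.
            values.ensure_value(dest, []).append(value)
        else:
            Option.take_action(self, action, dest, opt, value, values, parser)


# Names of the tests this driver knows about, in the order they run. Each
# entry is the name of a function defined above. This list is the single
# source of truth for -t validation, the --help text and the run order, so a
# name here must match its function exactly (the old list carried the
# misspellings "TestDataTypeViolators"/"TestSystemTypeViolators", which could
# never be selected with -t).
Tests = [
    "TestDataTypeViolations",
    "TestProcTypeViolations",
    "TestSysfsTypeViolations",
    "TestSystemTypeViolations",
    "TestDebugfsTypeViolations",
    "TestVendorTypeViolations",
    "TestCoreDataTypeViolations",
    "TestPropertyTypeViolations",
    "TestAppDataTypeViolations",
    "TestDmaHeapDevTypeViolations",
]


def build_parser():
    """Build the command line parser.

    -f and -t may be given several times; MultipleOption collects their
    values into lists. -p and -l take a single path each.
    """
    usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
    usage += "-f vendor_file_contexts -f "
    usage += "plat_file_contexts -p policy [--test test] [--help]"
    parser = OptionParser(option_class=MultipleOption, usage=usage)
    parser.add_option("-f", "--file_contexts", dest="file_contexts",
                      metavar="FILE", action="extend", type="string")
    parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
    parser.add_option("-l", "--library-path", dest="libpath", metavar="FILE")
    parser.add_option("-t", "--test", dest="test", action="extend",
                      help="Test options include " + str(Tests))
    return parser


def select_tests(requested):
    """Work out which tests to run from the collected -t values.

    requested is the list built from -t, or None when the flag was not given
    (meaning: run everything). Returns (to_run, unknown): to_run holds the
    requested names in Tests order with duplicates dropped; unknown holds,
    sorted, the requested names that are not in Tests. Callers must treat a
    non-empty unknown as an error: silently ignoring a misspelled test name
    makes the run report success without having checked anything.
    """
    if requested is None:
        return list(Tests), []
    wanted = set(requested)
    to_run = [name for name in Tests if name in wanted]
    return to_run, sorted(wanted.difference(Tests))


if __name__ == '__main__':
    parser = build_parser()
    (options, args) = parser.parse_args()

    if not options.libpath:
        sys.exit("Must specify path to libsepolwrap library\n" + parser.usage)
    if not os.path.exists(options.libpath):
        sys.exit("Error: library-path " + options.libpath + " does not exist\n"
                 + parser.usage)

    if not options.policy:
        sys.exit("Must specify monolithic policy file\n" + parser.usage)
    if not os.path.exists(options.policy):
        sys.exit("Error: policy file " + options.policy + " does not exist\n"
                 + parser.usage)

    if not options.file_contexts:
        sys.exit("Error: Must specify file_contexts file(s)\n" + parser.usage)
    for f in options.file_contexts:
        if not os.path.exists(f):
            sys.exit("Error: File_contexts file " + f + " does not exist\n" +
                     parser.usage)

    # Reject unknown test names before doing any work. Previously a
    # misspelled -t value matched no test, ran nothing and exited 0, which is
    # indistinguishable from a clean policy.
    to_run, unknown = select_tests(options.test)
    if unknown:
        sys.exit("Error: unknown test(s) " + ", ".join(unknown) +
                 "; valid tests are " + str(Tests) + "\n" + parser.usage)

    pol = policy.Policy(options.policy, options.file_contexts, options.libpath)

    # Each name in Tests resolves to the module-level function of the same
    # name. A name with no function is a programming error and raises here
    # rather than being skipped.
    results = "".join(globals()[name](pol) for name in to_run)

    # Any output from a test is a violation report: print it and fail.
    if len(results) > 0:
        sys.exit(results)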