tests/apex_sepolicy_tests.py - platform/system/sepolicy - Git at Google

 #!/usr/bin/env python3
 #
 # Copyright 2023 The Android Open Source Project
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 """ A tool to test APEX file_contexts

 Usage:
     $ deapexer list -Z foo.apex > /tmp/fc
     $ apex_sepolicy_tests -f /tmp/fc
 """


 import argparse
 import os
 import pathlib
 import pkgutil
 import re
 import sys
 import tempfile
 from dataclasses import dataclass
 from typing import List

 import policy


 SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
 LIBSEPOLWRAP = "libsepolwrap" + SHARED_LIB_EXTENSION


 @dataclass
 class Is:
     """Exact matcher for a path."""
     path: str


 @dataclass
 class Glob:
     """Path matcher with pathlib.PurePath.match"""
     pattern: str


 @dataclass
 class Regex:
     """Path matcher with re.match"""
     pattern: str


 Matcher = Is | Glob | Regex

 @dataclass
 class AllowRead:
     """Rule checking if scontext can read the entity"""
     tclass: str
     scontext: set[str]


 Rule = AllowRead


 def match_path(path: str, matcher: Matcher) -> bool:
     """True if path matches with the given matcher"""
     match matcher:
         case Is(target):
             return path == target
         case Glob(pattern):
             return pathlib.PurePath(path).match(pattern)
         case Regex(pattern):
             return re.match(pattern, path)


 def check_rule(pol, path: str, tcontext: str, rule: Rule) -> List[str]:
     """Returns error message if scontext can't read the target"""
     match rule:
         case AllowRead(tclass, scontext):
             te_rules = list(pol.QueryTERule(scontext=scontext,
                                             tcontext={tcontext},
                                             tclass={tclass},
                                             perms={'read'}))
             if len(te_rules) > 0:
                 return []  # no errors

             return [f"Error: {path}: {scontext} can't read. (tcontext={tcontext})"]


 rules = [
     # permissions
     (Is('./etc/permissions/'), AllowRead('dir', {'system_server'})),
     (Glob('./etc/permissions/*.xml'), AllowRead('file', {'system_server'})),
     # init scripts with optional SDK version (e.g. foo.rc, foo.32rc)
     (Regex('\./etc/.*\.\d*rc'), AllowRead('file', {'init'})),
     # vintf fragments
     (Is('./etc/vintf/'), AllowRead('dir', {'servicemanager', 'apexd'})),
     (Glob('./etc/vintf/*.xml'), AllowRead('file', {'servicemanager', 'apexd'})),
     # ./ and apex_manifest.pb
     (Is('./apex_manifest.pb'), AllowRead('file', {'linkerconfig', 'apexd'})),
     (Is('./'), AllowRead('dir', {'linkerconfig', 'apexd'})),
 ]


 def check_line(pol: policy.Policy, line: str) -> List[str]:
     """Parses a file_contexts line and runs checks"""
     # skip empty/comment line
     line = line.strip()
     if line == '' or line[0] == '#':
         return []

     # parse
     split = line.split()
     if len(split) != 2:
         return [f"Error: invalid file_contexts: {line}"]
     path, context = split[0], split[1]
     if len(context.split(':')) != 4:
         return [f"Error: invalid file_contexts: {line}"]
     tcontext = context.split(':')[2]

     # check rules
     errors = []
     for matcher, rule in rules:
         if match_path(path, matcher):
             errors.extend(check_rule(pol, path, tcontext, rule))
     return errors


 def extract_data(name, temp_dir):
     out_path = os.path.join(temp_dir, name)
     with open(out_path, 'wb') as f:
         blob = pkgutil.get_data('apex_sepolicy_tests', name)
         if not blob:
             sys.exit(f"Error: {name} does not exist. Is this binary corrupted?\n")
         f.write(blob)
     return out_path


 def do_main(work_dir):
     """Do testing"""
     parser = argparse.ArgumentParser()
     parser.add_argument('-f', '--file_contexts', help='output of "deapexer list -Z"')
     args = parser.parse_args()

     lib_path = extract_data(LIBSEPOLWRAP, work_dir)
     policy_path = extract_data('precompiled_sepolicy', work_dir)
     pol = policy.Policy(policy_path, None, lib_path)

     errors = []
     with open(args.file_contexts, 'rt', encoding='utf-8') as file_contexts:
         for line in file_contexts:
             errors.extend(check_line(pol, line))
     if len(errors) > 0:
         sys.exit('\n'.join(errors))


 if __name__ == '__main__':
     with tempfile.TemporaryDirectory() as temp_dir:
         do_main(temp_dir)
	#!/usr/bin/env python3
	#
	# Copyright 2023 The Android Open Source Project
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	""" A tool to test APEX file_contexts

	Usage:
	$ deapexer list -Z foo.apex > /tmp/fc
	$ apex_sepolicy_tests -f /tmp/fc
	"""


	import argparse
	import os
	import pathlib
	import pkgutil
	import re
	import sys
	import tempfile
	from dataclasses import dataclass
	from typing import List

	import policy


	SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
	LIBSEPOLWRAP = "libsepolwrap" + SHARED_LIB_EXTENSION


	@dataclass
	class Is:
	"""Exact matcher for a path."""
	path: str


	@dataclass
	class Glob:
	"""Path matcher with pathlib.PurePath.match"""
	pattern: str


	@dataclass
	class Regex:
	"""Path matcher with re.match"""
	pattern: str


	Matcher = Is \| Glob \| Regex

	@dataclass
	class AllowRead:
	"""Rule checking if scontext can read the entity"""
	tclass: str
	scontext: set[str]


	Rule = AllowRead


	def match_path(path: str, matcher: Matcher) -> bool:
	"""True if path matches with the given matcher"""
	match matcher:
	case Is(target):
	return path == target
	case Glob(pattern):
	return pathlib.PurePath(path).match(pattern)
	case Regex(pattern):
	return re.match(pattern, path)


	def check_rule(pol, path: str, tcontext: str, rule: Rule) -> List[str]:
	"""Returns error message if scontext can't read the target"""
	match rule:
	case AllowRead(tclass, scontext):
	te_rules = list(pol.QueryTERule(scontext=scontext,
	tcontext={tcontext},
	tclass={tclass},
	perms={'read'}))
	if len(te_rules) > 0:
	return [] # no errors

	return [f"Error: {path}: {scontext} can't read. (tcontext={tcontext})"]


	rules = [
	# permissions
	(Is('./etc/permissions/'), AllowRead('dir', {'system_server'})),
	(Glob('./etc/permissions/*.xml'), AllowRead('file', {'system_server'})),
	# init scripts with optional SDK version (e.g. foo.rc, foo.32rc)
	(Regex('\./etc/.\.\drc'), AllowRead('file', {'init'})),
	# vintf fragments
	(Is('./etc/vintf/'), AllowRead('dir', {'servicemanager', 'apexd'})),
	(Glob('./etc/vintf/*.xml'), AllowRead('file', {'servicemanager', 'apexd'})),
	# ./ and apex_manifest.pb
	(Is('./apex_manifest.pb'), AllowRead('file', {'linkerconfig', 'apexd'})),
	(Is('./'), AllowRead('dir', {'linkerconfig', 'apexd'})),
	]


	def check_line(pol: policy.Policy, line: str) -> List[str]:
	"""Parses a file_contexts line and runs checks"""
	# skip empty/comment line
	line = line.strip()
	if line == '' or line[0] == '#':
	return []

	# parse
	split = line.split()
	if len(split) != 2:
	return [f"Error: invalid file_contexts: {line}"]
	path, context = split[0], split[1]
	if len(context.split(':')) != 4:
	return [f"Error: invalid file_contexts: {line}"]
	tcontext = context.split(':')[2]

	# check rules
	errors = []
	for matcher, rule in rules:
	if match_path(path, matcher):
	errors.extend(check_rule(pol, path, tcontext, rule))
	return errors


	def extract_data(name, temp_dir):
	out_path = os.path.join(temp_dir, name)
	with open(out_path, 'wb') as f:
	blob = pkgutil.get_data('apex_sepolicy_tests', name)
	if not blob:
	sys.exit(f"Error: {name} does not exist. Is this binary corrupted?\n")
	f.write(blob)
	return out_path


	def do_main(work_dir):
	"""Do testing"""
	parser = argparse.ArgumentParser()
	parser.add_argument('-f', '--file_contexts', help='output of "deapexer list -Z"')
	args = parser.parse_args()

	lib_path = extract_data(LIBSEPOLWRAP, work_dir)
	policy_path = extract_data('precompiled_sepolicy', work_dir)
	pol = policy.Policy(policy_path, None, lib_path)

	errors = []
	with open(args.file_contexts, 'rt', encoding='utf-8') as file_contexts:
	for line in file_contexts:
	errors.extend(check_line(pol, line))
	if len(errors) > 0:
	sys.exit('\n'.join(errors))


	if __name__ == '__main__':
	with tempfile.TemporaryDirectory() as temp_dir:
	do_main(temp_dir)