/*
* Copyright (C) 2023 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.security.cts;
import static org.junit.Assert.assertTrue;
import static org.junit.Assume.assumeTrue;
import android.cts.host.utils.DeviceJUnit4ClassRunnerWithParameters;
import android.cts.host.utils.DeviceJUnit4Parameterized;
import android.platform.test.annotations.RestrictedBuildTest;
import com.android.tradefed.build.IBuildInfo;
import com.android.tradefed.device.ITestDevice;
import com.android.tradefed.testtype.junit4.BaseHostJUnit4Test;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized.Parameter;
import org.junit.runners.Parameterized.Parameters;
import org.junit.runners.Parameterized.UseParametersRunnerFactory;
import java.io.File;
import java.nio.file.Files;
import java.util.List;
/**
* Neverallow Rules SELinux tests.
*
* This is a parametrised test. It extracts the neverallow rules from the
* platform policy which is embedded in the CTS distribution. Each rule
* generates its own test to ensure that it is not violated by the device
* policy.
*
* A set of criteria can be used in the platform policy to skip the test
* depending on the device (e.g., launching version). See
* SELinuxNeverallowRule.sConditions.
*
*/
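@RunWith(DeviceJUnit4Parameterized.class)
@UseParametersRunnerFactory(DeviceJUnit4ClassRunnerWithParameters.RunnerFactory.class)
public class SELinuxNeverallowRulesTest extends BaseHostJUnit4Test {
    /** Host-side copy of the sepolicy-analyze binary extracted from the CTS resources in setUp(). */
    private File mSepolicyAnalyze;
    /** Device policy obtained via SELinuxHostTest.getDevicePolicyFile(). */
    private File mDevicePolicyFile;
    /**
     * System policy obtained via SELinuxHostTest.getDeviceSystemPolicyFile(); only populated when
     * SELinuxHostTest.isSepolicySplit() reports a split sepolicy, otherwise stays null.
     */
    private File mDeviceSystemPolicyFile;
    private IBuildInfo mBuild;
    /** Vendor/system sepolicy versions; -1 until populated in setUp() on split-sepolicy devices. */
    private int mVendorSepolicyVersion = -1;
    private int mSystemSepolicyVersion = -1;
    /**
     * A reference to the device under test.
     */
    private ITestDevice mDevice;

    /**
     * Generates the test parameters based on the embedded policy (general_sepolicy.conf).
     *
     * @return one parameter per neverallow rule parsed from the CTS-embedded policy
     * @throws Exception if the embedded policy cannot be extracted or read
     */
    @Parameters
    public static Iterable<SELinuxNeverallowRule> generateRules() throws Exception {
        File publicPolicy = SELinuxHostTest.copyResourceToTempFile("/general_sepolicy.conf");
        String policy;
        try {
            policy = Files.readString(publicPolicy.toPath());
        } finally {
            // The temp copy is only needed for the read above; best-effort cleanup so it is not
            // left behind in the host's temp directory.
            publicPolicy.delete();
        }
        List<SELinuxNeverallowRule> rules = SELinuxNeverallowRule.parsePolicy(policy);
        assertTrue("No test generated from the CTS-embedded policy", !rules.isEmpty());
        return rules;
    }

    /* Parameter generated by generateRules() and available to testNeverallowRules */
    @Parameter
    public SELinuxNeverallowRule mRule;

    /**
     * Skips rules that do not apply to this device, then stages the analyzer binary and the
     * device policy file(s) needed by testNeverallowRules().
     *
     * @throws Exception if a resource cannot be extracted or the device cannot be queried
     */
    @Before
    public void setUp() throws Exception {
        mDevice = getDevice();
        mBuild = getBuild();
        // A rule may carry conditions (see SELinuxNeverallowRule) that exclude this device;
        // treat that as "not applicable" rather than as a failure.
        assumeTrue("skipping not compatible rule", mRule.isCompatible(mDevice));
        if (mSepolicyAnalyze == null) {
            mSepolicyAnalyze = SELinuxHostTest.copyResourceToTempFile("/sepolicy-analyze");
            // setExecutable(boolean) sets the owner's execute bit only. Check the result here so a
            // failure surfaces with a clear message instead of an opaque process-launch error later.
            assertTrue("Could not make sepolicy-analyze executable: " + mSepolicyAnalyze,
                    mSepolicyAnalyze.setExecutable(true));
        }
        mDevicePolicyFile = SELinuxHostTest.getDevicePolicyFile(mDevice);
        if (SELinuxHostTest.isSepolicySplit(mDevice)) {
            mDeviceSystemPolicyFile =
                    SELinuxHostTest.getDeviceSystemPolicyFile(mDevice);
            // Caching these to save time. NOTE(review): they are instance fields, and JUnit4
            // normally creates a fresh instance per test, so the cache may never hit — confirm
            // against the runner before relying on it.
            if (mVendorSepolicyVersion == -1) {
                mVendorSepolicyVersion =
                        SELinuxHostTest.getVendorSepolicyVersion(mBuild, mDevice);
            }
            if (mSystemSepolicyVersion == -1) {
                mSystemSepolicyVersion =
                        SELinuxHostTest.getSystemSepolicyVersion(mBuild);
            }
        }
    }

    /**
     * Removes the extracted sepolicy-analyze binary from the host.
     *
     * @throws Exception never thrown directly; kept for signature compatibility with JUnit usage
     */
    @After
    public void tearDown() throws Exception {
        if (mSepolicyAnalyze != null) {
            mSepolicyAnalyze.delete();
            mSepolicyAnalyze = null;
        }
    }

    /**
     * Checks that the device policy does not violate the neverallow rule under test.
     *
     * @throws Exception if the analyzer cannot be run or the rule is violated
     */
    @Test
    @RestrictedBuildTest
    public void testNeverallowRules() throws Exception {
        // If sepolicy is split and vendor sepolicy version is behind platform's,
        // only test against platform policy.
        File policyFile =
                (SELinuxHostTest.isSepolicySplit(mDevice)
                        && mVendorSepolicyVersion < mSystemSepolicyVersion)
                ? mDeviceSystemPolicyFile : mDevicePolicyFile;
        mRule.testNeverallowRule(mSepolicyAnalyze, policyFile);
    }
}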