| /* |
| * Copyright (C) 2023 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package android.security.cts; |
| |
| import static org.junit.Assert.assertTrue; |
| import static org.junit.Assume.assumeTrue; |
| |
| import android.cts.host.utils.DeviceJUnit4ClassRunnerWithParameters; |
| import android.cts.host.utils.DeviceJUnit4Parameterized; |
| import android.platform.test.annotations.RestrictedBuildTest; |
| |
| import com.android.tradefed.build.IBuildInfo; |
| import com.android.tradefed.device.ITestDevice; |
| import com.android.tradefed.testtype.junit4.BaseHostJUnit4Test; |
| |
| import org.junit.After; |
| import org.junit.Before; |
| import org.junit.Test; |
| import org.junit.runner.RunWith; |
| import org.junit.runners.Parameterized.Parameter; |
| import org.junit.runners.Parameterized.Parameters; |
| import org.junit.runners.Parameterized.UseParametersRunnerFactory; |
| |
| import java.io.File; |
| import java.nio.file.Files; |
| import java.util.List; |
| |
| /** |
| * Neverallow Rules SELinux tests. |
| * |
| * This is a parametrised test. It extracts the neverallow rules from the |
| * platform policy which is embedded in the CTS distribution. Each rule |
| * generates its own test to ensure that it is not violated by the device |
| * policy. |
| * |
| * A set of criteria can be used in the platform policy to skip the test |
| * depending on the device (e.g., launching version). See |
| * SELinuxNeverallowRule.sConditions. |
| * |
| */ |
| @RunWith(DeviceJUnit4Parameterized.class) |
| @UseParametersRunnerFactory(DeviceJUnit4ClassRunnerWithParameters.RunnerFactory.class) |
| public class SELinuxNeverallowRulesTest extends BaseHostJUnit4Test { |
| private File sepolicyAnalyze; |
| private File devicePolicyFile; |
| private File deviceSystemPolicyFile; |
| |
| private IBuildInfo mBuild; |
| private int mVendorSepolicyVersion = -1; |
| private int mSystemSepolicyVersion = -1; |
| |
| /** |
| * A reference to the device under test. |
| */ |
| private ITestDevice mDevice; |
| |
| /** |
| * Generate the test parameters based on the embedded policy (general_sepolicy.conf). |
| */ |
| @Parameters |
| public static Iterable<SELinuxNeverallowRule> generateRules() throws Exception { |
| File publicPolicy = SELinuxHostTest.copyResourceToTempFile("/general_sepolicy.conf"); |
| String policy = Files.readString(publicPolicy.toPath()); |
| |
| List<SELinuxNeverallowRule> rules = SELinuxNeverallowRule.parsePolicy(policy); |
| |
| assertTrue("No test generated from the CTS-embedded policy", !rules.isEmpty()); |
| return rules; |
| } |
| |
| /* Parameter generated by generateRules() and available to testNeverallowRules */ |
| @Parameter |
| public SELinuxNeverallowRule mRule; |
| |
| @Before |
| public void setUp() throws Exception { |
| mDevice = getDevice(); |
| mBuild = getBuild(); |
| |
| assumeTrue("skipping not compatible rule", mRule.isCompatible(mDevice)); |
| |
| if (sepolicyAnalyze == null) { |
| sepolicyAnalyze = SELinuxHostTest.copyResourceToTempFile("/sepolicy-analyze"); |
| sepolicyAnalyze.setExecutable(true); |
| } |
| |
| devicePolicyFile = SELinuxHostTest.getDevicePolicyFile(mDevice); |
| |
| if (SELinuxHostTest.isSepolicySplit(mDevice)) { |
| deviceSystemPolicyFile = |
| SELinuxHostTest.getDeviceSystemPolicyFile(mDevice); |
| |
| // Caching this variable to save time. |
| if (mVendorSepolicyVersion == -1) { |
| mVendorSepolicyVersion = |
| SELinuxHostTest.getVendorSepolicyVersion(mBuild, mDevice); |
| } |
| if (mSystemSepolicyVersion == -1) { |
| mSystemSepolicyVersion = |
| SELinuxHostTest.getSystemSepolicyVersion(mBuild); |
| } |
| } |
| } |
| |
| @After |
| public void tearDown() throws Exception { |
| if (sepolicyAnalyze != null) { |
| sepolicyAnalyze.delete(); |
| sepolicyAnalyze = null; |
| } |
| } |
| |
| @Test |
| @RestrictedBuildTest |
| public void testNeverallowRules() throws Exception { |
| // If sepolicy is split and vendor sepolicy version is behind platform's, |
| // only test against platform policy. |
| File policyFile = |
| (SELinuxHostTest.isSepolicySplit(mDevice) |
| && mVendorSepolicyVersion < mSystemSepolicyVersion) |
| ? deviceSystemPolicyFile : devicePolicyFile; |
| |
| mRule.testNeverallowRule(sepolicyAnalyze, policyFile); |
| } |
| } |