1#!/usr/bin/env python
2
3import copy
4import re
5import sys
6import SELinuxNeverallowTestFrame
7
8usage = "Usage: ./SELinuxNeverallowTestGen.py <input policy file> <output cts java source>"
9
10
11class NeverallowRule:
12    statement = ''
13    depths = None
14
15    def __init__(self, statement, depths):
16        self.statement = statement
17        self.depths = copy.deepcopy(depths)
18
19# full-Treble only tests are inside sections delimited by BEGIN_{section} and
20# END_{section} comments.
21sections = [
22    "TREBLE_ONLY",
23    "COMPATIBLE_PROPERTY_ONLY",
24    "LAUNCHING_WITH_R_ONLY",
25    "LAUNCHING_WITH_S_ONLY",
26]
27
28# extract_neverallow_rules - takes an intermediate policy file and pulls out the
29# neverallow rules by taking all of the non-commented text between the 'neverallow'
30# keyword and a terminating ';'
31# returns: a list of rules
32def extract_neverallow_rules(policy_file):
33    with open(policy_file, 'r') as in_file:
34        policy_str = in_file.read()
35
36        # uncomment section delimiter lines
37        section_headers = '|'.join(['BEGIN_%s|END_%s' % (s, s) for s in sections])
38        remaining = re.sub(
39            r'^\s*#\s*(' + section_headers + ')',
40            r'\1',
41            policy_str,
42            flags = re.M)
43        # remove comments
44        remaining = re.sub(r'#.+?$', r'', remaining, flags = re.M)
45        # match neverallow rules
46        lines = re.findall(
47            r'^\s*(neverallow\s.+?;|' + section_headers + ')',
48            remaining,
49            flags = re.M |re.S)
50
51        # extract neverallow rules from the remaining lines
52        rules = list()
53        depths = dict()
54        for section in sections:
55            depths[section] = 0
56        for line in lines:
57            is_header = False
58            for section in sections:
59                if line.startswith("BEGIN_%s" % section):
60                    depths[section] += 1
61                    is_header = True
62                    break
63                elif line.startswith("END_%s" % section):
64                    if depths[section] < 1:
65                        exit("ERROR: END_%s outside of %s section" % (section, section))
66                    depths[section] -= 1
67                    is_header = True
68                    break
69            if not is_header:
70                rule = NeverallowRule(line, depths)
71                rules.append(rule)
72
73        for section in sections:
74            if depths[section] != 0:
75                exit("ERROR: end of input while inside %s section" % section)
76
77        return rules
78
79# neverallow_rule_to_test - takes a neverallow statement and transforms it into
80# the output necessary to form a cts unit test in a java source file.
81# returns: a string representing a generic test method based on this rule.
82def neverallow_rule_to_test(rule, test_num):
83    squashed_neverallow = rule.statement.replace("\n", " ")
84    method  = SELinuxNeverallowTestFrame.src_method
85    method = method.replace("testNeverallowRules()",
86        "testNeverallowRules" + str(test_num) + "()")
87    method = method.replace("$NEVERALLOW_RULE_HERE$", squashed_neverallow)
88    for section in sections:
89        method = method.replace(
90            "$%s_BOOL_HERE$" % section,
91            "true" if rule.depths[section] else "false")
92    return method
93
94if __name__ == "__main__":
95    # check usage
96    if len(sys.argv) != 3:
97        print usage
98        exit(1)
99    input_file = sys.argv[1]
100    output_file = sys.argv[2]
101
102    src_header = SELinuxNeverallowTestFrame.src_header
103    src_body = SELinuxNeverallowTestFrame.src_body
104    src_footer = SELinuxNeverallowTestFrame.src_footer
105
106    # grab the neverallow rules from the policy file and transform into tests
107    neverallow_rules = extract_neverallow_rules(input_file)
108    i = 0
109    for rule in neverallow_rules:
110        src_body += neverallow_rule_to_test(rule, i)
111        i += 1
112
113    with open(output_file, 'w') as out_file:
114        out_file.write(src_header)
115        out_file.write(src_body)
116        out_file.write(src_footer)
117