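#!/usr/bin/env python

# Java source templates for the generated SELinuxNeverallowRulesTest CTS class.
#
# The generated file is laid out as src_header, then src_body, then src_footer.
# src_body starts empty here; presumably the generator appends one copy of
# src_method per neverallow rule -- confirm against the code that uses these
# templates. These are ordinary (non-raw) Python strings, so "\\n" below is
# emitted into the Java source as the two-character escape \n.

# Class preamble: licence, imports, fields, the build/device setters and setUp().
# setUp() marks the host-side sepolicy-analyze binary executable and pulls the
# running device's policy from /sys/fs/selinux/policy into a temporary file.
src_header = """/*
 * Copyright (C) 2014 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.cts.security;

import com.android.cts.migration.MigrationHelper;
import com.android.tradefed.build.IBuildInfo;
import com.android.tradefed.device.ITestDevice;
import com.android.tradefed.testtype.DeviceTestCase;
import com.android.tradefed.testtype.IBuildReceiver;
import com.android.tradefed.testtype.IDeviceTest;

import java.io.BufferedReader;
import java.io.File;
import java.io.InputStream;
import java.io.InputStreamReader;

/**
 * Neverallow Rules SELinux tests.
 */
public class SELinuxNeverallowRulesTest extends DeviceTestCase implements IBuildReceiver, IDeviceTest {
    private File sepolicyAnalyze;
    private File devicePolicyFile;

    private IBuildInfo mBuild;

    /**
     * A reference to the device under test.
     */
    private ITestDevice mDevice;

    /**
     * {@inheritDoc}
     */
    @Override
    public void setBuild(IBuildInfo build) {
        mBuild = build;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public void setDevice(ITestDevice device) {
        super.setDevice(device);
        mDevice = device;
    }
    @Override
    protected void setUp() throws Exception {
        super.setUp();
        sepolicyAnalyze = MigrationHelper.getTestFile(mBuild, "sepolicy-analyze");
        sepolicyAnalyze.setExecutable(true);

        /* obtain sepolicy file from running device */
        devicePolicyFile = File.createTempFile("sepolicy", ".tmp");
        devicePolicyFile.deleteOnExit();
        /* fail here rather than hand sepolicy-analyze an empty file when the pull fails */
        assertTrue("Failed to pull /sys/fs/selinux/policy from the device",
                mDevice.pullFile("/sys/fs/selinux/policy", devicePolicyFile));
    }
"""

# Accumulator for the generated test methods; empty in this template file.
src_body = ""

# Closes the class opened in src_header.
src_footer = """}
"""

# Template for one generated test method. $NEVERALLOW_RULE_HERE$ is a placeholder
# for the rule text; the substitution is not part of this file. Presumably the
# generator also gives each copy a unique method name -- confirm.
# NOTE(review): the rule lands inside a Java string literal, so whatever performs
# the substitution has to escape quotes, backslashes and newlines.
# NOTE(review): the generated test treats "no output" as success and never looks
# at the exit status returned by waitFor(); an analyzer that dies without printing
# anything would therefore pass. Consider asserting on the exit status once
# sepolicy-analyze's exit codes have been confirmed.
src_method = """
    public void testNeverallowRules() throws Exception {
        String neverallowRule = "$NEVERALLOW_RULE_HERE$";

        /* run sepolicy-analyze neverallow check on policy file using given neverallow rules */
        ProcessBuilder pb = new ProcessBuilder(sepolicyAnalyze.getAbsolutePath(),
                devicePolicyFile.getAbsolutePath(), "neverallow", "-n",
                neverallowRule);
        pb.redirectOutput(ProcessBuilder.Redirect.PIPE);
        pb.redirectErrorStream(true);
        Process p = pb.start();

        /*
         * Drain the merged stdout/stderr before waiting for the process to exit: waiting
         * first can block forever once the analyzer has filled the pipe buffer.
         */
        StringBuilder errorString = new StringBuilder();
        try (BufferedReader result =
                new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = result.readLine()) != null) {
                errorString.append(line);
                errorString.append("\\n");
            }
        }
        p.waitFor();
        assertTrue("The following errors were encountered when validating the SELinux "
                   + "neverallow rule:\\n" + neverallowRule + "\\n" + errorString,
                   errorString.length() == 0);
    }
"""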