#!/usr/bin/env python import re import sys import SELinuxNeverallowTestFrame usage = "Usage: ./SELinuxNeverallowTestGen.py " class NeverallowRule: statement = '' treble_only = False compatible_property_only = False def __init__(self, statement): self.statement = statement self.treble_only = False self.compatible_property_only = False # extract_neverallow_rules - takes an intermediate policy file and pulls out the # neverallow rules by taking all of the non-commented text between the 'neverallow' # keyword and a terminating ';' # returns: a list of rules def extract_neverallow_rules(policy_file): with open(policy_file, 'r') as in_file: policy_str = in_file.read() # full-Treble only tests are inside sections delimited by BEGIN_TREBLE_ONLY # and END_TREBLE_ONLY comments. # uncomment TREBLE_ONLY section delimiter lines remaining = re.sub( r'^\s*#\s*(BEGIN_TREBLE_ONLY|END_TREBLE_ONLY|BEGIN_COMPATIBLE_PROPERTY_ONLY|END_COMPATIBLE_PROPERTY_ONLY)', r'\1', policy_str, flags = re.M) # remove comments remaining = re.sub(r'#.+?$', r'', remaining, flags = re.M) # match neverallow rules lines = re.findall( r'^\s*(neverallow\s.+?;|BEGIN_TREBLE_ONLY|END_TREBLE_ONLY|BEGIN_COMPATIBLE_PROPERTY_ONLY|END_COMPATIBLE_PROPERTY_ONLY)', remaining, flags = re.M |re.S) # extract neverallow rules from the remaining lines rules = list() treble_only_depth = 0 compatible_property_only_depth = 0 for line in lines: if line.startswith("BEGIN_TREBLE_ONLY"): treble_only_depth += 1 continue elif line.startswith("END_TREBLE_ONLY"): if treble_only_depth < 1: exit("ERROR: END_TREBLE_ONLY outside of TREBLE_ONLY section") treble_only_depth -= 1 continue elif line.startswith("BEGIN_COMPATIBLE_PROPERTY_ONLY"): compatible_property_only_depth += 1 continue elif line.startswith("END_COMPATIBLE_PROPERTY_ONLY"): if compatible_property_only_depth < 1: exit("ERROR: END_COMPATIBLE_PROPERTY_ONLY outside of COMPATIBLE_PROPERTY_ONLY section") compatible_property_only_depth -= 1 continue rule = NeverallowRule(line) rule.treble_only = (treble_only_depth > 0) rule.compatible_property_only = (compatible_property_only_depth > 0) rules.append(rule) if treble_only_depth != 0: exit("ERROR: end of input while inside TREBLE_ONLY section") if compatible_property_only_depth != 0: exit("ERROR: end of input while inside COMPATIBLE_PROPERTY_ONLY section") return rules # neverallow_rule_to_test - takes a neverallow statement and transforms it into # the output necessary to form a cts unit test in a java source file. # returns: a string representing a generic test method based on this rule. def neverallow_rule_to_test(rule, test_num): squashed_neverallow = rule.statement.replace("\n", " ") method = SELinuxNeverallowTestFrame.src_method method = method.replace("testNeverallowRules()", "testNeverallowRules" + str(test_num) + "()") method = method.replace("$NEVERALLOW_RULE_HERE$", squashed_neverallow) method = method.replace( "$FULL_TREBLE_ONLY_BOOL_HERE$", "true" if rule.treble_only else "false") method = method.replace( "$COMPATIBLE_PROPERTY_ONLY_BOOL_HERE$", "true" if rule.compatible_property_only else "false") return method if __name__ == "__main__": # check usage if len(sys.argv) != 3: print usage exit(1) input_file = sys.argv[1] output_file = sys.argv[2] src_header = SELinuxNeverallowTestFrame.src_header src_body = SELinuxNeverallowTestFrame.src_body src_footer = SELinuxNeverallowTestFrame.src_footer # grab the neverallow rules from the policy file and transform into tests neverallow_rules = extract_neverallow_rules(input_file) i = 0 for rule in neverallow_rules: src_body += neverallow_rule_to_test(rule, i) i += 1 with open(output_file, 'w') as out_file: out_file.write(src_header) out_file.write(src_body) out_file.write(src_footer)