commit 1b8b1f648cd6ded165c8b8163e77b1370f91332e
author Inseob Kim <inseob@google.com> Fri Oct 23 15:16:11 2020 +0900
committer Inseob Kim <inseob@google.com> Fri Oct 23 15:16:11 2020 +0900
tree de1b09046a710d5ceae29fe1703dd2e1cb5c9e1f
parent c1eb80e302f3a23c9dbbea8ab1fa8a972ff8bf30

Ensure property owners are exclusive

system_property_type and vendor_property_type can't be assigned
together. For example, the following policy snippet will fail.

system_public_prop(foo_prop)
typeattribute foo_prop vendor_property_type;

product_property_type is currently synonym for system_property_type, so
we only check those two.

Bug: 171437654
Test: m selinux_policy
Test: add "typeattribute default_prop vendor_property_type;" to
      property.te and then "m selinux_policy"
Change-Id: I1cdbf3d04264bb045568c30f19339dfe3889dbb4

tests/policy.py

diff --git a/tests/policy.py b/tests/policy.py
index 0f51e2f..24466e9 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -103,6 +103,17 @@
             ret += " ".join(str(x) for x in sorted(violators)) + "\n"
         return ret
 
+    def AssertPropertyOwnersAreExclusive(self):
+        systemProps = self.QueryTypeAttribute('system_property_type', True)
+        vendorProps = self.QueryTypeAttribute('vendor_property_type', True)
+        violators = systemProps.intersection(vendorProps)
+        ret = ""
+        if len(violators) > 0:
+            ret += "The following types have both system_property_type "
+            ret += "and vendor_property_type: "
+            ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+        return ret
+
     # Return all file_contexts entries that map to the input Type.
     def QueryFc(self, Type):
         if Type in self.__FcDict: