Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 3a9d91ce68891e6914a3edceb5a6e79ccaeaa2d3^! / . / tests
commit3a9d91ce68891e6914a3edceb5a6e79ccaeaa2d3[log] [tgz]
authorInseob Kim <inseob@google.com>Wed Sep 27 17:39:07 2023 +0900
committerInseob Kim <inseob@google.com>Tue Nov 21 16:47:03 2023 +0900
tree463a9b4aeba622c682a5f9d8cc2e3a1c1db862bd
parent0d65502e9edc8eb6b9fccea31e985fb096fd83e3 [diff]
Add dev_type test

Files under /dev should have dev_type attribute.

Bug: 303367345
Test: m selinux_policy
Change-Id: Iaa1e39338e2fae32086bd770c6f3ab4b33bb82aa

diff --git a/tests/policy.py b/tests/policy.py
index 8fc2ef7..98133b7 100644
--- a/tests/policy.py
+++ b/tests/policy.py

@@ -146,9 +146,9 @@
     # DoNotMatchPrefix have the attribute Attr.
     # For example assert that all types in /sys, and not in /sys/kernel/debugfs
     # have the sysfs_type attribute.
-    def AssertPathTypesHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr):
+    def AssertPathTypesHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr, ExcludedTypes = []):
         # Query policy for the types associated with Attr
-        TypesPol = self.QueryTypeAttribute(Attr, True)
+        TypesPol = self.QueryTypeAttribute(Attr, True) | set(ExcludedTypes)
         # Search file_contexts to find paths/types that should be associated with
         # Attr.
         PathTypes = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)

diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 4ef161b..7a341cb 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py

@@ -265,6 +265,22 @@
             "\"-isolated_app_all\". Violations are shown as the following: \n")  + ret
     return ret
 
+def TestDevTypeViolations(pol):
+    exceptions = [
+        "/dev/socket",
+    ]
+    exceptionTypes = [
+        "boringssl_self_test_marker",  # /dev/boringssl/selftest
+        "cgroup_rc_file",              # /dev/cgroup.rc
+        "dev_cpu_variant",             # /dev/cpu_variant:{arch}
+        "fscklogs",                    # /dev/fscklogs
+        "properties_serial",           # /dev/__properties__/properties_serial
+        "property_info",               # /dev/__properties__/property_info
+        "runtime_event_log_tags_file", # /dev/event-log-tags
+    ]
+    return pol.AssertPathTypesHaveAttr(["/dev"], exceptions,
+                                       "dev_type", exceptionTypes)
+
 ###
 # extend OptionParser to allow the same option flag to be used multiple times.
 # This is used to allow multiple file_contexts files and tests to be
@@ -298,6 +314,7 @@
     "TestCoredomainViolations",
     "TestViolatorAttributes",
     "TestIsolatedAttributeConsistency",
+    "TestDevTypeViolations",
 ]
 
 def do_main(libpath):
@@ -366,6 +383,10 @@
     if options.test is None or "TestIsolatedAttributeConsistency" in options.test:
         results += TestIsolatedAttributeConsistency(test_policy)
 
+    # dev type test won't be run as default
+    if options.test and "TestDevTypeViolations" in options.test:
+        results += TestDevTypeViolations(pol)
+
     if len(results) > 0:
         sys.exit(results)