Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 4b966cb315f37e70406761cd983ac1320b356092^! / . / tests / apex_sepolicy_tests.py
commit4b966cb315f37e70406761cd983ac1320b356092[log] [tgz]
authorJooyung Han <jooyung@google.com>Thu Feb 06 23:23:15 2025 -0800
committerCherrypicker Worker <android-build-cherrypicker-worker@google.com>Thu Feb 06 23:23:15 2025 -0800
tree931bf95344a32e2ed0ed5efd3b7f8e48a33e852e
parent2ee16b501a7014d67ff4b1201c13834b56a0cb13 [diff] [blame]
Fix apex_sepolicy_tests

This was a mistake in 20b6352e0f653eef5bfca61990216f87b151fdaf, the new
check for system/vendor violation was not triggered.

Added tests for new code.

Bug: 387192232
Test: apex_sepolicy_tests_test
(cherry picked from https://android-review.googlesource.com/q/commit:4e00e4cf9a212efcaed4991009468a7f26fd6a4d)
Merged-In: Ic9bfb21f22f1dbb0d6421a348b24373a95bfbec8
Change-Id: Ic9bfb21f22f1dbb0d6421a348b24373a95bfbec8

diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index d8c5c2b..b1d02a6 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py

@@ -119,6 +119,8 @@
             return path.startswith('./bin/') and not path.endswith('/')
         case MatchPred(pred):
             return pred(path)
+        case _:
+            sys.exit(f'unknown matcher: {matcher}')
 
 
 def check_rule(pol, path: str, tcontext: str, rule: Rule) -> List[str]:
@@ -186,15 +188,15 @@
 
 def system_vendor_rule(partition):
     exceptions = [
-        "./etc/linkerconfig.pb"
+        "./etc/linker.config.pb"
     ]
     def pred(path):
         return path not in exceptions
 
-    return pred, HasAttr(base_attr_for(partition))
+    return MatchPred(pred), HasAttr(base_attr_for(partition))
 
 
-def check_line(pol: policy.Policy, line: str, rules) -> List[str]:
+def check_line(pol: policy.Policy, line: str, rules, ignore_unknown_context=False) -> List[str]:
     """Parses a file_contexts line and runs checks"""
     # skip empty/comment line
     line = line.strip()
@@ -210,6 +212,9 @@
         return [f"Error: invalid file_contexts: {line}"]
     tcontext = context.split(':')[2]
 
+    if ignore_unknown_context and tcontext not in pol.GetAllTypes(False):
+        return []
+
     # check rules
     errors = []
     for matcher, rule in rules:
@@ -240,18 +245,19 @@
     policy_path = extract_data('precompiled_sepolicy', work_dir)
     pol = policy.Policy(policy_path, None, lib_path)
 
+    # ignore unknown contexts unless --all is specified
+    ignore_unknown_context = True
     if args.all:
-        rules = all_rules
-    else:
-        rules = generic_rules
+        ignore_unknown_context = False
 
+    rules = all_rules
     if args.partition:
         rules.append(system_vendor_rule(args.partition))
 
     errors = []
     with open(args.file_contexts, 'rt', encoding='utf-8') as file_contexts:
         for line in file_contexts:
-            errors.extend(check_line(pol, line, rules))
+            errors.extend(check_line(pol, line, rules, ignore_unknown_context))
     if len(errors) > 0:
         sys.exit('\n'.join(errors))