commit 92bfb372fc5c2e1ebf9991aee40a0357a67d7768
author Jooyung Han <jooyung@google.com> Fri Sep 08 14:28:40 2023 +0900
committer Jooyung Han <jooyung@google.com> Mon Sep 11 13:39:09 2023 +0900
tree 3b95b71d9a8ee877eaa54d63a2d9f94a1a1db050
parent 3778cd476584bb3c4c410062503b65870268dd20

APEX file_context should have valid labels

A new test mode (--all) tests if every file context label used in APEX
is "known". It should fail if unknown label is used in APEX.

Bug: 299391194
Test: atest apex_sepolicy_tests_test
Change-Id: Ie467019a6dc74bba9901ba8d705b31e6de24cd62

tests/apex_sepolicy_tests.py

diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index 518ebbc..3c51b67 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -65,7 +65,13 @@
     scontext: set[str]
 
 
-Rule = AllowRead
+@dataclass
+class ResolveType:
+    """Rule checking if type can be resolved"""
+    pass
+
+
+Rule = AllowRead | ResolveType
 
 
 def match_path(path: str, matcher: Matcher) -> bool:
@@ -94,10 +100,18 @@
                     continue  # no errors
 
                 errors.append(f"Error: {path}: {s} can't read. (tcontext={tcontext})")
+        case ResolveType():
+            if tcontext not in pol.GetAllTypes(False):
+                errors.append(f"Error: {path}: tcontext({tcontext}) is unknown")
     return errors
 
 
-rules = [
+target_specific_rules = [
+    (Glob('*'), ResolveType()),
+]
+
+
+generic_rules = [
     # permissions
     (Is('./etc/permissions/'), AllowRead('dir', {'system_server'})),
     (Glob('./etc/permissions/*.xml'), AllowRead('file', {'system_server'})),
@@ -114,7 +128,10 @@
 ]
 
 
-def check_line(pol: policy.Policy, line: str) -> List[str]:
+all_rules = target_specific_rules + generic_rules
+
+
+def check_line(pol: policy.Policy, line: str, rules) -> List[str]:
     """Parses a file_contexts line and runs checks"""
     # skip empty/comment line
     line = line.strip()
@@ -151,6 +168,7 @@
 def do_main(work_dir):
     """Do testing"""
     parser = argparse.ArgumentParser()
+    parser.add_argument('--all', action='store_true', help='tests ALL aspects')
     parser.add_argument('-f', '--file_contexts', help='output of "deapexer list -Z"')
     args = parser.parse_args()
 
@@ -158,10 +176,15 @@
     policy_path = extract_data('precompiled_sepolicy', work_dir)
     pol = policy.Policy(policy_path, None, lib_path)
 
+    if args.all:
+        rules = all_rules
+    else:
+        rules = generic_rules
+
     errors = []
     with open(args.file_contexts, 'rt', encoding='utf-8') as file_contexts:
         for line in file_contexts:
-            errors.extend(check_line(pol, line))
+            errors.extend(check_line(pol, line, rules))
     if len(errors) > 0:
         sys.exit('\n'.join(errors))