Compliance test added for isolated_app_all
Compliance test is added to analyzes all members of isolated_app_all
and only allows them to have specific differences. Currently only
certain targets and classes are permitted based on the usecase of such
member classses. The list could be expanded based on future requirement
of more functionality yet the change won't be huge to ensure the
properties of sandbox.
Bug: 255597123
Test: m && presubmit
Change-Id: Id579223c585759ab5f6fbd531583d002eb2b14a5
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index c966423..1d380ab 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -27,6 +27,8 @@
DEBUG=False
SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'
+# TODO(b/266998144): consider rename this file.
+
'''
Use file_contexts and policy to verify Treble requirements
are not violated.
@@ -307,6 +309,94 @@
return test_policy.pol.AssertPathTypesDoNotHaveAttr(["/data/vendor/", "/data/vendor_ce/",
"/data/vendor_de/"], [], "core_data_file_type")
+# TODO move this to sepolicy_tests
+def TestIsolatedAttributeConsistency(test_policy):
+ permissionAllowList = {
+ # hardware related
+ "codec2_config_prop" : ["file"],
+ "device_config_nnapi_native_prop":["file"],
+ "dmabuf_system_heap_device":["chr_file"],
+ "hal_allocator_default":["binder", "fd"],
+ "hal_codec2": ["binder", "fd"],
+ "hal_codec2_hwservice":["hwservice_manager"],
+ "hal_graphics_allocator": ["binder", "fd"],
+ "hal_graphics_allocator_service":["service_manager"],
+ "hal_graphics_allocator_hwservice":["hwservice_manager"],
+ "hal_graphics_allocator_server":["binder", "service_manager"],
+ "hal_graphics_mapper_hwservice":["hwservice_manager"],
+ "hal_neuralnetworks": ["binder", "fd"],
+ "hal_neuralnetworks_hwservice":["hwservice_manager"],
+ "hal_omx_hwservice":["hwservice_manager"],
+ "hidl_allocator_hwservice":["hwservice_manager"],
+ "hidl_manager_hwservice":["hwservice_manager"],
+ "hidl_memory_hwservice":["hwservice_manager"],
+ "hidl_token_hwservice":["hwservice_manager"],
+ "hwservicemanager":["binder"],
+ "hwservicemanager_prop":["file"],
+ "hwbinder_device":["chr_file"],
+ "mediacodec":["binder", "fd"],
+ "mediaswcodec":["binder", "fd"],
+ "media_variant_prop":["file"],
+ "nnapi_ext_deny_product_prop":["file"],
+ "ion_device" : ["chr_file"],
+ # system services
+ "audioserver_service":["service_manager"],
+ "cameraserver_service":["service_manager"],
+ "content_capture_service":["service_manager"],
+ "device_state_service":["service_manager"],
+ "hal_neuralnetworks_service":["service_manager"],
+ "servicemanager":["fd"],
+ "speech_recognition_service":["service_manager"],
+ "mediaserver_service" :["service_manager"]
+ }
+
+ def resolveHalServerSubtype(target):
+ # permission given as a client in technical_debt.cil
+ hal_server_attributes = [
+ "hal_codec2_server",
+ "hal_graphics_allocator_server",
+ "hal_neuralnetworks_server"]
+
+ for attr in hal_server_attributes:
+ if target in test_policy.pol.QueryTypeAttribute(Type=attr, IsAttr=True):
+ return attr.rsplit("_", 1)[0]
+ return target
+
+ def checkPermissions(permissions):
+ violated_permissions = []
+ for perm in permissions:
+ tctx, tclass, p = perm.split(":")
+ tctx = resolveHalServerSubtype(tctx)
+ if tctx not in permissionAllowList \
+ or tclass not in permissionAllowList[tctx] \
+ or ( p == "write" and not perm.startswith("hwbinder_device:chr_file") ) \
+ or ( p == "rw_file_perms"):
+ violated_permissions += [perm]
+ return violated_permissions
+
+ ret = ""
+
+ isolatedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_app_all", IsAttr=True)
+ baseRules = test_policy.pol.QueryExpandedTERule(scontext=["isolated_app"])
+ basePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
+ for rule in baseRules for perm in rule.perms])
+ for subType in isolatedMemberTypes:
+ if subType == "isolated_app" : continue
+ currentTypeRule = test_policy.pol.QueryExpandedTERule(scontext=[subType])
+ typePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
+ for rule in currentTypeRule for perm in rule.perms
+ if not rule.tctx in [subType, subType + "_userfaultfd"]])
+ deltaPermissionSet = typePermissionSet.difference(basePermissionSet)
+ violated_permissions = checkPermissions(list(deltaPermissionSet))
+ for perm in violated_permissions:
+ ret += "allow %s %s:%s %s \n" % (subType, *perm.split(":"))
+
+ if ret:
+ ret = ("Found prohibited permission granted for isolated like types. " + \
+ "Please replace your allow statements that involve \"-isolated_app\" with " + \
+ "\"-isolated_app_all\". Violations are shown as the following: \n") + ret
+ return ret
+
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
@@ -327,7 +417,8 @@
Tests = {"CoredomainViolations": TestCoredomainViolations,
"CoreDatatypeViolations": TestCoreDataTypeViolations,
"TrebleCompatMapping": TestTrebleCompatMapping,
- "ViolatorAttributes": TestViolatorAttributes}
+ "ViolatorAttributes": TestViolatorAttributes,
+ "IsolatedAttributeConsistency": TestIsolatedAttributeConsistency}
def do_main(libpath):
"""