tests/sepolicy_tests.py

# Copyright 2021 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

from optparse import OptionParser
from optparse import Option, OptionValueError
import os
import pkgutil
import policy
import re
import shutil
import sys
import tempfile

SHARED_LIB_EXTENSION = '.dylib' if sys.platform == 'darwin' else '.so'

#############################################################
# Tests
#############################################################
def TestDataTypeViolations(pol):
    return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")

def TestSystemTypeViolations(pol):
    partitions = ["/system/", "/system_ext/", "/product/"]
    exceptions = [
        # devices before treble don't have a vendor partition
        "/system/vendor/",

        # overlay files are mounted over vendor
        "/product/overlay/",
        "/product/vendor_overlay/",
        "/system/overlay/",
        "/system/product/overlay/",
        "/system/product/vendor_overlay/",
        "/system/system_ext/overlay/",
        "/system_ext/overlay/",

        # adb_keys_file hasn't been a system_file_type
        "/product/etc/security/adb_keys",
        "/system/product/etc/security/adb_keys",
    ]

    return pol.AssertPathTypesHaveAttr(partitions, exceptions, "system_file_type")

def TestBpffsTypeViolations(pol):
    return pol.AssertGenfsFilesystemTypesHaveAttr("bpf", "bpffs_type")

def TestProcTypeViolations(pol):
    return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")

def TestSysfsTypeViolations(pol):
    ret = pol.AssertGenfsFilesystemTypesHaveAttr("sysfs", "sysfs_type")
    ret += pol.AssertPathTypesHaveAttr(["/sys/"], ["/sys/kernel/debug/",
                                    "/sys/kernel/tracing"], "sysfs_type")
    return ret

def TestDebugfsTypeViolations(pol):
    ret = pol.AssertGenfsFilesystemTypesHaveAttr("debugfs", "debugfs_type")
    ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
                                    "/sys/kernel/tracing"], [], "debugfs_type")
    return ret

def TestTracefsTypeViolations(pol):
    ret = pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "tracefs_type")
    ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/tracing"], [], "tracefs_type")
    ret += pol.AssertPathTypesDoNotHaveAttr(["/sys/kernel/debug"],
                                            ["/sys/kernel/debug/tracing"], "tracefs_type",
                                            [])
    return ret

def TestVendorTypeViolations(pol):
    partitions = ["/vendor/", "/odm/"]
    exceptions = [
        "/vendor/etc/selinux/",
        "/vendor/odm/etc/selinux/",
        "/odm/etc/selinux/",
    ]
    return pol.AssertPathTypesHaveAttr(partitions, exceptions, "vendor_file_type")

def TestCoreDataTypeViolations(pol):
    ret = pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
            "/data/vendor_ce", "/data/vendor_de"], "core_data_file_type")
    ret += pol.AssertPathTypesDoNotHaveAttr(["/data/vendor/", "/data/vendor_ce/",
        "/data/vendor_de/"], [], "core_data_file_type")
    return ret

def TestPropertyTypeViolations(pol):
    return pol.AssertPropertyOwnersAreExclusive()

def TestAppDataTypeViolations(pol):
    # Types with the app_data_file_type should only be used for app data files
    # (/data/data/package.name etc) via seapp_contexts, and never applied
    # explicitly to other files.
    partitions = [
        "/data/",
        "/vendor/",
        "/odm/",
        "/product/",
    ]
    exceptions = [
        # These are used for app data files for the corresponding user and
        # assorted other files.
        # TODO(b/172812577): Use different types for the different purposes
        "shell_data_file",
        "bluetooth_data_file",
        "nfc_data_file",
        "radio_data_file",
    ]
    return pol.AssertPathTypesDoNotHaveAttr(partitions, [], "app_data_file_type",
                                            exceptions)
def TestDmaHeapDevTypeViolations(pol):
    return pol.AssertPathTypesHaveAttr(["/dev/dma_heap/"], [],
                                       "dmabuf_heap_device_type")

def TestCoredomainViolations(test_policy):
    # verify that all domains launched from /system have the coredomain
    # attribute
    ret = ""

    for d in test_policy.alldomains:
        domain = test_policy.alldomains[d]
        if domain.fromSystem and domain.fromVendor:
            ret += "The following domain is system and vendor: " + d + "\n"

    for domain in test_policy.alldomains.values():
        ret += domain.error

    violators = []
    for d in test_policy.alldomains:
        domain = test_policy.alldomains[d]
        if domain.fromSystem and "coredomain" not in domain.attributes:
                violators.append(d);
    if len(violators) > 0:
        ret += "The following domain(s) must be associated with the "
        ret += "\"coredomain\" attribute because they are executed off of "
        ret += "/system:\n"
        ret += " ".join(str(x) for x in sorted(violators)) + "\n"

    # verify that all domains launched form /vendor do not have the coredomain
    # attribute
    violators = []
    for d in test_policy.alldomains:
        domain = test_policy.alldomains[d]
        if domain.fromVendor and "coredomain" in domain.attributes:
            violators.append(d)
    if len(violators) > 0:
        ret += "The following domains must not be associated with the "
        ret += "\"coredomain\" attribute because they are executed off of "
        ret += "/vendor or /system/vendor:\n"
        ret += " ".join(str(x) for x in sorted(violators)) + "\n"

    return ret

def TestViolatorAttribute(test_policy, attribute):
    # TODO(b/113124961): re-enable once all violator attributes are removed.
    return ""

    # ret = ""
    # return ret

    # violators = test_policy.DomainsWithAttribute(attribute)
    # if len(violators) > 0:
    #    ret += "SELinux: The following domains violate the Treble ban "
    #    ret += "against use of the " + attribute + " attribute: "
    #    ret += " ".join(str(x) for x in sorted(violators)) + "\n"
    # return ret

def TestViolatorAttributes(test_policy):
    ret = ""
    ret += TestViolatorAttribute(test_policy, "socket_between_core_and_vendor_violators")
    ret += TestViolatorAttribute(test_policy, "vendor_executes_system_violators")
    return ret

def TestIsolatedAttributeConsistency(test_policy):
    permissionAllowList = {
        # access given from technical_debt.cil
        "codec2_config_prop" : ["file"],
        "device_config_nnapi_native_prop":["file"],
        "gpu_device": ["dir"],
        "hal_allocator_default":["binder", "fd"],
        "hal_codec2": ["binder", "fd"],
        "hal_codec2_hwservice":["hwservice_manager"],
        "hal_graphics_allocator": ["binder", "fd"],
        "hal_graphics_allocator_service":["service_manager"],
        "hal_graphics_allocator_hwservice":["hwservice_manager"],
        "hal_graphics_allocator_server":["binder", "service_manager"],
        "hal_graphics_mapper_hwservice":["hwservice_manager"],
        "hal_graphics_mapper_service":["service_manager"],
        "hal_neuralnetworks": ["binder", "fd"],
        "hal_neuralnetworks_service": ["service_manager"],
        "hal_neuralnetworks_hwservice":["hwservice_manager"],
        "hal_omx_hwservice":["hwservice_manager"],
        "hidl_allocator_hwservice":["hwservice_manager"],
        "hidl_manager_hwservice":["hwservice_manager"],
        "hidl_memory_hwservice":["hwservice_manager"],
        "hidl_token_hwservice":["hwservice_manager"],
        "hwservicemanager":["binder"],
        "hwservicemanager_prop":["file"],
        "mediacodec":["binder", "fd"],
        "mediaswcodec":["binder", "fd"],
        "media_variant_prop":["file"],
        "nnapi_ext_deny_product_prop":["file"],
        "servicemanager":["fd"],
        "sysfs_gpu": ["file"],
        "toolbox_exec": ["file"],
        # extra types being granted to isolated_compute_app
        "isolated_compute_allowed":["service_manager", "chr_file"],
    }

    def resolveHalServerSubtype(target):
        # permission given as a client in technical_debt.cil
        hal_server_attributes = [
            "hal_codec2_server",
            "hal_graphics_allocator_server",
            "hal_neuralnetworks_server"]

        for attr in hal_server_attributes:
            if target in test_policy.pol.QueryTypeAttribute(Type=attr, IsAttr=True):
                return attr.rsplit("_", 1)[0]
        return target

    def checkIsolatedComputeAllowed(tctx, tclass):
        # check if the permission is in isolated_compute_allowed
        allowedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_service", IsAttr=True) \
            .union(test_policy.pol.QueryTypeAttribute(Type="isolated_compute_allowed_device", IsAttr=True))
        return tctx in allowedMemberTypes and tclass in permissionAllowList["isolated_compute_allowed"]

    def checkPermissions(permissions):
        violated_permissions = []
        for perm in permissions:
            tctx, tclass, p = perm.split(":")
            tctx = resolveHalServerSubtype(tctx)
            # check unwanted permissions
            if not checkIsolatedComputeAllowed(tctx, tclass) and \
                ( tctx not in permissionAllowList \
                    or tclass not in permissionAllowList[tctx] \
                    or ( p == "write") \
                    or ( p == "rw_file_perms") ):
                violated_permissions += [perm]
        return violated_permissions

    ret = ""

    isolatedMemberTypes = test_policy.pol.QueryTypeAttribute(Type="isolated_app_all", IsAttr=True)
    baseRules = test_policy.pol.QueryExpandedTERule(scontext=["isolated_app"])
    basePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
                            for rule in baseRules for perm in rule.perms])
    for subType in isolatedMemberTypes:
        if subType == "isolated_app" : continue
        currentTypeRule = test_policy.pol.QueryExpandedTERule(scontext=[subType])
        typePermissionSet = set([":".join([rule.tctx, rule.tclass, perm])
                                for rule in currentTypeRule for perm in rule.perms
                                if not rule.tctx in [subType, subType + "_userfaultfd"]])
        deltaPermissionSet = typePermissionSet.difference(basePermissionSet)
        violated_permissions = checkPermissions(list(deltaPermissionSet))
        for perm in violated_permissions:
            ret += "allow %s %s:%s %s \n" % (subType, *perm.split(":"))

    if ret:
        ret = ("Found prohibited permission granted for isolated like types. " + \
            "Please replace your allow statements that involve \"-isolated_app\" with " + \
            "\"-isolated_app_all\". Violations are shown as the following: \n")  + ret
    return ret

def TestDevTypeViolations(pol):
    exceptions = [
        "/dev/socket",
    ]
    exceptionTypes = [
        "boringssl_self_test_marker",  # /dev/boringssl/selftest
        "cgroup_rc_file",              # /dev/cgroup.rc
        "dev_cpu_variant",             # /dev/cpu_variant:{arch}
        "fscklogs",                    # /dev/fscklogs
        "properties_serial",           # /dev/__properties__/properties_serial
        "property_info",               # /dev/__properties__/property_info
        "runtime_event_log_tags_file", # /dev/event-log-tags
    ]
    return pol.AssertPathTypesHaveAttr(["/dev"], exceptions,
                                       "dev_type", exceptionTypes)

###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
# specified.
#
class MultipleOption(Option):
    ACTIONS = Option.ACTIONS + ("extend",)
    STORE_ACTIONS = Option.STORE_ACTIONS + ("extend",)
    TYPED_ACTIONS = Option.TYPED_ACTIONS + ("extend",)
    ALWAYS_TYPED_ACTIONS = Option.ALWAYS_TYPED_ACTIONS + ("extend",)

    def take_action(self, action, dest, opt, value, values, parser):
        if action == "extend":
            values.ensure_value(dest, []).append(value)
        else:
            Option.take_action(self, action, dest, opt, value, values, parser)

TEST_NAMES = [ name for name in dir() if name.startswith('Test') ]

def do_main(libpath):
    """
    Args:
        libpath: string, path to libsepolwrap.so
    """
    usage = "sepolicy_tests -f vendor_file_contexts -f "
    usage +="plat_file_contexts -p policy [--test test] [--help]"
    parser = OptionParser(option_class=MultipleOption, usage=usage)
    parser.add_option("-f", "--file_contexts", dest="file_contexts",
            metavar="FILE", action="extend", type="string")
    parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
    parser.add_option("-t", "--test", dest="test", action="extend",
            help="Test options include "+str(TEST_NAMES))

    (options, args) = parser.parse_args()

    if not options.policy:
        sys.exit("Must specify monolithic policy file\n" + parser.usage)
    if not os.path.exists(options.policy):
        sys.exit("Error: policy file " + options.policy + " does not exist\n"
                + parser.usage)

    if not options.file_contexts:
        sys.exit("Error: Must specify file_contexts file(s)\n" + parser.usage)
    for f in options.file_contexts:
        if not os.path.exists(f):
            sys.exit("Error: File_contexts file " + f + " does not exist\n" +
                    parser.usage)

    pol = policy.Policy(options.policy, options.file_contexts, libpath)
    test_policy = policy.TestPolicy()
    test_policy.setup(pol)

    results = ""
    # If an individual test is not specified, run all tests.
    if options.test is None or "TestBpffsTypeViolations" in options.test:
        results += TestBpffsTypeViolations(pol)
    if options.test is None or "TestDataTypeViolations" in options.test:
        results += TestDataTypeViolations(pol)
    if options.test is None or "TestProcTypeViolations" in options.test:
        results += TestProcTypeViolations(pol)
    if options.test is None or "TestSysfsTypeViolations" in options.test:
        results += TestSysfsTypeViolations(pol)
    if options.test is None or "TestSystemTypeViolations" in options.test:
        results += TestSystemTypeViolations(pol)
    if options.test is None or "TestDebugfsTypeViolations" in options.test:
        results += TestDebugfsTypeViolations(pol)
    if options.test is None or "TestTracefsTypeViolations" in options.test:
        results += TestTracefsTypeViolations(pol)
    if options.test is None or "TestVendorTypeViolations" in options.test:
        results += TestVendorTypeViolations(pol)
    if options.test is None or "TestCoreDataTypeViolations" in options.test:
        results += TestCoreDataTypeViolations(pol)
    if options.test is None or "TestPropertyTypeViolations" in options.test:
        results += TestPropertyTypeViolations(pol)
    if options.test is None or "TestAppDataTypeViolations" in options.test:
        results += TestAppDataTypeViolations(pol)
    if options.test is None or "TestDmaHeapDevTypeViolations" in options.test:
        results += TestDmaHeapDevTypeViolations(pol)
    if options.test is None or "TestCoredomainViolations" in options.test:
        results += TestCoredomainViolations(test_policy)
    if options.test is None or "TestViolatorAttributes" in options.test:
        results += TestViolatorAttributes(test_policy)
    if options.test is None or "TestIsolatedAttributeConsistency" in options.test:
        results += TestIsolatedAttributeConsistency(test_policy)

    # dev type test won't be run as default
    if options.test and "TestDevTypeViolations" in options.test:
        results += TestDevTypeViolations(pol)

    if len(results) > 0:
        sys.exit(results)

if __name__ == '__main__':
    temp_dir = tempfile.mkdtemp()
    try:
        libname = "libsepolwrap" + SHARED_LIB_EXTENSION
        libpath = os.path.join(temp_dir, libname)
        with open(libpath, "wb") as f:
            blob = pkgutil.get_data("sepolicy_tests", libname)
            if not blob:
                sys.exit("Error: libsepolwrap does not exist. Is this binary corrupted?\n")
            f.write(blob)
        do_main(libpath)
    finally:
        shutil.rmtree(temp_dir)