Android CTS中neverallow规则生成过程
cts里面selinux相关测试中neverallow测试项占绝大多数,android系统开发者都应该知道,在修改sepolicy时,需要确保不能违反这些neverallow规则,不然会过不了cts。cts中nerverallow测试都是在selinuxneverallowrulestest.java文件中,并且从aosp代码中发现该文件不是人工提交的,而是通过python脚本生成的,为了以后更好的修改sepolicy,就需要了解下selinuxneverallowrulestest.java是如何生成的。
makefile
首先看下selinuxneverallowrulestest.java的生成的makefile.
selinux_general_policy := $(call intermediates-dir-for,etc,general_sepolicy.conf)/general_sepolicy.conf selinux_neverallow_gen := cts/tools/selinux/selinuxneverallowtestgen.py selinux_neverallow_gen_data := cts/tools/selinux/selinuxneverallowtestframe.py local_additional_dependencies := $(compatibility_testcases_out_cts)/sepolicy-analyze local_generated_sources := $(call local-generated-sources-dir)/android/cts/security/selinuxneverallowrulestest.java # 目标文件 $(local_generated_sources) : private_selinux_general_policy := $(selinux_general_policy) $(local_generated_sources) : $(selinux_neverallow_gen) $(selinux_general_policy) $(selinux_neverallow_gen_data) mkdir -p $(dir $@) $< $(private_selinux_general_policy) $@ # $< 为:右边依赖的第一个元素, 即 $(selinux_neverallow_gen) = cts/tools/selinux/selinuxneverallowtestgen.py # $@ 为:左边目标,即要生成的目标文件selinuxneverallowrulestest.java # 这条命令相当于 cts/tools/selinux/selinuxneverallowtestgen.py $(call intermediates-dirfor,etc,general_sepolicy.conf)/general_sepolicy.conf selinuxneverallowrulestest.java include $(build_cts_host_java_library)
从上面可以看到,执行selinuxneverallowtestgen.py general_sepolicy.conf selinuxneverallowrulestest.java会生成selinuxneverallowrulestest.java文件。
general_sepolicy.conf 生成
该文件的生成makfile
# selinux policy embedded into cts. # cts checks neverallow rules of this policy against the policy of the device under test. ################################## include $(clear_vars) local_module := general_sepolicy.conf # 目标文件 local_module_class := etc local_module_tags := tests include $(build_system)/base_rules.mk $(local_built_module): private_mls_sens := $(mls_sens) $(local_built_module): private_mls_cats := $(mls_cats) $(local_built_module): private_target_build_variant := user $(local_built_module): private_tgt_arch := $(my_target_arch) $(local_built_module): private_with_asan := false $(local_built_module): private_sepolicy_split := cts $(local_built_module): private_compatible_property := cts $(local_built_module): $(call build_policy, $(sepolicy_build_files), \ $(plat_public_policy) $(plat_private_policy)) # plat_public_policy = syetem/sepolicy/public plat_private_policy = system/sepolicy/private $(transform-policy-to-conf) # 这里是使用m4将te规则文件都处理合成为目标文件$@,即general_sepolicy.conf $(hide) sed '/dontaudit/d' $@ > $@.dontaudit ##################################
可以看到,general_sepolicy.conf 文件是将system/sepolicy/public和system/sepolicy/private规则文件整合在一起,而这些目录包含的是aosp sepolicy大多数配置信息。
selinuxneverallowtestgen.py 脚本逻辑
生成的逻辑都是在该脚本中,下面脚本我调整了顺序,方便说明执行的逻辑,脚本代码
#!/usr/bin/env python import re import sys import selinuxneverallowtestframe usage = "usage: ./selinuxneverallowtestgen.py <input policy file> <output cts java source>" if __name__ == "__main__": # check usage if len(sys.argv) != 3: print usage exit(1) input_file = sys.argv[1] output_file = sys.argv[2] # 这三个变量是同目录下selinuxneverallowtestframe.py文件中的内容,是生成java文件的模版 src_header = selinuxneverallowtestframe.src_header src_body = selinuxneverallowtestframe.src_body src_footer = selinuxneverallowtestframe.src_footer # grab the neverallow rules from the policy file and transform into tests neverallow_rules = extract_neverallow_rules(input_file) # 提取neverallow规则从general_sepolicy.conf中 i = 0 for rule in neverallow_rules: src_body += neverallow_rule_to_test(rule, i) i += 1 # 然后将neverallow规则写入到selinuxneverallowrulestest.java文件中 with open(output_file, 'w') as out_file: out_file.write(src_header) out_file.write(src_body) out_file.write(src_footer) # extract_neverallow_rules - takes an intermediate policy file and pulls out the # neverallow rules by taking all of the non-commented text between the 'neverallow' # keyword and a terminating ';' # returns: a list of rules def extract_neverallow_rules(policy_file): with open(policy_file, 'r') as in_file: policy_str = in_file.read() # full-treble only tests are inside sections delimited by begin_treble_only # and end_treble_only comments. # uncomment treble_only section delimiter lines remaining = re.sub( r'^\s*#\s*(begin_treble_only|end_treble_only|begin_compatible_property_only|end_compatible_property_only)', r'\1', # group 引用 policy_str, flags = re.m) # 该方法是将 #开头的注释行任意空格后跟着begin_treble_only、end_treble_only、begin_compatible_property_only和end_compatible_property_only时,替换为这些关键字,即去掉注释 # remove comments remaining = re.sub(r'#.+?$', r'', remaining, flags = re.m) # 将文件中的 # 开头注释行去掉 # match neverallow rules lines = re.findall( r'^\s*(neverallow\s.+?;|begin_treble_only|end_treble_only|begin_compatible_property_only|end_compatible_property_only)', remaining, flags = re.m |re.s) # 将neverallow和以这几个关键字开头的行取出来 # extract neverallow rules from the remaining lines # 这些关键字会修饰里面的neverallowrules,若treble_only_depth > 1 说明是适用于treble系统, 若compatible_property_only_depth > 1,说明适用于 compatible_property 系统 rules = list() treble_only_depth = 0 compatible_property_only_depth = 0 for line in lines: if line.startswith("begin_treble_only"): treble_only_depth += 1 continue elif line.startswith("end_treble_only"): if treble_only_depth < 1: exit("error: end_treble_only outside of treble_only section") treble_only_depth -= 1 continue elif line.startswith("begin_compatible_property_only"): compatible_property_only_depth += 1 continue elif line.startswith("end_compatible_property_only"): if compatible_property_only_depth < 1: exit("error: end_compatible_property_only outside of compatible_property_only section") compatible_property_only_depth -= 1 continue rule = neverallowrule(line) rule.treble_only = (treble_only_depth > 0) rule.compatible_property_only = (compatible_property_only_depth > 0) rules.append(rule) if treble_only_depth != 0: exit("error: end of input while inside treble_only section") if compatible_property_only_depth != 0: exit("error: end of input while inside compatible_property_only section") return rules # neverallow_rule_to_test - takes a neverallow statement and transforms it into # the output necessary to form a cts unit test in a java source file. # returns: a string representing a generic test method based on this rule. # 将neverallowrules 替换到java模版中 def neverallow_rule_to_test(rule, test_num): squashed_neverallow = rule.statement.replace("\n", " ") method = selinuxneverallowtestframe.src_method method = method.replace("testneverallowrules()", "testneverallowrules" + str(test_num) + "()") method = method.replace("$neverallow_rule_here$", squashed_neverallow) method = method.replace( "$full_treble_only_bool_here$", "true" if rule.treble_only else "false") method = method.replace( "$compatible_property_only_bool_here$", "true" if rule.compatible_property_only else "false") return method
总结下脚本功能
- 将begin_treble_only|end_treble_only|begin_compatible_property_only|
end_compatible_property_only这几个关键字前面的注释去掉,以便后面解析时使用; - 删除冗余的注释行;
-
取neverallow和上面四个关键字的部分进行解析,并根据下面情况对treble_only和compatible_property_only进行设置;
- neverallow 包含在begin_treble_only和end_treble_only之间,treble_only被设置为true;
- neverallow 包含在begin_compatible_property_only和end_compatible_property_only之间,compatible_property_only被设置为true;
- neverallow 不在任何begin_treble_only/end_treble_only和begin_compatible_property_only/end_compatible_property_only之间,则treble_only和compatible_property_only都被设置为false。
- 然后用neverallow部分、treble_only和compatible_property_only值对下面方法模板中的$neverallow_rule_here$、$full_treble_only_bool_here$和$compatible_property_only_bool_here$分别替换。
src_method = """ @restrictedbuildtest public void testneverallowrules() throws exception { string neverallowrule = "$neverallow_rule_here$"; boolean fulltrebleonly = $full_treble_only_bool_here$; boolean compatiblepropertyonly = $compatible_property_only_bool_here$; if ((fulltrebleonly) && (!isfulltrebledevice())) { // this test applies only to treble devices but this device isn't one return; } if ((compatiblepropertyonly) && (!iscompatiblepropertyenforceddevice())) { // this test applies only to devices on which compatible property is enforced but this // device isn't one return; } // if sepolicy is split and vendor sepolicy version is behind platform's, // only test against platform policy. file policyfile = (issepolicysplit() && mvendorsepolicyversion < p_sepolicy_version) ? devicesystempolicyfile : devicepolicyfile; /* run sepolicy-analyze neverallow check on policy file using given neverallow rules */ processbuilder pb = new processbuilder(sepolicyanalyze.getabsolutepath(), policyfile.getabsolutepath(), "neverallow", "-w", "-n", neverallowrule); pb.redirectoutput(processbuilder.redirect.pipe); pb.redirecterrorstream(true); process p = pb.start(); p.waitfor(); bufferedreader result = new bufferedreader(new inputstreamreader(p.getinputstream())); string line; stringbuilder errorstring = new stringbuilder(); while ((line = result.readline()) != null) { errorstring.append(line); errorstring.append("\\n"); } asserttrue("the following errors were encountered when validating the selinux" + "neverallow rule:\\n" + neverallowrule + "\\n" + errorstring, errorstring.length() == 0); }
本地生成 selinuxneverallowrulestest.java 文件
在修改selinux后,想确定下是否满足neverallow规则,虽然编译过程中会进行neverallow检查,但由于打包时间比较耗时,如果在本地生成的话,那速度会更快。
本地生成 selinuxneverallowrulestest.java 命令
默认是在源码的根目录
make general_sepolicy.conf
cts/tools/selinux/selinuxneverallowtestgen.py out/target/product/cepheus/obj/etc/general_sepolicy.conf_intermediates/general_sepolicy.conf selinuxneverallowrulestest.java
由于某些规则是使用attribute,可能不是很明显,还需要结合其他方法来确定。
总结
从生成代码中可以看到,neverallow规则都属于aosp system/sepolicy/private和system/sepolicy/public中的neverallow,所以在添加规则时不能修改neverallow,也不能违背。
附件
,中包含有:
selinuxneverallowtestgen.py 脚本
general_sepolicy.conf
selinuxneverallowtestframe.py java测试代码模板
first 为selinuxneverallowtestgen.py第一步执行的结果
second 为selinuxneverallowtestgen.py第二步执行的结果
selinuxneverallowrulestest.java 为生成的文件
后面三个文件是前三个文件所生成,执行命令为:
selinuxneverallowtestgen.py general_sepolicy.conf selinuxneverallowrulestest.java
链接
https://liwugang.github.io/2019/12/29/cts-neverallow.html