Android CTS中neverallow规则生成过程

cts里面selinux相关测试中neverallow测试项占绝大多数，android系统开发者都应该知道，在修改sepolicy时，需要确保不能违反这些neverallow规则，不然会过不了cts。cts中nerverallow测试都是在selinuxneverallowrulestest.java文件中，并且从aosp代码中发现该文件不是人工提交的，而是通过python脚本生成的，为了以后更好的修改sepolicy，就需要了解下selinuxneverallowrulestest.java是如何生成的。

makefile

首先看下selinuxneverallowrulestest.java的生成的makefile.

selinux_general_policy := $(call intermediates-dir-for,etc,general_sepolicy.conf)/general_sepolicy.conf

selinux_neverallow_gen := cts/tools/selinux/selinuxneverallowtestgen.py

selinux_neverallow_gen_data := cts/tools/selinux/selinuxneverallowtestframe.py

local_additional_dependencies := $(compatibility_testcases_out_cts)/sepolicy-analyze

local_generated_sources := $(call local-generated-sources-dir)/android/cts/security/selinuxneverallowrulestest.java # 目标文件

$(local_generated_sources) : private_selinux_general_policy := $(selinux_general_policy)
$(local_generated_sources) : $(selinux_neverallow_gen) $(selinux_general_policy) $(selinux_neverallow_gen_data)
    mkdir -p $(dir $@)
    $< $(private_selinux_general_policy) $@
# $< 为：右边依赖的第一个元素， 即 $(selinux_neverallow_gen) = cts/tools/selinux/selinuxneverallowtestgen.py
# $@ 为：左边目标，即要生成的目标文件selinuxneverallowrulestest.java
# 这条命令相当于 cts/tools/selinux/selinuxneverallowtestgen.py $(call intermediates-dirfor,etc,general_sepolicy.conf)/general_sepolicy.conf selinuxneverallowrulestest.java

include $(build_cts_host_java_library)

从上面可以看到，执行selinuxneverallowtestgen.py general_sepolicy.conf selinuxneverallowrulestest.java会生成selinuxneverallowrulestest.java文件。

general_sepolicy.conf 生成

该文件的生成makfile

# selinux policy embedded into cts.
# cts checks neverallow rules of this policy against the policy of the device under test.
##################################
include $(clear_vars)

local_module := general_sepolicy.conf # 目标文件
local_module_class := etc
local_module_tags := tests

include $(build_system)/base_rules.mk

$(local_built_module): private_mls_sens := $(mls_sens)
$(local_built_module): private_mls_cats := $(mls_cats)
$(local_built_module): private_target_build_variant := user
$(local_built_module): private_tgt_arch := $(my_target_arch)
$(local_built_module): private_with_asan := false
$(local_built_module): private_sepolicy_split := cts
$(local_built_module): private_compatible_property := cts
$(local_built_module): $(call build_policy, $(sepolicy_build_files), \
$(plat_public_policy) $(plat_private_policy)) # plat_public_policy = syetem/sepolicy/public plat_private_policy = system/sepolicy/private
    $(transform-policy-to-conf) # 这里是使用m4将te规则文件都处理合成为目标文件$@，即general_sepolicy.conf
    $(hide) sed '/dontaudit/d' $@ > $@.dontaudit

##################################

可以看到，general_sepolicy.conf 文件是将system/sepolicy/public和system/sepolicy/private规则文件整合在一起，而这些目录包含的是aosp sepolicy大多数配置信息。

selinuxneverallowtestgen.py 脚本逻辑

生成的逻辑都是在该脚本中，下面脚本我调整了顺序，方便说明执行的逻辑，脚本代码

#!/usr/bin/env python

import re
import sys
import selinuxneverallowtestframe

usage = "usage: ./selinuxneverallowtestgen.py <input policy file> <output cts java source>"

if __name__ == "__main__":
    # check usage
    if len(sys.argv) != 3:
        print usage
        exit(1)
    input_file = sys.argv[1]
    output_file = sys.argv[2]

    # 这三个变量是同目录下selinuxneverallowtestframe.py文件中的内容，是生成java文件的模版
    src_header = selinuxneverallowtestframe.src_header
    src_body = selinuxneverallowtestframe.src_body
    src_footer = selinuxneverallowtestframe.src_footer

    # grab the neverallow rules from the policy file and transform into tests
    neverallow_rules = extract_neverallow_rules(input_file) # 提取neverallow规则从general_sepolicy.conf中
    i = 0
    for rule in neverallow_rules:
        src_body += neverallow_rule_to_test(rule, i)
        i += 1
    # 然后将neverallow规则写入到selinuxneverallowrulestest.java文件中
    with open(output_file, 'w') as out_file:
        out_file.write(src_header)
        out_file.write(src_body)
        out_file.write(src_footer)

# extract_neverallow_rules - takes an intermediate policy file and pulls out the
# neverallow rules by taking all of the non-commented text between the 'neverallow'
# keyword and a terminating ';'
# returns: a list of rules
def extract_neverallow_rules(policy_file):
    with open(policy_file, 'r') as in_file:
        policy_str = in_file.read()

        # full-treble only tests are inside sections delimited by begin_treble_only
        # and end_treble_only comments.

        # uncomment treble_only section delimiter lines
        remaining = re.sub(
            r'^\s*#\s*(begin_treble_only|end_treble_only|begin_compatible_property_only|end_compatible_property_only)',
            r'\1', # group 引用
            policy_str,
            flags = re.m) # 该方法是将 #开头的注释行任意空格后跟着begin_treble_only、end_treble_only、begin_compatible_property_only和end_compatible_property_only时，替换为这些关键字，即去掉注释
        # remove comments 
        remaining = re.sub(r'#.+?$', r'', remaining, flags = re.m)  # 将文件中的 # 开头注释行去掉
        # match neverallow rules
        lines = re.findall(
            r'^\s*(neverallow\s.+?;|begin_treble_only|end_treble_only|begin_compatible_property_only|end_compatible_property_only)',
            remaining,
            flags = re.m |re.s) # 将neverallow和以这几个关键字开头的行取出来

        # extract neverallow rules from the remaining lines
        # 这些关键字会修饰里面的neverallowrules，若treble_only_depth > 1 说明是适用于treble系统， 若compatible_property_only_depth > 1，说明适用于 compatible_property 系统
        rules = list()
        treble_only_depth = 0
        compatible_property_only_depth = 0
        for line in lines:
            if line.startswith("begin_treble_only"):
                treble_only_depth += 1
                continue
            elif line.startswith("end_treble_only"):
                if treble_only_depth < 1:
                    exit("error: end_treble_only outside of treble_only section")
                treble_only_depth -= 1
                continue
            elif line.startswith("begin_compatible_property_only"):
                compatible_property_only_depth += 1
                continue
            elif line.startswith("end_compatible_property_only"):
                if compatible_property_only_depth < 1:
                    exit("error: end_compatible_property_only outside of compatible_property_only section")
                compatible_property_only_depth -= 1
                continue
            rule = neverallowrule(line)
            rule.treble_only = (treble_only_depth > 0)
            rule.compatible_property_only = (compatible_property_only_depth > 0)
            rules.append(rule)

        if treble_only_depth != 0:
            exit("error: end of input while inside treble_only section")
        if compatible_property_only_depth != 0:
            exit("error: end of input while inside compatible_property_only section")

        return rules

# neverallow_rule_to_test - takes a neverallow statement and transforms it into
# the output necessary to form a cts unit test in a java source file.
# returns: a string representing a generic test method based on this rule.

# 将neverallowrules 替换到java模版中
def neverallow_rule_to_test(rule, test_num):
    squashed_neverallow = rule.statement.replace("\n", " ")
    method  = selinuxneverallowtestframe.src_method
    method = method.replace("testneverallowrules()",
        "testneverallowrules" + str(test_num) + "()")
    method = method.replace("$neverallow_rule_here$", squashed_neverallow)
    method = method.replace(
        "$full_treble_only_bool_here$",
        "true" if rule.treble_only else "false")
    method = method.replace(
        "$compatible_property_only_bool_here$",
        "true" if rule.compatible_property_only else "false")
    return method

总结下脚本功能

1. 将begin_treble_only|end_treble_only|begin_compatible_property_only|
   end_compatible_property_only这几个关键字前面的注释去掉，以便后面解析时使用；
2. 删除冗余的注释行；

3. 取neverallow和上面四个关键字的部分进行解析，并根据下面情况对treble_only和compatible_property_only进行设置；

   • neverallow 包含在begin_treble_only和end_treble_only之间，treble_only被设置为true；
   • neverallow 包含在begin_compatible_property_only和end_compatible_property_only之间，compatible_property_only被设置为true；
   • neverallow 不在任何begin_treble_only/end_treble_only和begin_compatible_property_only/end_compatible_property_only之间，则treble_only和compatible_property_only都被设置为false。
4. 然后用neverallow部分、treble_only和compatible_property_only值对下面方法模板中的$neverallow_rule_here$、$full_treble_only_bool_here$和$compatible_property_only_bool_here$分别替换。

src_method = """
    @restrictedbuildtest
    public void testneverallowrules() throws exception {
        string neverallowrule = "$neverallow_rule_here$";
        boolean fulltrebleonly = $full_treble_only_bool_here$;
        boolean compatiblepropertyonly = $compatible_property_only_bool_here$;

        if ((fulltrebleonly) && (!isfulltrebledevice())) {
            // this test applies only to treble devices but this device isn't one
            return;
        }
        if ((compatiblepropertyonly) && (!iscompatiblepropertyenforceddevice())) {
            // this test applies only to devices on which compatible property is enforced but this
            // device isn't one
            return;
        }

        // if sepolicy is split and vendor sepolicy version is behind platform's,
        // only test against platform policy.
        file policyfile =
                (issepolicysplit() && mvendorsepolicyversion < p_sepolicy_version) ?
                devicesystempolicyfile :
                devicepolicyfile;

        /* run sepolicy-analyze neverallow check on policy file using given neverallow rules */
        processbuilder pb = new processbuilder(sepolicyanalyze.getabsolutepath(),
                policyfile.getabsolutepath(), "neverallow", "-w", "-n",
                neverallowrule);
        pb.redirectoutput(processbuilder.redirect.pipe);
        pb.redirecterrorstream(true);
        process p = pb.start();
        p.waitfor();
        bufferedreader result = new bufferedreader(new inputstreamreader(p.getinputstream()));
        string line;
        stringbuilder errorstring = new stringbuilder();
        while ((line = result.readline()) != null) {
            errorstring.append(line);
            errorstring.append("\\n");
        }
        asserttrue("the following errors were encountered when validating the selinux"
                   + "neverallow rule:\\n" + neverallowrule + "\\n" + errorstring,
                   errorstring.length() == 0);
    }

本地生成 selinuxneverallowrulestest.java 文件

在修改selinux后，想确定下是否满足neverallow规则，虽然编译过程中会进行neverallow检查，但由于打包时间比较耗时，如果在本地生成的话，那速度会更快。

本地生成 selinuxneverallowrulestest.java 命令

默认是在源码的根目录

make general_sepolicy.conf

cts/tools/selinux/selinuxneverallowtestgen.py out/target/product/cepheus/obj/etc/general_sepolicy.conf_intermediates/general_sepolicy.conf selinuxneverallowrulestest.java

由于某些规则是使用attribute，可能不是很明显，还需要结合其他方法来确定。

总结

从生成代码中可以看到，neverallow规则都属于aosp system/sepolicy/private和system/sepolicy/public中的neverallow，所以在添加规则时不能修改neverallow，也不能违背。

附件

，中包含有：

selinuxneverallowtestgen.py 脚本

general_sepolicy.conf

selinuxneverallowtestframe.py java测试代码模板

first 为selinuxneverallowtestgen.py第一步执行的结果

second 为selinuxneverallowtestgen.py第二步执行的结果

selinuxneverallowrulestest.java 为生成的文件

后面三个文件是前三个文件所生成，执行命令为：

selinuxneverallowtestgen.py general_sepolicy.conf selinuxneverallowrulestest.java

链接

https://liwugang.github.io/2019/12/29/cts-neverallow.html