CTS里面SElinux相关测试中neverallow测试项占绝大多数,AndroID系统开发者都应该知道,在修改sepolicy时,需要确保不能违反这些neverallow规则,不然会过不了CTS。CTS中nerverallow测试都是在SElinuxNeverallowRulesTest.java文件中,并且从AOSP代码中发现该文件不是人工提交的,而是通过python脚本生成的,为了以后更好的修改sepolicy,就需要了解下SElinuxNeverallowRulesTest.java是如何生成的。
Makefile首先看下SElinuxNeverallowRulesTest.java的生成的Makefile.
selinux_general_policy := $(call intermediates-dir-for,ETC,general_sepolicy.conf)/general_sepolicy.confselinux_neverallow_gen := cts/tools/selinux/SElinuxNeverallowTestGen.pyselinux_neverallow_gen_data := cts/tools/selinux/SElinuxNeverallowTestFrame.pyLOCAL_ADDITIONAL_DEPENDENCIES := $(COMPATIBIliTY_TESTCASES_OUT_cts)/sepolicy-analyzeLOCAL_GENERATED_SOURCES := $(call local-generated-sources-dir)/androID/cts/security/SElinuxNeverallowRulesTest.java # 目标文件$(LOCAL_GENERATED_SOURCES) : PRIVATE_SEliNUX_GENERAL_POliCY := $(selinux_general_policy)$(LOCAL_GENERATED_SOURCES) : $(selinux_neverallow_gen) $(selinux_general_policy) $(selinux_neverallow_gen_data) mkdir -p $(dir $@) $< $(PRIVATE_SEliNUX_GENERAL_POliCY) $@# $< 为:右边依赖的第一个元素, 即 $(selinux_neverallow_gen) = cts/tools/selinux/SElinuxNeverallowTestGen.py# $@ 为:左边目标,即要生成的目标文件SElinuxNeverallowRulesTest.java# 这条命令相当于 cts/tools/selinux/SElinuxNeverallowTestGen.py $(call intermediates-dirfor,ETC,general_sepolicy.conf)/general_sepolicy.conf SElinuxNeverallowRulesTest.javainclude $(BUILD_CTS_HOST_JAVA_liBRARY)从上面可以看到,执行SElinuxNeverallowTestGen.py general_sepolicy.conf SElinuxNeverallowRulesTest.java会生成SElinuxNeverallowRulesTest.java文件。
general_sepolicy.conf 生成该文件的生成Makfile
# SElinux policy embedded into CTS.# CTS checks neverallow rules of this policy against the policy of the device under test.##################################include $(CLEAR_VARS)LOCAL_MODulE := general_sepolicy.conf # 目标文件LOCAL_MODulE_CLASS := ETCLOCAL_MODulE_Tags := testsinclude $(BUILD_SYstem)/base_rules.mk$(LOCAL_BUILT_MODulE): PRIVATE_MLS_SENS := $(MLS_SENS)$(LOCAL_BUILT_MODulE): PRIVATE_MLS_CATS := $(MLS_CATS)$(LOCAL_BUILT_MODulE): PRIVATE_TARGET_BUILD_VARIANT := user$(LOCAL_BUILT_MODulE): PRIVATE_TGT_ARCH := $(my_target_arch)$(LOCAL_BUILT_MODulE): PRIVATE_WITH_ASAN := false$(LOCAL_BUILT_MODulE): PRIVATE_SEPOliCY_SPliT := cts$(LOCAL_BUILT_MODulE): PRIVATE_COMPATIBLE_PROPERTY := cts$(LOCAL_BUILT_MODulE): $(call build_policy, $(sepolicy_build_files), $(PLAT_PUBliC_POliCY) $(PLAT_PRIVATE_POliCY)) # PLAT_PUBliC_POliCY = syetem/sepolicy/public PLAT_PRIVATE_POliCY = system/sepolicy/private $(transform-policy-to-conf) # 这里是使用m4将te规则文件都处理合成为目标文件$@,即general_sepolicy.conf $(hIDe) sed '/dontaudit/d' $@ > $@.dontaudit##################################可以看到,general_sepolicy.conf 文件是将system/sepolicy/public和system/sepolicy/private规则文件整合在一起,而这些目录包含的是AOSP sepolicy大多数配置信息。
SElinuxNeverallowTestGen.py 脚本逻辑生成的逻辑都是在该脚本中,下面脚本我调整了顺序,方便说明执行的逻辑,脚本代码
#!/usr/bin/env pythonimport reimport sysimport SElinuxNeverallowTestFrameusage = "Usage: ./SElinuxNeverallowTestGen.py <input policy file> <output cts java source>"if __name__ == "__main__": # check usage if len(sys.argv) != 3: print usage exit(1) input_file = sys.argv[1] output_file = sys.argv[2] # 这三个变量是同目录下SElinuxNeverallowTestFrame.py文件中的内容,是生成java文件的模版 src_header = SElinuxNeverallowTestFrame.src_header src_body = SElinuxNeverallowTestFrame.src_body src_footer = SElinuxNeverallowTestFrame.src_footer # grab the neverallow rules from the policy file and transform into tests neverallow_rules = extract_neverallow_rules(input_file) # 提取neverallow规则从general_sepolicy.conf中 i = 0 for rule in neverallow_rules: src_body += neverallow_rule_to_test(rule, i) i += 1 # 然后将neverallow规则写入到SElinuxNeverallowRulesTest.java文件中 with open(output_file, 'w') as out_file: out_file.write(src_header) out_file.write(src_body) out_file.write(src_footer)# extract_neverallow_rules - takes an intermediate policy file and pulls out the# neverallow rules by taking all of the non-commented text between the 'neverallow'# keyword and a terminating ';'# returns: a List of rulesdef extract_neverallow_rules(policy_file): with open(policy_file, 'r') as in_file: policy_str = in_file.read() # full-Treble only tests are insIDe sections delimited by BEGIN_TREBLE_ONLY # and END_TREBLE_ONLY comments. # uncomment TREBLE_ONLY section delimiter lines remaining = re.sub( r'^\s*#\s*(BEGIN_TREBLE_ONLY|END_TREBLE_ONLY|BEGIN_COMPATIBLE_PROPERTY_ONLY|END_COMPATIBLE_PROPERTY_ONLY)', r'', # group 引用 policy_str, flags = re.M) # 该方法是将 #开头的注释行任意空格后跟着BEGIN_TREBLE_ONLY、END_TREBLE_ONLY、BEGIN_COMPATIBLE_PROPERTY_ONLY和END_COMPATIBLE_PROPERTY_ONLY时,替换为这些关键字,即去掉注释 # remove comments remaining = re.sub(r'#.+?$', r'', remaining, flags = re.M) # 将文件中的 # 开头注释行去掉 # match neverallow rules lines = re.findall( r'^\s*(neverallow\s.+?;|BEGIN_TREBLE_ONLY|END_TREBLE_ONLY|BEGIN_COMPATIBLE_PROPERTY_ONLY|END_COMPATIBLE_PROPERTY_ONLY)', remaining, flags = re.M |re.S) # 将neverallow和以这几个关键字开头的行取出来 # extract neverallow rules from the remaining lines # 这些关键字会修饰里面的neverallowrules,若treble_only_depth > 1 说明是适用于treble系统, 若compatible_property_only_depth > 1,说明适用于 compatible_property 系统 rules = List() treble_only_depth = 0 compatible_property_only_depth = 0 for line in lines: if line.startswith("BEGIN_TREBLE_ONLY"): treble_only_depth += 1 continue elif line.startswith("END_TREBLE_ONLY"): if treble_only_depth < 1: exit("ERROR: END_TREBLE_ONLY outsIDe of TREBLE_ONLY section") treble_only_depth -= 1 continue elif line.startswith("BEGIN_COMPATIBLE_PROPERTY_ONLY"): compatible_property_only_depth += 1 continue elif line.startswith("END_COMPATIBLE_PROPERTY_ONLY"): if compatible_property_only_depth < 1: exit("ERROR: END_COMPATIBLE_PROPERTY_ONLY outsIDe of COMPATIBLE_PROPERTY_ONLY section") compatible_property_only_depth -= 1 continue rule = NeverallowRule(line) rule.treble_only = (treble_only_depth > 0) rule.compatible_property_only = (compatible_property_only_depth > 0) rules.append(rule) if treble_only_depth != 0: exit("ERROR: end of input while insIDe TREBLE_ONLY section") if compatible_property_only_depth != 0: exit("ERROR: end of input while insIDe COMPATIBLE_PROPERTY_ONLY section") return rules# neverallow_rule_to_test - takes a neverallow statement and transforms it into# the output necessary to form a cts unit test in a java source file.# returns: a string representing a generic test method based on this rule.# 将neverallowrules 替换到java模版中def neverallow_rule_to_test(rule, test_num): squashed_neverallow = rule.statement.replace("\n", " ") method = SElinuxNeverallowTestFrame.src_method method = method.replace("testNeverallowRules()", "testNeverallowRules" + str(test_num) + "()") method = method.replace("$NEVERALLOW_RulE_HERE$", squashed_neverallow) method = method.replace( "$FulL_TREBLE_ONLY_BOol_HERE$", "true" if rule.treble_only else "false") method = method.replace( "$COMPATIBLE_PROPERTY_ONLY_BOol_HERE$", "true" if rule.compatible_property_only else "false") return methodEND_COMPATIBLE_PROPERTY_ONLY这几个关键字前面的注释去掉,以便后面解析时使用;删除冗余的注释行;
取neverallow和上面四个关键字的部分进行解析,并根据下面情况对treble_only和compatible_property_only进行设置;
neverallow 包含在BEGIN_TREBLE_ONLY和END_TREBLE_ONLY之间,treble_only被设置为true;neverallow 包含在BEGIN_COMPATIBLE_PROPERTY_ONLY和END_COMPATIBLE_PROPERTY_ONLY之间,compatible_property_only被设置为true;neverallow 不在任何BEGIN_TREBLE_ONLY/END_TREBLE_ONLY和BEGIN_COMPATIBLE_PROPERTY_ONLY/END_COMPATIBLE_PROPERTY_ONLY之间,则treble_only和compatible_property_only都被设置为false。然后用neverallow部分、treble_only和compatible_property_only值对下面方法模板中的$NEVERALLOW_RulE_HERE$、$FulL_TREBLE_ONLY_BOol_HERE$和$COMPATIBLE_PROPERTY_ONLY_BOol_HERE$分别替换。src_method = """ @RestrictedBuildTest public voID testNeverallowRules() throws Exception { String neverallowRule = "$NEVERALLOW_RulE_HERE$"; boolean fullTrebleOnly = $FulL_TREBLE_ONLY_BOol_HERE$; boolean compatiblePropertyOnly = $COMPATIBLE_PROPERTY_ONLY_BOol_HERE$; if ((fullTrebleOnly) && (!isFullTrebleDevice())) { // This test applIEs only to Treble devices but this device isn't one return; } if ((compatiblePropertyOnly) && (!isCompatiblePropertyEnforcedDevice())) { // This test applIEs only to devices on which compatible property is enforced but this // device isn't one return; } // If sepolicy is split and vendor sepolicy version is behind platform's, // only test against platform policy. file policyfile = (isSepolicySplit() && mvendorSepolicyVersion < P_SEPOliCY_VERSION) ? deviceSystemPolicyfile : devicePolicyfile; /* run sepolicy-analyze neverallow check on policy file using given neverallow rules */ ProcessBuilder pb = new ProcessBuilder(sepolicyAnalyze.getabsolutePath(), policyfile.getabsolutePath(), "neverallow", "-w", "-n", neverallowRule); pb.redirectOutput(ProcessBuilder.Redirect.PIPE); pb.redirectErrorStream(true); Process p = pb.start(); p.waitFor(); BufferedReader result = new BufferedReader(new inputStreamReader(p.getinputStream())); String line; StringBuilder errorString = new StringBuilder(); while ((line = result.readline()) != null) { errorString.append(line); errorString.append("\n"); } assertTrue("The following errors were encountered when valIDating the SElinux" + "neverallow rule:\n" + neverallowRule + "\n" + errorString, errorString.length() == 0); }在修改SElinux后,想确定下是否满足neverallow规则,虽然编译过程中会进行neverallow检查,但由于打包时间比较耗时,如果在本地生成的话,那速度会更快。
本地生成 SElinuxNeverallowRulesTest.java 命令默认是在源码的根目录
make general_sepolicy.conf
cts/tools/selinux/SElinuxNeverallowTestGen.py out/target/product/cepheus/obj/ETC/general_sepolicy.conf_intermediates/general_sepolicy.conf SElinuxNeverallowRulesTest.java
由于某些规则是使用attribute,可能不是很明显,还需要结合其他方法来确定。
总结从生成代码中可以看到,neverallow规则都属于AOSP system/sepolicy/private和system/sepolicy/public中的neverallow,所以在添加规则时不能修改neverallow,也不能违背。
附件cts_neverallow.zip,中包含有:
SElinuxNeverallowTestGen.py 脚本
general_sepolicy.conf
SElinuxNeverallowTestFrame.py Java测试代码模板
first 为SElinuxNeverallowTestGen.py第一步执行的结果
second 为SElinuxNeverallowTestGen.py第二步执行的结果
SElinuxNeverallowRulesTest.java 为生成的文件
后面三个文件是前三个文件所生成,执行命令为:
链接SElinuxNeverallowTestGen.py general_sepolicy.conf SElinuxNeverallowRulesTest.java
https://liwugang.github.io/2019/12/29/CTS-neverallow.HTML
总结以上是内存溢出为你收集整理的Android CTS中neverallow规则生成过程全部内容,希望文章能够帮你解决Android CTS中neverallow规则生成过程所遇到的程序开发问题。
如果觉得内存溢出网站内容还不错,欢迎将内存溢出网站推荐给程序员好友。
欢迎分享,转载请注明来源:内存溢出
微信扫一扫
支付宝扫一扫
评论列表(0条)