Android CTS中neverallow規則生成過程

CTS裏面SELinux相關測試中neverallow測試項佔絕大多數，Android系統開發者都應該知道，在修改sepolicy時，須要確保不能違反這些neverallow規則，否則會過不了CTS。CTS中nerverallow測試都是在SELinuxNeverallowRulesTest.java文件中，而且從AOSP代碼中發現該文件不是人工提交的，而是經過python腳本生成的，爲了之後更好的修改sepolicy，就須要瞭解下SELinuxNeverallowRulesTest.java是如何生成的。

Makefile

首先看下SELinuxNeverallowRulesTest.java的生成的Makefile.

selinux_general_policy := $(call intermediates-dir-for,ETC,general_sepolicy.conf)/general_sepolicy.conf

selinux_neverallow_gen := cts/tools/selinux/SELinuxNeverallowTestGen.py

selinux_neverallow_gen_data := cts/tools/selinux/SELinuxNeverallowTestFrame.py

LOCAL_ADDITIONAL_DEPENDENCIES := $(COMPATIBILITY_TESTCASES_OUT_cts)/sepolicy-analyze

LOCAL_GENERATED_SOURCES := $(call local-generated-sources-dir)/android/cts/security/SELinuxNeverallowRulesTest.java # 目標文件

$(LOCAL_GENERATED_SOURCES) : PRIVATE_SELINUX_GENERAL_POLICY := $(selinux_general_policy)
$(LOCAL_GENERATED_SOURCES) : $(selinux_neverallow_gen) $(selinux_general_policy) $(selinux_neverallow_gen_data)
    mkdir -p $(dir $@)
    $< $(PRIVATE_SELINUX_GENERAL_POLICY) $@
# $< 爲：右邊依賴的第一個元素， 即 $(selinux_neverallow_gen) = cts/tools/selinux/SELinuxNeverallowTestGen.py
# $@ 爲：左邊目標，即要生成的目標文件SELinuxNeverallowRulesTest.java
# 這條命令至關於 cts/tools/selinux/SELinuxNeverallowTestGen.py $(call intermediates-dirfor,ETC,general_sepolicy.conf)/general_sepolicy.conf SELinuxNeverallowRulesTest.java

include $(BUILD_CTS_HOST_JAVA_LIBRARY)

從上面能夠看到，執行SELinuxNeverallowTestGen.py general_sepolicy.conf SELinuxNeverallowRulesTest.java會生成SELinuxNeverallowRulesTest.java文件。

general_sepolicy.conf 生成

該文件的生成Makfile

# SELinux policy embedded into CTS.
# CTS checks neverallow rules of this policy against the policy of the device under test.
##################################
include $(CLEAR_VARS)

LOCAL_MODULE := general_sepolicy.conf # 目標文件
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests

include $(BUILD_SYSTEM)/base_rules.mk

$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
$(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user
$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
$(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY)) # PLAT_PUBLIC_POLICY = syetem/sepolicy/public PLAT_PRIVATE_POLICY = system/sepolicy/private
    $(transform-policy-to-conf) # 這裏是使用m4將te規則文件都處理合成爲目標文件$@，即general_sepolicy.conf
    $(hide) sed '/dontaudit/d' $@ > $@.dontaudit

##################################

能夠看到，general_sepolicy.conf 文件是將system/sepolicy/public和system/sepolicy/private規則文件整合在一塊兒，而這些目錄包含的是AOSP sepolicy大多數配置信息。

SELinuxNeverallowTestGen.py 腳本邏輯

生成的邏輯都是在該腳本中，下面腳本我調整了順序，方便說明執行的邏輯，腳本代碼

#!/usr/bin/env python

import re
import sys
import SELinuxNeverallowTestFrame

usage = "Usage: ./SELinuxNeverallowTestGen.py <input policy file> <output cts java source>"

if __name__ == "__main__":
    # check usage
    if len(sys.argv) != 3:
        print usage
        exit(1)
    input_file = sys.argv[1]
    output_file = sys.argv[2]

    # 這三個變量是同目錄下SELinuxNeverallowTestFrame.py文件中的內容，是生成java文件的模版
    src_header = SELinuxNeverallowTestFrame.src_header
    src_body = SELinuxNeverallowTestFrame.src_body
    src_footer = SELinuxNeverallowTestFrame.src_footer

    # grab the neverallow rules from the policy file and transform into tests
    neverallow_rules = extract_neverallow_rules(input_file) # 提取neverallow規則從general_sepolicy.conf中
    i = 0
    for rule in neverallow_rules:
        src_body += neverallow_rule_to_test(rule, i)
        i += 1
    # 而後將neverallow規則寫入到SELinuxNeverallowRulesTest.java文件中
    with open(output_file, 'w') as out_file:
        out_file.write(src_header)
        out_file.write(src_body)
        out_file.write(src_footer)

# extract_neverallow_rules - takes an intermediate policy file and pulls out the
# neverallow rules by taking all of the non-commented text between the 'neverallow'
# keyword and a terminating ';'
# returns: a list of rules
def extract_neverallow_rules(policy_file):
    with open(policy_file, 'r') as in_file:
        policy_str = in_file.read()

        # full-Treble only tests are inside sections delimited by BEGIN_TREBLE_ONLY
        # and END_TREBLE_ONLY comments.

        # uncomment TREBLE_ONLY section delimiter lines
        remaining = re.sub(
            r'^\s*#\s*(BEGIN_TREBLE_ONLY|END_TREBLE_ONLY|BEGIN_COMPATIBLE_PROPERTY_ONLY|END_COMPATIBLE_PROPERTY_ONLY)',
            r'\1', # group 引用
            policy_str,
            flags = re.M) # 該方法是將 #開頭的註釋行任意空格後跟着BEGIN_TREBLE_ONLY、END_TREBLE_ONLY、BEGIN_COMPATIBLE_PROPERTY_ONLY和END_COMPATIBLE_PROPERTY_ONLY時，替換爲這些關鍵字，即去掉註釋
        # remove comments 
        remaining = re.sub(r'#.+?$', r'', remaining, flags = re.M)  # 將文件中的 # 開頭註釋行去掉
        # match neverallow rules
        lines = re.findall(
            r'^\s*(neverallow\s.+?;|BEGIN_TREBLE_ONLY|END_TREBLE_ONLY|BEGIN_COMPATIBLE_PROPERTY_ONLY|END_COMPATIBLE_PROPERTY_ONLY)',
            remaining,
            flags = re.M |re.S) # 將neverallow和以這幾個關鍵字開頭的行取出來

        # extract neverallow rules from the remaining lines
        # 這些關鍵字會修飾裏面的neverallowrules，若treble_only_depth > 1 說明是適用於treble系統， 若compatible_property_only_depth > 1，說明適用於 compatible_property 系統
        rules = list()
        treble_only_depth = 0
        compatible_property_only_depth = 0
        for line in lines:
            if line.startswith("BEGIN_TREBLE_ONLY"):
                treble_only_depth += 1
                continue
            elif line.startswith("END_TREBLE_ONLY"):
                if treble_only_depth < 1:
                    exit("ERROR: END_TREBLE_ONLY outside of TREBLE_ONLY section")
                treble_only_depth -= 1
                continue
            elif line.startswith("BEGIN_COMPATIBLE_PROPERTY_ONLY"):
                compatible_property_only_depth += 1
                continue
            elif line.startswith("END_COMPATIBLE_PROPERTY_ONLY"):
                if compatible_property_only_depth < 1:
                    exit("ERROR: END_COMPATIBLE_PROPERTY_ONLY outside of COMPATIBLE_PROPERTY_ONLY section")
                compatible_property_only_depth -= 1
                continue
            rule = NeverallowRule(line)
            rule.treble_only = (treble_only_depth > 0)
            rule.compatible_property_only = (compatible_property_only_depth > 0)
            rules.append(rule)

        if treble_only_depth != 0:
            exit("ERROR: end of input while inside TREBLE_ONLY section")
        if compatible_property_only_depth != 0:
            exit("ERROR: end of input while inside COMPATIBLE_PROPERTY_ONLY section")

        return rules

# neverallow_rule_to_test - takes a neverallow statement and transforms it into
# the output necessary to form a cts unit test in a java source file.
# returns: a string representing a generic test method based on this rule.

# 將neverallowrules 替換到java模版中
def neverallow_rule_to_test(rule, test_num):
    squashed_neverallow = rule.statement.replace("\n", " ")
    method  = SELinuxNeverallowTestFrame.src_method
    method = method.replace("testNeverallowRules()",
        "testNeverallowRules" + str(test_num) + "()")
    method = method.replace("$NEVERALLOW_RULE_HERE$", squashed_neverallow)
    method = method.replace(
        "$FULL_TREBLE_ONLY_BOOL_HERE$",
        "true" if rule.treble_only else "false")
    method = method.replace(
        "$COMPATIBLE_PROPERTY_ONLY_BOOL_HERE$",
        "true" if rule.compatible_property_only else "false")
    return method

總結下腳本功能

1. 將BEGIN_TREBLE_ONLY|END_TREBLE_ONLY|BEGIN_COMPATIBLE_PROPERTY_ONLY|
   END_COMPATIBLE_PROPERTY_ONLY這幾個關鍵字前面的註釋去掉，以便後面解析時使用；
2. 刪除冗餘的註釋行；

3. 取neverallow和上面四個關鍵字的部分進行解析，並根據下面狀況對treble_only和compatible_property_only進行設置；

   • neverallow 包含在BEGIN_TREBLE_ONLY和END_TREBLE_ONLY之間，treble_only被設置爲true；
   • neverallow 包含在BEGIN_COMPATIBLE_PROPERTY_ONLY和END_COMPATIBLE_PROPERTY_ONLY之間，compatible_property_only被設置爲true；
   • neverallow 不在任何BEGIN_TREBLE_ONLY/END_TREBLE_ONLY和BEGIN_COMPATIBLE_PROPERTY_ONLY/END_COMPATIBLE_PROPERTY_ONLY之間，則treble_only和compatible_property_only都被設置爲false。
4. 而後用neverallow部分、treble_only和compatible_property_only值對下面方法模板中的$NEVERALLOW_RULE_HERE$、$FULL_TREBLE_ONLY_BOOL_HERE$和$COMPATIBLE_PROPERTY_ONLY_BOOL_HERE$分別替換。

src_method = """
    @RestrictedBuildTest
    public void testNeverallowRules() throws Exception {
        String neverallowRule = "$NEVERALLOW_RULE_HERE$";
        boolean fullTrebleOnly = $FULL_TREBLE_ONLY_BOOL_HERE$;
        boolean compatiblePropertyOnly = $COMPATIBLE_PROPERTY_ONLY_BOOL_HERE$;

        if ((fullTrebleOnly) && (!isFullTrebleDevice())) {
            // This test applies only to Treble devices but this device isn't one
            return;
        }
        if ((compatiblePropertyOnly) && (!isCompatiblePropertyEnforcedDevice())) {
            // This test applies only to devices on which compatible property is enforced but this
            // device isn't one
            return;
        }

        // If sepolicy is split and vendor sepolicy version is behind platform's,
        // only test against platform policy.
        File policyFile =
                (isSepolicySplit() && mVendorSepolicyVersion < P_SEPOLICY_VERSION) ?
                deviceSystemPolicyFile :
                devicePolicyFile;

        /* run sepolicy-analyze neverallow check on policy file using given neverallow rules */
        ProcessBuilder pb = new ProcessBuilder(sepolicyAnalyze.getAbsolutePath(),
                policyFile.getAbsolutePath(), "neverallow", "-w", "-n",
                neverallowRule);
        pb.redirectOutput(ProcessBuilder.Redirect.PIPE);
        pb.redirectErrorStream(true);
        Process p = pb.start();
        p.waitFor();
        BufferedReader result = new BufferedReader(new InputStreamReader(p.getInputStream()));
        String line;
        StringBuilder errorString = new StringBuilder();
        while ((line = result.readLine()) != null) {
            errorString.append(line);
            errorString.append("\\n");
        }
        assertTrue("The following errors were encountered when validating the SELinux"
                   + "neverallow rule:\\n" + neverallowRule + "\\n" + errorString,
                   errorString.length() == 0);
    }

本地生成 SELinuxNeverallowRulesTest.java 文件

在修改SELinux後，想肯定下是否知足neverallow規則，雖然編譯過程當中會進行neverallow檢查，但因爲打包時間比較耗時，若是在本地生成的話，那速度會更快。

本地生成 SELinuxNeverallowRulesTest.java 命令

默認是在源碼的根目錄

make general_sepolicy.conf

cts/tools/selinux/SELinuxNeverallowTestGen.py out/target/product/cepheus/obj/ETC/general_sepolicy.conf_intermediates/general_sepolicy.conf SELinuxNeverallowRulesTest.java

因爲某些規則是使用attribute，可能不是很明顯，還須要結合其餘方法來肯定。

總結

從生成代碼中能夠看到，neverallow規則都屬於AOSP system/sepolicy/private和system/sepolicy/public中的neverallow，因此在添加規則時不能修改neverallow，也不能違背。

附件

cts_neverallow.zip，中包含有：

SELinuxNeverallowTestGen.py 腳本

general_sepolicy.conf

SELinuxNeverallowTestFrame.py Java測試代碼模板

first 爲SELinuxNeverallowTestGen.py第一步執行的結果

second 爲SELinuxNeverallowTestGen.py第二步執行的結果

SELinuxNeverallowRulesTest.java 爲生成的文件

後面三個文件是前三個文件所生成，執行命令爲：

SELinuxNeverallowTestGen.py general_sepolicy.conf SELinuxNeverallowRulesTest.java

連接

https://liwugang.github.io/2019/12/29/CTS-neverallow.html