#!/usr/bin/env python
|
|
import re
|
import sys
|
import SELinuxNeverallowTestFrame
|
|
usage = "Usage: ./SELinuxNeverallowTestGen.py <input policy file> <output cts java source>"
|
|
|
class NeverallowRule:
|
statement = ''
|
treble_only = False
|
compatible_property_only = False
|
|
def __init__(self, statement):
|
self.statement = statement
|
self.treble_only = False
|
self.compatible_property_only = False
|
|
|
# extract_neverallow_rules - takes an intermediate policy file and pulls out the
|
# neverallow rules by taking all of the non-commented text between the 'neverallow'
|
# keyword and a terminating ';'
|
# returns: a list of rules
|
def extract_neverallow_rules(policy_file):
|
with open(policy_file, 'r') as in_file:
|
policy_str = in_file.read()
|
|
# full-Treble only tests are inside sections delimited by BEGIN_TREBLE_ONLY
|
# and END_TREBLE_ONLY comments.
|
|
# uncomment TREBLE_ONLY section delimiter lines
|
remaining = re.sub(
|
r'^\s*#\s*(BEGIN_TREBLE_ONLY|END_TREBLE_ONLY|BEGIN_COMPATIBLE_PROPERTY_ONLY|END_COMPATIBLE_PROPERTY_ONLY)',
|
r'\1',
|
policy_str,
|
flags = re.M)
|
# remove comments
|
remaining = re.sub(r'#.+?$', r'', remaining, flags = re.M)
|
# match neverallow rules
|
lines = re.findall(
|
r'^\s*(neverallow\s.+?;|BEGIN_TREBLE_ONLY|END_TREBLE_ONLY|BEGIN_COMPATIBLE_PROPERTY_ONLY|END_COMPATIBLE_PROPERTY_ONLY)',
|
remaining,
|
flags = re.M |re.S)
|
|
# extract neverallow rules from the remaining lines
|
rules = list()
|
treble_only_depth = 0
|
compatible_property_only_depth = 0
|
for line in lines:
|
if line.startswith("BEGIN_TREBLE_ONLY"):
|
treble_only_depth += 1
|
continue
|
elif line.startswith("END_TREBLE_ONLY"):
|
if treble_only_depth < 1:
|
exit("ERROR: END_TREBLE_ONLY outside of TREBLE_ONLY section")
|
treble_only_depth -= 1
|
continue
|
elif line.startswith("BEGIN_COMPATIBLE_PROPERTY_ONLY"):
|
compatible_property_only_depth += 1
|
continue
|
elif line.startswith("END_COMPATIBLE_PROPERTY_ONLY"):
|
if compatible_property_only_depth < 1:
|
exit("ERROR: END_COMPATIBLE_PROPERTY_ONLY outside of COMPATIBLE_PROPERTY_ONLY section")
|
compatible_property_only_depth -= 1
|
continue
|
rule = NeverallowRule(line)
|
rule.treble_only = (treble_only_depth > 0)
|
rule.compatible_property_only = (compatible_property_only_depth > 0)
|
rules.append(rule)
|
|
if treble_only_depth != 0:
|
exit("ERROR: end of input while inside TREBLE_ONLY section")
|
if compatible_property_only_depth != 0:
|
exit("ERROR: end of input while inside COMPATIBLE_PROPERTY_ONLY section")
|
|
return rules
|
|
# neverallow_rule_to_test - takes a neverallow statement and transforms it into
|
# the output necessary to form a cts unit test in a java source file.
|
# returns: a string representing a generic test method based on this rule.
|
def neverallow_rule_to_test(rule, test_num):
|
squashed_neverallow = rule.statement.replace("\n", " ")
|
method = SELinuxNeverallowTestFrame.src_method
|
method = method.replace("testNeverallowRules()",
|
"testNeverallowRules" + str(test_num) + "()")
|
method = method.replace("$NEVERALLOW_RULE_HERE$", squashed_neverallow)
|
method = method.replace(
|
"$FULL_TREBLE_ONLY_BOOL_HERE$",
|
"true" if rule.treble_only else "false")
|
method = method.replace(
|
"$COMPATIBLE_PROPERTY_ONLY_BOOL_HERE$",
|
"true" if rule.compatible_property_only else "false")
|
return method
|
|
if __name__ == "__main__":
|
# check usage
|
if len(sys.argv) != 3:
|
print usage
|
exit(1)
|
input_file = sys.argv[1]
|
output_file = sys.argv[2]
|
|
src_header = SELinuxNeverallowTestFrame.src_header
|
src_body = SELinuxNeverallowTestFrame.src_body
|
src_footer = SELinuxNeverallowTestFrame.src_footer
|
|
# grab the neverallow rules from the policy file and transform into tests
|
neverallow_rules = extract_neverallow_rules(input_file)
|
i = 0
|
for rule in neverallow_rules:
|
src_body += neverallow_rule_to_test(rule, i)
|
i += 1
|
|
with open(output_file, 'w') as out_file:
|
out_file.write(src_header)
|
out_file.write(src_body)
|
out_file.write(src_footer)
|
