Merge "Add tests for kernel selinux file api." into oc-dev

8 files changed, 292 insertions, 0 deletions

diff --git a/api/selinux/Android.mk b/api/selinux/Android.mk
new file mode 100644
index 00000000..244af93d
--- /dev/null
+++ b/api/selinux/Android.mk
@@ -0,0 +1,25 @@
+#
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+LOCAL_PATH := $(call my-dir)
+
+include $(call all-subdir-makefiles)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := VtsKernelSelinuxFileApi
+VTS_CONFIG_SRC_DIR := testcases/kernel/api/selinux
+include test/vts/tools/build/Android.host_config.mk
diff --git a/api/selinux/AndroidTest.xml b/api/selinux/AndroidTest.xml
new file mode 100644
index 00000000..1e4e018c
--- /dev/null
+++ b/api/selinux/AndroidTest.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright (C) 2017 The Android Open Source Project
+
+     Licensed under the Apache License, Version 2.0 (the "License");
+     you may not use this file except in compliance with the License.
+     You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+     Unless required by applicable law or agreed to in writing, software
+     distributed under the License is distributed on an "AS IS" BASIS,
+     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+     See the License for the specific language governing permissions and
+     limitations under the License.
+-->
+<configuration description="Config for VTS KernelSelinuxFileApiTest test cases">
+    <target_preparer class="com.android.compatibility.common.tradefed.targetprep.VtsFilePusher">
+        <option name="push-group" value="HostDrivenTest.push" />
+    </target_preparer>
+    <target_preparer class="com.android.tradefed.targetprep.VtsPythonVirtualenvPreparer">
+    </target_preparer>
+    <test class="com.android.tradefed.testtype.VtsMultiDeviceTest">
+        <option name="test-module-name" value="VtsKernelSelinuxFileApi" />
+        <option name="test-case-path" value="vts/testcases/kernel/api/selinux/VtsKernelSelinuxFileApiTest" />
+    </test>
+</configuration>
diff --git a/api/selinux/KernelSelinuxFileTestBase.py b/api/selinux/KernelSelinuxFileTestBase.py
new file mode 100644
index 00000000..d48e0075
--- /dev/null
+++ b/api/selinux/KernelSelinuxFileTestBase.py
@@ -0,0 +1,60 @@
+#!/usr/bin/env python
+#
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+from abc import ABCMeta
+from abc import abstractmethod
+
+from vts.utils.python.file import file_utils
+
+class KernelSelinuxFileTestBase(object):
+    """Abstract test for the formatting of a selinux file.
+
+    Individual files can inherit from this class and define the correct path,
+    file content, and permissions.
+    """
+    __metaclass__ = ABCMeta
+
+    @abstractmethod
+    def get_path(self):
+        """Return the full path of this selinux file."""
+        pass
+
+    def result_correct(self, file_contents):
+        """Return True if the file contents are correct.
+
+        Subclasses define the requirements for the selinux file and validate
+        that the contents of a file are correct.
+
+        Args:
+            file_contents: String, the contents of an selinux file
+
+        Returns:
+            True if the contents are correct, False otherwise.
+        """
+        return True
+
+    def get_permission_checker(self):
+        """Gets the function handle to use for validating file permissions.
+
+        Return the function that will check if the permissions are correct.
+        By default, return the IsReadOnly function from file_utils.
+
+        Returns:
+            function which takes one argument (the unix file permission bits
+            in octal format) and returns True if the permissions are correct,
+            False otherwise.
+        """
+        return file_utils.IsReadOnly
diff --git a/api/selinux/SelinuxCheckReqProtTest.py b/api/selinux/SelinuxCheckReqProtTest.py
new file mode 100644
index 00000000..5d091a53
--- /dev/null
+++ b/api/selinux/SelinuxCheckReqProtTest.py
@@ -0,0 +1,42 @@
+#
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+from vts.testcases.kernel.api.selinux import KernelSelinuxFileTestBase
+from vts.utils.python.file import file_utils
+
+
+class SelinuxCheckReqProt(KernelSelinuxFileTestBase.KernelSelinuxFileTestBase):
+    """Validate /sys/fs/selinux/checkreqprot content and permissions.
+
+    The contents are binary 0/1 and the file should be read/write.
+    """
+
+    def get_path(self):
+        return "/sys/fs/selinux/checkreqprot"
+
+    def result_correct(self, file_content):
+        """Return True if the file contents are simply 0/1.
+
+        Args:
+            file_contents: String, the contents of the checkreqprot file
+
+        Returns:
+            True if the contents are 0/1, False otherwise.
+        """
+        return file_content == "0" or file_content == "1"
+
+    def get_permission_checker(self):
+        """Gets the function handle to validate r/w file permissions."""
+        return file_utils.IsReadWrite
diff --git a/api/selinux/SelinuxNullTest.py b/api/selinux/SelinuxNullTest.py
new file mode 100644
index 00000000..611e492f
--- /dev/null
+++ b/api/selinux/SelinuxNullTest.py
@@ -0,0 +1,31 @@
+#
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+from vts.testcases.kernel.api.selinux import KernelSelinuxFileTestBase
+from vts.utils.python.file import file_utils
+
+
+class SelinuxNull(KernelSelinuxFileTestBase.KernelSelinuxFileTestBase):
+    """Validate /sys/fs/selinux/null permissions.
+
+    The file should be read/write; there are no tests for content format.
+    """
+
+    def get_path(self):
+        return "/sys/fs/selinux/null"
+
+    def get_permission_checker(self):
+        """Gets the function handle to validate r/w file permissions."""
+        return file_utils.IsReadWrite
diff --git a/api/selinux/SelinuxPolicyTest.py b/api/selinux/SelinuxPolicyTest.py
new file mode 100644
index 00000000..9c793362
--- /dev/null
+++ b/api/selinux/SelinuxPolicyTest.py
@@ -0,0 +1,27 @@
+#
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+from vts.testcases.kernel.api.selinux import KernelSelinuxFileTestBase
+from vts.utils.python.file import file_utils
+
+
+class SelinuxPolicy(KernelSelinuxFileTestBase.KernelSelinuxFileTestBase):
+    """Validate /sys/fs/selinux/policy permissions.
+
+    The file permission should be read-only. No content testing at this time.
+    """
+
+    def get_path(self):
+        return "/sys/fs/selinux/policy"
diff --git a/api/selinux/VtsKernelSelinuxFileApiTest.py b/api/selinux/VtsKernelSelinuxFileApiTest.py
new file mode 100644
index 00000000..d35e33b3
--- /dev/null
+++ b/api/selinux/VtsKernelSelinuxFileApiTest.py
@@ -0,0 +1,81 @@
+#!/usr/bin/env python
+#
+# Copyright (C) 2017 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+import logging
+
+from vts.runners.host import asserts
+from vts.runners.host import base_test
+from vts.runners.host import const
+from vts.runners.host import test_runner
+from vts.testcases.kernel.api.selinux import SelinuxCheckReqProtTest
+from vts.testcases.kernel.api.selinux import SelinuxPolicyTest
+from vts.testcases.kernel.api.selinux import SelinuxNullTest
+from vts.utils.python.controllers import android_device
+from vts.utils.python.file import file_utils
+
+TEST_OBJECTS = {
+    SelinuxCheckReqProtTest.SelinuxCheckReqProt(),
+    SelinuxPolicyTest.SelinuxPolicy(),
+    SelinuxNullTest.SelinuxNull()
+}
+
+class VtsKernelSelinuxFileApiTest(base_test.BaseTestClass):
+    """Test cases which check content of selinuxfs files.
+    """
+
+    def setUpClass(self):
+        self.dut = self.registerController(android_device)[0]
+        self.dut.shell.InvokeTerminal(
+            "KernelSelinuxFileApiTest")  # creates a remote shell instance.
+        self.shell = self.dut.shell.KernelSelinuxFileApiTest
+
+    def runSelinuxFileTest(self, test_object):
+        """Reads the file and checks that its content and permissions are valid.
+
+        Args:
+            test_object: inherits KernelSelinuxFileTestBase, contains the test functions
+        """
+        logging.info("Testing existence of %s" % (test_object.get_path()))
+
+        asserts.assertTrue(
+            file_utils.Exists(test_object.get_path(), self.shell),
+            "%s: File does not exist." % test_object.get_path())
+
+        logging.info("Testing permissions of %s" % (test_object.get_path()))
+        try:
+            permissions = file_utils.GetPermission(
+                test_object.get_path(), self.shell)
+            asserts.assertTrue(test_object.get_permission_checker()(permissions),
+                               "%s: File has invalid permissions (%s)" %
+                               (test_object.get_path(), permissions))
+        except (ValueError, IOError) as e:
+            asserts.fail("Failed to assert permissions: %s" % str(e))
+
+        logging.info("Testing format of %s" % (test_object.get_path()))
+        file_content = file_utils.ReadFileContent(
+            test_object.get_path(), self.shell)
+        asserts.assertTrue(
+            test_object.result_correct(file_content), "Results not valid!")
+
+    def generateProcFileTests(self):
+        """Run all selinux file tests."""
+        self.runGeneratedTests(test_func=self.runSelinuxFileTest,
+                settings=TEST_OBJECTS,
+                name_func=lambda test_obj: "test" + test_obj.__class__.__name__)
+
+if __name__ == "__main__":
+    test_runner.main()
diff --git a/api/selinux/__init__.py b/api/selinux/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/api/selinux/__init__.py