author: Jeff Vander Stoep 2017-05-25 11:53:47 -0500
committer: Sandeep Patil 2017-06-05 10:09:05 -0500
commit: bdfc0301a1a5b6c6060fca429521816ac9c86928 (patch)
tree: 802189232f1fcb28b44adee97e65a84769f67ccb /Android.bp
parent: f378708c5cd51ccd0a5a2c0ea0af55678442fce1 (diff)
Verify correct application of labels and attributes
With project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We need tests that verify those attributes are correctly applied.

This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts.

Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules:
1. Domain's entrypoint is on /system - coredomain
2. Domain's entrypoint is on /vendor - not coredomain
3. Domain belongs to a whitelist of known coredomains - coredomain

In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS.

Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \
    treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \
    -f $OUT/vendor/etc/selinux/nonplat_file_contexts \
    -f $OUT/system/etc/selinux/plat_file_contexts
Bug: 37008075
Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9
(cherry picked from commit 0366afdf14000da84e5350fff169346594639488)
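As an added illustration of the three coredomain rules stated in the commit message (example code written here, not the change's own test, which queries a loaded policy through the libsepolwrap helper), the following Python applies the same check to a constructed file_contexts snippet and a constructed domain table that stands in for the policy query; the whitelist contents are likewise constructed:

```python
import re

# Constructed sample of file_contexts lines: path regex, then the label.
FILE_CONTEXTS = """
/system/bin/init            u:object_r:init_exec:s0
/system/bin/surfaceflinger  u:object_r:surfaceflinger_exec:s0
/vendor/bin/hw/android\\.hardware\\.light@2\\.0-service  u:object_r:hal_light_default_exec:s0
/vendor/bin/mislabeled      u:object_r:vendor_misc_exec:s0
""".strip().splitlines()

# Constructed stand-in for the policy query: domain -> (entrypoint type, attributes).
# The real test obtains this from the loaded sepolicy via libsepolwrap.
POLICY = {
    "init":              ("init_exec",              {"domain", "coredomain"}),
    "surfaceflinger":    ("surfaceflinger_exec",    {"domain", "coredomain"}),
    "hal_light_default": ("hal_light_default_exec", {"domain"}),
    "vendor_misc":       ("vendor_misc_exec",       {"domain", "coredomain"}),  # breaks rule 2
    "kernel":            (None,                     {"domain", "coredomain"}),  # no entrypoint
}

COREDOMAIN_WHITELIST = {"kernel"}  # constructed; covers domains without a file entrypoint

def parse_file_contexts(lines):
    """Map each file type to the path regexes labelled with it."""
    by_type = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, context = line.split()
        ftype = context.split(":")[2]          # u:object_r:<type>:s0
        by_type.setdefault(ftype, []).append(path)
    return by_type

def expected_coredomain(domain, entrypoint_type, paths_by_type):
    """Rules 1-3 from the commit message; None means no rule decides."""
    if domain in COREDOMAIN_WHITELIST:
        return True
    for path in paths_by_type.get(entrypoint_type, []):
        if re.match(r"^/system/", path):
            return True
        if re.match(r"^/vendor/", path):
            return False
    return None

def find_violations(policy, file_contexts_lines):
    """Return (domain, expected, actual) for every wrongly applied coredomain attribute."""
    paths_by_type = parse_file_contexts(file_contexts_lines)
    violations = []
    for domain, (entry, attrs) in policy.items():
        expected = expected_coredomain(domain, entry, paths_by_type)
        actual = "coredomain" in attrs
        if expected is not None and expected != actual:
            violations.append((domain, expected, actual))
    return violations
```

Running `find_violations(POLICY, FILE_CONTEXTS)` flags only `vendor_misc`, whose entrypoint lives under /vendor yet carries coredomain.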
Diffstat (limited to 'Android.bp')
-rw-r--r--  Android.bp  1
1 files changed, 1 insertions, 0 deletions
diff --git a/Android.bp b/Android.bp
new file mode 100644
index 00000000..9952a8fd
--- /dev/null
+++ b/Android.bp
@@ -0,0 +1 @@
subdirs = ["tests"]
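Review bot: the new Android.bp consists solely of `subdirs = ["tests"]`, so the build now depends on a `tests/` directory carrying its own Android.bp (the libsepol wrapper and python module the commit message describes) landing in the same change; this view is limited to Android.bp, so that dependency cannot be confirmed here and is worth checking before merge. Since the message states the policy test is deliberately not yet run at build time, confirm that what `tests/` defines only builds the helper library rather than invoking treble.py.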