apex_sepolicy_tests: check apex roots are search-able
Narrow down the check for apex roots. It was 'read', but 'search' should
be enough.
Bug: 310528686
Test: m
Change-Id: Ibe5f2e948464580832d87e8d8364c33a437efed2
diff --git a/tests/apex_sepolicy_tests.py b/tests/apex_sepolicy_tests.py
index 3c51b67..ab01745 100644
--- a/tests/apex_sepolicy_tests.py
+++ b/tests/apex_sepolicy_tests.py
@@ -59,10 +59,11 @@
Matcher = Is | Glob | Regex
@dataclass
-class AllowRead:
- """Rule checking if scontext can read the entity"""
+class AllowPerm:
+ """Rule checking if scontext has 'perm' to the entity"""
tclass: str
scontext: set[str]
+ perm: str
@dataclass
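Review bot: The new `perm` field is undocumented, and its position matters: check_rule destructures the rule positionally as `case AllowPerm(tclass, scontext, perm)`, so the declaration order of the three fields is part of the contract and reordering them would silently bind the wrong values. A short field comment would record both facts, e.g. `perm: str  # single SELinux permission name (e.g. 'read', 'search'); keep field order, matched positionally`. The AllowPerm class continues past the end of this hunk.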
@@ -71,7 +72,12 @@
pass
-Rule = AllowRead | ResolveType
+Rule = AllowPerm | ResolveType
+
+
+# Helper for 'read'
+def AllowRead(tclass, scontext):
+ return AllowPerm(tclass, scontext, 'read')
def match_path(path: str, matcher: Matcher) -> bool:
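Review bot: The new `AllowRead` helper has neither type hints nor a docstring, while `match_path` directly below it is fully annotated; the PascalCase name is presumably kept so the existing rule tables keep reading like constructor calls, which is worth saying explicitly so nobody "fixes" the name to snake_case. I would write `def AllowRead(tclass: str, scontext: set[str]) -> AllowPerm:` followed by `"""Shorthand for AllowPerm(tclass, scontext, 'read'); class-like name kept for the rule tables."""` and the existing return line. The `match_path` signature at the end of the hunk belongs to a function whose body is outside this hunk.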
@@ -89,17 +95,17 @@
"""Returns error message if scontext can't read the target"""
errors = []
match rule:
- case AllowRead(tclass, scontext):
+ case AllowPerm(tclass, scontext, perm):
# Test every source in scontext(set)
for s in scontext:
te_rules = list(pol.QueryTERule(scontext={s},
tcontext={tcontext},
tclass={tclass},
- perms={'read'}))
+ perms={perm}))
if len(te_rules) > 0:
continue # no errors
- errors.append(f"Error: {path}: {s} can't read. (tcontext={tcontext})")
+ errors.append(f"Error: {path}: {s} can't {perm}. (tcontext={tcontext})")
case ResolveType():
if tcontext not in pol.GetAllTypes(False):
errors.append(f"Error: {path}: tcontext({tcontext}) is unknown")
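Review bot: The docstring at the top of this hunk, `"""Returns error message if scontext can't read the target"""`, is now stale: the AllowPerm arm queries `perms={perm}` and reports `can't {perm}`, so the function no longer checks only 'read'. Suggest `"""Returns error messages if scontext lacks the rule's permission on the target (or the type is unknown)"""`, which also covers the ResolveType arm. As a minor style point, `if len(te_rules) > 0:` can be `if te_rules:` since te_rules is already a list. The enclosing function's signature is above this hunk.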
@@ -122,7 +128,7 @@
(Glob('./etc/vintf/*.xml'), AllowRead('file', {'servicemanager', 'apexd'})),
# ./ and apex_manifest.pb
(Is('./apex_manifest.pb'), AllowRead('file', {'linkerconfig', 'apexd'})),
- (Is('./'), AllowRead('dir', {'linkerconfig', 'apexd'})),
+ (Is('./'), AllowPerm('dir', {'linkerconfig', 'apexd'}, 'search')),
# linker.config.pb
(Is('./etc/linker.config.pb'), AllowRead('file', {'linkerconfig'})),
]
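Review bot: The `./` entry is now the only rule in this table that names its permission explicitly, and nothing on the line says why 'search' rather than 'read' is the right requirement, so a future reader comparing it with the AllowRead rules around it may regress it. A why-comment would pin the intent from the commit message, e.g. `# apex root only needs to be traversable (dir 'search'), not listable ('read')`. Note the check is deliberately narrower than before: a policy that grants linkerconfig/apexd only 'search' on the root now passes, which matches the stated goal but is worth stating in the comment.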
diff --git a/tests/apex_sepolicy_tests_test.py b/tests/apex_sepolicy_tests_test.py
index 6e719ed..3fee43d 100644
--- a/tests/apex_sepolicy_tests_test.py
+++ b/tests/apex_sepolicy_tests_test.py
@@ -96,7 +96,7 @@
self.assert_error('./etc/linker.config.pb u:object_r:vendor_file:s0',
r'Error: .*linkerconfig.* can\'t read')
self.assert_error('./ u:object_r:apex_data_file:s0',
- r'Error: .*linkerconfig.* can\'t read')
+ r'Error: .*linkerconfig.* can\'t search')
def test_unknown_label(self):
self.assert_error('./bin/hw/foo u:object_r:foo_exec:s0',