Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results
Search by author
  • Any Author
  • Werner Sembach Matombo
  • dex dex dex
2 authors
  1. Sep 28, 2017
  3. Sep 26, 2017
  5. Aug 24, 2017
    • Jeff Vander Stoep's avatar
      add searchpolicy.py for automated tests · dec443e7
      Jeff Vander Stoep authored 
      searchpolicy.py provides a subset of the functionality of sesearch.

The primary benefit being that it's entirely built in-tree and thus
can be packaged for use in automated tests included compatibility
test suites.

Example
searchpolicy.py --libpath out/host/linux-x86/lib64/ --allow --source domain

Bug: 63397379
Test: Identical output with sesearch for the following commands
    --allow --source domain
    --allow --target domain
    --allow --target appdomain -p ioctl,open
    --allow --source lmkd -c file -p ioctl,open
    --allow --source lmkd -c file,dir -p ioctl,open
Change-Id: I89a6c333f1f519d9171fbc1aafe27eaf5ad247f0
      dec443e7
  7. Aug 16, 2017
    • Dan Cashman's avatar
      treble sepolicy tests: Add removed attribute check. · 1c56a76b
      Dan Cashman authored 
      Make sure that any attributes removed from policy are declared
in the mapping file, in case they are relied upon by vendor
policy.

Bug: 36899958
Test: Builds successfull, but not with removed attribute not
in mapping file.
Change-Id: I25526cd88a50e90513ae298ccf4f2660e4627fb4
      1c56a76b
  9. Aug 08, 2017
    • Dan Cashman's avatar
      Add 26.0 api compatibility check infrastructure. · 7f7c3b82
      Dan Cashman authored 
      Add support to the treble_sepolicy_tests suite that explicitly look at
the old and current policy versions, as well as the compatibility file,
to determine if any new types have been added without a compatibility
entry.  This first test catches the most common and likely changes that
could change the type label of an object for which vendor policy may have
needed access.  It also should prove the basis for additional compatibility
checks between old and new policies.

Bug: 36899958
Test: Policy builds and tests pass.
Change-Id: I609c913e6354eb10a04cc1a029ddd9fa0e592a4c
      7f7c3b82
  11. Jun 05, 2017
    • Jeff Vander Stoep's avatar
      Verify correct application of labels and attributes · bdfc0301
      Jeff Vander Stoep authored 
      With project Treble, we're relying heavily on attributes for
permission inheritance and enforcement of separation between
platform and vendor components.

We neead tests that verify those attributes are correctly applied.
This change adds the framework for those tests including a wrapper
around libsepol for loading and querying policy, and a python module
for running tests on policy and file_contexts.

Included with the testing framework is a test asserting that the
coredomain attribute is only applied to core processes. This
verification is done using the following rules:
1. Domain's entrypoint is on /system - coredomain
2. Domain's entrypoint is on /vendor - not coredomain
3. Domain belongs to a whitelist of known coredomains - coredomain

In a subsequent commit these tests will be applied at build time.
However, I first need to fix existing Treble violations exposed by
this test. These tests will also be applied during CTS.

Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \
    treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \
    -f $OUT/vendor/etc/selinux/nonplat_file_contexts \
    -f $OUT/system/etc/selinux/plat_file_contexts
Bug: 37008075
Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9
(cherry picked from commit 0366afdf)
      bdfc0301
  13. May 31, 2017
    • Jeff Vander Stoep's avatar
      Verify correct application of labels and attributes · 0366afdf
      Jeff Vander Stoep authored 
      With project Treble, we're relying heavily on attributes for
permission inheritance and enforcement of separation between
platform and vendor components.

We neead tests that verify those attributes are correctly applied.
This change adds the framework for those tests including a wrapper
around libsepol for loading and querying policy, and a python module
for running tests on policy and file_contexts.

Included with the testing framework is a test asserting that the
coredomain attribute is only applied to core processes. This
verification is done using the following rules:
1. Domain's entrypoint is on /system - coredomain
2. Domain's entrypoint is on /vendor - not coredomain
3. Domain belongs to a whitelist of known coredomains - coredomain

In a subsequent commit these tests will be applied at build time.
However, I first need to fix existing Treble violations exposed by
this test. These tests will also be applied during CTS.

Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \
    treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \
    -f $OUT/vendor/etc/selinux/nonplat_file_contexts \
    -f $OUT/system/etc/selinux/plat_file_contexts
Bug: 37008075
Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9
      0366afdf