GTS-FailGtsSecurityHostTestCases#testNoExemptionsForSocketsBetweenCoreAndVendorBan

Posted 2021-03-05 houser0323

【GTS-Fail】GtsSecurityHostTestCases#testNoExemptionsForSocketsBetweenCoreAndVendorBan

【问题描述】

Gts-7.0-r4工具报出失败项
GtsSecurityHostTestCases
com.google.android.security.gts.SELinuxHostTest#testNoExemptionsForSocketsBetweenCoreAndVendorBan

    <Failure message="junit.framework.AssertionFailedError: Policy exempts domains from ban on socket communications between core and vendor: [hal_audio_default]">
    <StackTrace>junit.framework.AssertionFailedError: Policy exempts domains from ban on socket communications between core and vendor: [hal_audio_default]
    at junit.framework.Assert.fail(Assert.java:57)
    at junit.framework.TestCase.fail(TestCase.java:227)
    at com.google.android.security.gts.SELinuxHostTest.testNoExemptionsForSocketsBetweenCoreAndVendorBan(SELinuxHostTest.java:221)

这里有个坑，报问题的时候说上个版本有，其实最终查证0004版本（2.20前）就有这个失败项了，当时芯片厂商也告知是waiver项了。。。

【问题结论】

是waiver项
失败项是由google的auto-patch代码导致，如果第一次遇到可以咨询aml是否waiver。

AuthBlog：秋城https://www.cnblogs.com/houser0323

【分析详细】

测试逻辑总览
使用linux可执行程序：sepolicy-analyze，对机顶盒中的/sys/fs/selinux/policy文件进行解析，要求不能有返回值，命令是：
sepolicy-analyze policy attribute socket_between_core_and_vendor_violators
即：不允许有type（类型）与该attribute（属性）“socket_between_core_and_vendor_violators”有关联，字面意思：core与vendor的违规socket特权

system/sepolicy/tools/sepolicy-analyze/README

ATTRIBUTE (attribute)
sepolicy-analyze out/target/product//root/sepolicy attribute
Displays the types associated with the specified attribute name.

该权限详细限制在以下代码中有论述，Android TREBLE架构解耦计划相关
system/sepolicy/prebuilts/api/26.0/public/domain.te
system/sepolicy/prebuilts/api/27.0/public/domain.te
system/sepolicy/prebuilts/api/28.0/public/domain.te:
system/sepolicy/public/domain.te

# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
full_treble_only(`
  # Most general rules first, more specific rules below.

  # Core domains are not permitted to initiate communications to vendor domain sockets.
  # We are not restricting the use of already established sockets because it is fine for a process
  # to obtain an already established socket via some public/official/stable API and then exchange
  # data with its peer over that socket. The wire format in this scenario is dicatated by the API
  # and thus does not break the core-vendor separation.

梳理测试项逻辑
反编译后定位测试项
./com/google/android/security/gts/SELinuxHostTest.java

    public void testNoExemptionsForVendorExecutingCore() throws Exception {
        if (isFullTrebleDevice()) {
            Set<String> types = sepolicyAnalyzeGetTypesAssociatedWithAttribute("vendor_executes_system_violators");//该语句是测试判断，返回测试结果  
            if (!types.isEmpty()) {
                List<String> sortedTypes = new ArrayList(types);
                Collections.sort(sortedTypes);
                fail("Policy exempts vendor domains from ban on executing files in /system: " + sortedTypes);//此处assert，原因是容器types有东西，东西就是‘[hal_audio_default]’  
            }
        }
    }

看一下方法的测试逻辑：sepolicyAnalyzeGetTypesAssociatedWithAttribute()
通过ProcessBuilder开启一个进程，用于执行linux命令：sepolicy-analyze policy attribute socket_between_core_and_vendor_violators
然后获取这个命令的标准输出进行结果判断

   private Set<String> sepolicyAnalyzeGetTypesAssociatedWithAttribute(String attribute) throws Exception {
        BufferedReader in;
        Throwable th;
        Throwable th2;
        Set<String> types = new HashSet();
        //通过ProcessBuilder开启一个进程，用于执行linux命令：sepolicy-analyze policy attribute socket_between_core_and_vendor_violators  
        ProcessBuilder pb = new ProcessBuilder(new String[]{this.mSepolicyAnalyze.getAbsolutePath(), this.mDevicePolicyFile.getAbsolutePath(), "attribute", attribute});
......
            in = new BufferedReader(new InputStreamReader(p.getInputStream()));
            th = null;
            while (true) {
                try {
                    String type = in.readLine();
                    if (type != null) {
                        types.add(type.trim());//获取有效标准输出，写到结果容器中存储  
                    }}} 
......
        return types;
......
    }

现在基本逻辑就清楚了，只要这个命令执行有结果返回就是不被允许的，现在需要分析这个工具‘sepolicy-analyze’是干嘛的？
在Android工程源码中搜索，我们找到了这个host可执行程序的源码
system/sepolicy/tools/sepolicy-analyze/
结合网络资料以及阅读源码和README文档，澄清测试的命令用途：解析policy文件返回与attribute相关联的type值

system/sepolicy/tools/sepolicy-analyze/README

63 ATTRIBUTE (attribute)
64 sepolicy-analyze out/target/product//root/sepolicy attribute
65
66 Displays the types associated with the specified attribute name.

工程中搜索确认
搜过确认一下到底在哪里使得他们关联的,定位到一下te文件

./system/sepolicy/vendor/hal_audio_default.te:1
type hal_audio_default, domain, socket_between_core_and_vendor_violators;

查证git log，我们发现是如下的commit导致的，是google的auto-path

commit 783f5b52195f0168f4c9db29b5a80ac63fb04020
Author: xxxxxx
Date:   Mon Feb 17 11:33:16 2020 +0800

    auto patch added:CecAudio

diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 0dc2170..9da0f1b 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -1,4 +1,4 @@
-type hal_audio_default, domain;
+type hal_audio_default, domain, socket_between_core_and_vendor_violators; #此处添加的关联，问题找到了根源  
 hal_server_domain(hal_audio_default, hal_audio)

到此，问题很大概率可确认为Google-waiver，因为引入问题的代码是Google的。接下来需向芯片厂商或Google沟通确认

由于报问题的乌龙，事实是该问题很久之前已澄清过，所以这一通分析并木有什么卵用。。。。。。