/*
 * Copyright (C) 2017 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.security;

import android.test.AndroidTestCase;
import com.android.compatibility.common.util.PropertyUtil;
import java.io.IOException;


/**
 * Checks the SELinux confinement applied to an app built against the current
 * targetSdkVersion.
 *
 * <p>Every test here is a thin entry point: the probing and the assertions live in
 * {@code SELinuxTargetSdkTestBase}, which is not part of this file. The per-test
 * comments below therefore describe only what the call sites show; anything about
 * the helpers' internals is marked as an assumption.
 */
public class SELinuxTargetSdkTest extends SELinuxTargetSdkTestBase {

    /**
     * Verifies that the net.dns system properties cannot be read by this app.
     *
     * <p>Delegates to {@code noDns()} in the base class.
     */
    public void testNoDns() throws IOException {
        noDns();
    }

    /**
     * Delegates to {@code noNetlinkRouteGetlink()}.
     *
     * <p>NOTE(review): going by the helper's name, this asserts that a GETLINK request on a
     * netlink route socket is refused for this domain; confirm in the base class.
     */
    public void testNoNetlinkRouteGetlink() throws IOException {
        noNetlinkRouteGetlink();
    }

    /**
     * Delegates to {@code noNetlinkRouteBind()}.
     *
     * <p>NOTE(review): presumably asserts that bind() on a netlink route socket is refused;
     * confirm in the base class.
     */
    public void testNoNetlinkRouteBind() throws IOException {
        noNetlinkRouteBind();
    }

    /**
     * Delegates to {@code checkNetlinkRouteGetneigh(false)}.
     *
     * <p>NOTE(review): the {@code false} argument presumably means "access is expected to be
     * denied", which matches the test name; confirm the parameter's meaning in the base class.
     */
    public void testNoNetlinkRouteGetneigh() throws IOException {
        final boolean expectAllowed = false;
        checkNetlinkRouteGetneigh(expectAllowed);
    }

    /**
     * Delegates to {@code checkNetworkInterfaceHardwareAddress_returnsNull()}.
     *
     * <p>NOTE(review): the helper name indicates that querying an interface's hardware (MAC)
     * address must yield {@code null} for this app; confirm in the base class.
     */
    public void testNoHardwareAddress() throws Exception {
        checkNetworkInterfaceHardwareAddress_returnsNull();
    }

    /**
     * Fails if {@code canExecuteFromHomeDir()} reports that the app can execute code from its
     * home directory.
     */
    public void testCanNotExecuteFromHomeDir() throws Exception {
        boolean executableFromHome = canExecuteFromHomeDir();
        assertFalse(executableFromHome);
    }

    /**
     * Verifies that the process SELinux context is the domain expected for
     * targetSdkVersion = current.
     *
     * <p>The expected pattern requires the {@code untrusted_app} type at level {@code s0} with
     * exactly four categories written out, which the failure message attributes to the
     * {@code levelFrom=all} selector in seapp_contexts.
     */
    public void testAppDomainContext() throws IOException {
        // Passed to the helper as a regular expression.
        // NOTE(review): whether it is applied as a full match or a substring search is decided
        // inside appDomainContext(); confirm, since an unanchored search would also accept a
        // context with additional leading or trailing text.
        String expectedPattern = "u:r:untrusted_app:s0:c[0-9]+,c[0-9]+,c[0-9]+,c[0-9]+";

        int targetSdk = getContext().getApplicationInfo().targetSdkVersion;

        // NOTE(review): the "32" below is fixed text while the app's real targetSdkVersion is
        // printed next to it; keep the literal in step with the policy threshold it describes.
        String failurePrefix = "Untrusted apps with targetSdkVersion 32 and above " +
                "must run in the untrusted_app selinux domain and use the levelFrom=all " +
                "selector in SELinux seapp_contexts which adds four category types " +
                "to the app's selinux context. This test is targeting API level " +
                targetSdk + ".\n" +
                "Example expected value: u:r:untrusted_app:s0:c89,c256,c512,c768\n" +
                "Actual value: ";

        appDomainContext(expectedPattern, failurePrefix);
    }

    /**
     * Verifies that the app data SELinux context is the type expected for
     * targetSdkVersion = current.
     *
     * <p>The expected pattern requires the {@code app_data_file} type at level {@code s0} with
     * four categories, mirroring the category layout checked for the process domain.
     */
    public void testAppDataContext() throws Exception {
        // Passed to the helper as a regular expression.
        // NOTE(review): match semantics (full match vs. substring search) are decided inside
        // appDataContext(); confirm there.
        String expectedPattern = "u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+,c[0-9]+,c[0-9]+";

        String failurePrefix = "Untrusted apps with targetSdkVersion 29 and above " +
                "must use the app_data_file selinux context and use the levelFrom=all " +
                "selector in SELinux seapp_contexts which adds four category types " +
                "to the app_data_file context.\n" +
                "Example expected value: u:object_r:app_data_file:s0:c89,c256,c512,c768\n" +
                "Actual value: ";

        appDataContext(expectedPattern, failurePrefix);
    }

    /**
     * Runs the dex2oat access check only on devices whose vendor API level is newer than 28.
     *
     * <p>NOTE(review): {@code checkDex2oatAccess(false)} presumably asserts that access to the
     * dex2oat executable is denied; confirm the parameter's meaning in the base class.
     */
    public void testDex2oat() throws Exception {
        /*
         * Apps with a vendor image older than Q may access the dex2oat executable through
         * selinux policy on the vendor partition because the permission was granted in public
         * policy for appdomain.
         */
        if (!PropertyUtil.isVendorApiLevelNewerThan(28)) {
            // Older vendor policy still grants the permission, so there is nothing to assert.
            return;
        }
        checkDex2oatAccess(false);
    }
}