1 /** 2 * Copyright (C) 2021 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package com.android.cts.rolesecuritytest; 18 19 import static org.junit.Assert.assertFalse; 20 import static org.junit.Assert.assertNotEquals; 21 import static org.junit.Assume.*; 22 23 import android.app.Instrumentation; 24 import android.app.role.RoleManager; 25 import android.content.Context; 26 import android.os.Build; 27 import android.os.UserHandle; 28 29 import androidx.test.core.app.ApplicationProvider; 30 import androidx.test.InstrumentationRegistry; 31 import androidx.test.runner.AndroidJUnit4; 32 33 import com.android.compatibility.common.util.mainline.MainlineModule; 34 import com.android.compatibility.common.util.mainline.ModuleDetector; 35 36 import java.lang.reflect.Field; 37 import java.lang.reflect.Method; 38 39 import org.junit.Before; 40 import org.junit.runner.RunWith; 41 import org.junit.Test; 42 43 @RunWith(AndroidJUnit4.class) 44 public class DeviceTest { 45 private Instrumentation mInstrumentation; 46 47 @Before setup()48 public void setup() { 49 mInstrumentation = InstrumentationRegistry.getInstrumentation(); 50 } 51 52 @Test cannotGetSmsRoleHolderForAnotherUser()53 public void cannotGetSmsRoleHolderForAnotherUser() throws Exception { 54 assumeFalse(ModuleDetector 55 .moduleIsPlayManaged(getInstrumentation().getContext().getPackageManager(), 56 MainlineModule.PERMISSION_CONTROLLER)); 57 assertNotEquals("This test should be run in a secondary user", UserHandle.USER_SYSTEM, 58 UserHandle.myUserId()); 59 if (Build.VERSION.SDK_INT < Build.VERSION_CODES.Q) { 60 return; 61 } 62 boolean exploitSuccessful = false; 63 try { 64 final Context context = ApplicationProvider.getApplicationContext(); 65 final RoleManager roleManager = context.getSystemService(RoleManager.class); 66 final Field serviceField = roleManager.getClass().getDeclaredField("mService"); 67 serviceField.setAccessible(true); 68 final Object roleService = serviceField.get(roleManager); 69 final String getSmsRoleHolderMethodName = Build.VERSION.SDK_INT >= Build.VERSION_CODES.S 70 ? "getSmsRoleHolder" : "getDefaultSmsPackage"; 71 final Method getSmsRoleHolderMethod = roleService.getClass().getMethod( 72 getSmsRoleHolderMethodName, int.class); 73 getSmsRoleHolderMethod.invoke(roleService, UserHandle.USER_SYSTEM); 74 exploitSuccessful = true; 75 } catch (Exception e) { 76 e.printStackTrace(); 77 } 78 assertFalse("Exploit succeeded", exploitSuccessful); 79 } 80 getInstrumentation()81 private Instrumentation getInstrumentation() { 82 return mInstrumentation; 83 } 84 } 85