1 /*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <filesystem>
18 #include <fstream>
19
20 #include <gmock/gmock.h>
21 #include <gtest/gtest.h>
22 #include <linux/loop.h>
23 #include <sched.h>
24 #include <sys/mount.h>
25
26 #include <android-base/errors.h>
27 #include <android-base/logging.h>
28 #include <android-base/macros.h>
29 #include <android-base/result.h>
30 #include <android-base/stringprintf.h>
31 #include <android-base/strings.h>
32 #include <android-base/unique_fd.h>
33 #include <android/apex/ApexInfo.h>
34 #include <android/apex/ApexSessionInfo.h>
35 #include <binder/IServiceManager.h>
36 #include <fstab/fstab.h>
37 #include <libdm/dm.h>
38 #include <selinux/android.h>
39
40 #include "apex_file.h"
41 #include "apexd_loop.h"
42 #include "apexd_utils.h"
43 #include "session_state.pb.h"
44
45 #include "com_android_apex.h"
46
47 namespace android {
48 namespace apex {
49 namespace testing {
50
51 template <typename T>
IsOk(const android::base::Result<T> & result)52 inline ::testing::AssertionResult IsOk(const android::base::Result<T>& result) {
53 if (result.ok()) {
54 return ::testing::AssertionSuccess() << " is Ok";
55 } else {
56 return ::testing::AssertionFailure() << " failed with " << result.error();
57 }
58 }
59
IsOk(const android::binder::Status & status)60 inline ::testing::AssertionResult IsOk(const android::binder::Status& status) {
61 if (status.isOk()) {
62 return ::testing::AssertionSuccess() << " is Ok";
63 } else {
64 return ::testing::AssertionFailure()
65 << " failed with " << status.exceptionMessage().c_str();
66 }
67 }
68
69 MATCHER_P(SessionInfoEq, other, "") {
70 using ::testing::AllOf;
71 using ::testing::Eq;
72 using ::testing::Field;
73
74 return ExplainMatchResult(
75 AllOf(
76 Field("sessionId", &ApexSessionInfo::sessionId, Eq(other.sessionId)),
77 Field("isUnknown", &ApexSessionInfo::isUnknown, Eq(other.isUnknown)),
78 Field("isVerified", &ApexSessionInfo::isVerified,
79 Eq(other.isVerified)),
80 Field("isStaged", &ApexSessionInfo::isStaged, Eq(other.isStaged)),
81 Field("isActivated", &ApexSessionInfo::isActivated,
82 Eq(other.isActivated)),
83 Field("isRevertInProgress", &ApexSessionInfo::isRevertInProgress,
84 Eq(other.isRevertInProgress)),
85 Field("isActivationFailed", &ApexSessionInfo::isActivationFailed,
86 Eq(other.isActivationFailed)),
87 Field("isSuccess", &ApexSessionInfo::isSuccess, Eq(other.isSuccess)),
88 Field("isReverted", &ApexSessionInfo::isReverted,
89 Eq(other.isReverted)),
90 Field("isRevertFailed", &ApexSessionInfo::isRevertFailed,
91 Eq(other.isRevertFailed))),
92 arg, result_listener);
93 }
94
95 MATCHER_P(ApexInfoEq, other, "") {
96 using ::testing::AllOf;
97 using ::testing::Eq;
98 using ::testing::Field;
99
100 return ExplainMatchResult(
101 AllOf(Field("moduleName", &ApexInfo::moduleName, Eq(other.moduleName)),
102 Field("modulePath", &ApexInfo::modulePath, Eq(other.modulePath)),
103 Field("preinstalledModulePath", &ApexInfo::preinstalledModulePath,
104 Eq(other.preinstalledModulePath)),
105 Field("versionCode", &ApexInfo::versionCode, Eq(other.versionCode)),
106 Field("isFactory", &ApexInfo::isFactory, Eq(other.isFactory)),
107 Field("isActive", &ApexInfo::isActive, Eq(other.isActive))),
108 arg, result_listener);
109 }
110
111 MATCHER_P(ApexFileEq, other, "") {
112 using ::testing::AllOf;
113 using ::testing::Eq;
114 using ::testing::Property;
115
116 return ExplainMatchResult(
117 AllOf(Property("path", &ApexFile::GetPath, Eq(other.get().GetPath())),
118 Property("image_offset", &ApexFile::GetImageOffset,
119 Eq(other.get().GetImageOffset())),
120 Property("image_size", &ApexFile::GetImageSize,
121 Eq(other.get().GetImageSize())),
122 Property("fs_type", &ApexFile::GetFsType,
123 Eq(other.get().GetFsType())),
124 Property("public_key", &ApexFile::GetBundledPublicKey,
125 Eq(other.get().GetBundledPublicKey())),
126 Property("is_compressed", &ApexFile::IsCompressed,
127 Eq(other.get().IsCompressed()))),
128 arg, result_listener);
129 }
130
CreateSessionInfo(int session_id)131 inline ApexSessionInfo CreateSessionInfo(int session_id) {
132 ApexSessionInfo info;
133 info.sessionId = session_id;
134 info.isUnknown = false;
135 info.isVerified = false;
136 info.isStaged = false;
137 info.isActivated = false;
138 info.isRevertInProgress = false;
139 info.isActivationFailed = false;
140 info.isSuccess = false;
141 info.isReverted = false;
142 info.isRevertFailed = false;
143 return info;
144 }
145
146 } // namespace testing
147
148 // Must be in apex::android namespace, otherwise gtest won't be able to find it.
PrintTo(const ApexSessionInfo & session,std::ostream * os)149 inline void PrintTo(const ApexSessionInfo& session, std::ostream* os) {
150 *os << "apex_session: {\n";
151 *os << " sessionId : " << session.sessionId << "\n";
152 *os << " isUnknown : " << session.isUnknown << "\n";
153 *os << " isVerified : " << session.isVerified << "\n";
154 *os << " isStaged : " << session.isStaged << "\n";
155 *os << " isActivated : " << session.isActivated << "\n";
156 *os << " isActivationFailed : " << session.isActivationFailed << "\n";
157 *os << " isSuccess : " << session.isSuccess << "\n";
158 *os << " isReverted : " << session.isReverted << "\n";
159 *os << " isRevertFailed : " << session.isRevertFailed << "\n";
160 *os << "}";
161 }
162
PrintTo(const ApexInfo & apex,std::ostream * os)163 inline void PrintTo(const ApexInfo& apex, std::ostream* os) {
164 *os << "apex_info: {\n";
165 *os << " moduleName : " << apex.moduleName << "\n";
166 *os << " modulePath : " << apex.modulePath << "\n";
167 *os << " preinstalledModulePath : " << apex.preinstalledModulePath << "\n";
168 *os << " versionCode : " << apex.versionCode << "\n";
169 *os << " isFactory : " << apex.isFactory << "\n";
170 *os << " isActive : " << apex.isActive << "\n";
171 *os << "}";
172 }
173
CompareFiles(const std::string & filename1,const std::string & filename2)174 inline android::base::Result<bool> CompareFiles(const std::string& filename1,
175 const std::string& filename2) {
176 std::ifstream file1(filename1, std::ios::binary);
177 std::ifstream file2(filename2, std::ios::binary);
178
179 if (file1.bad() || file2.bad()) {
180 return android::base::Error() << "Could not open one of the file";
181 }
182
183 std::istreambuf_iterator<char> begin1(file1);
184 std::istreambuf_iterator<char> begin2(file2);
185
186 return std::equal(begin1, std::istreambuf_iterator<char>(), begin2);
187 }
188
GetCurrentMountNamespace()189 inline android::base::Result<std::string> GetCurrentMountNamespace() {
190 std::string result;
191 if (!android::base::Readlink("/proc/self/ns/mnt", &result)) {
192 return android::base::ErrnoError() << "Failed to read /proc/self/ns/mnt";
193 }
194 return result;
195 }
196
197 // A helper class to switch back to the original mount namespace of a process
198 // upon exiting current scope.
199 class MountNamespaceRestorer final {
200 public:
MountNamespaceRestorer()201 explicit MountNamespaceRestorer() {
202 original_namespace_.reset(open("/proc/self/ns/mnt", O_RDONLY | O_CLOEXEC));
203 if (original_namespace_.get() < 0) {
204 PLOG(ERROR) << "Failed to open /proc/self/ns/mnt";
205 }
206 }
207
~MountNamespaceRestorer()208 ~MountNamespaceRestorer() {
209 if (original_namespace_.get() != -1) {
210 if (setns(original_namespace_.get(), CLONE_NEWNS) == -1) {
211 PLOG(ERROR) << "Failed to switch back to " << original_namespace_.get();
212 }
213 }
214 }
215
216 private:
217 android::base::unique_fd original_namespace_;
218 DISALLOW_COPY_AND_ASSIGN(MountNamespaceRestorer);
219 };
220
GetApexMounts()221 inline std::vector<std::string> GetApexMounts() {
222 std::vector<std::string> apex_mounts;
223 std::string mount_info;
224 if (!android::base::ReadFileToString("/proc/self/mountinfo", &mount_info)) {
225 return apex_mounts;
226 }
227 for (const auto& line : android::base::Split(mount_info, "\n")) {
228 std::vector<std::string> tokens = android::base::Split(line, " ");
229 // line format:
230 // mnt_id parent_mnt_id major:minor source target option propagation_type
231 // ex) 33 260:19 / /apex rw,nosuid,nodev -
232 if (tokens.size() >= 7 && android::base::StartsWith(tokens[4], "/apex/")) {
233 apex_mounts.push_back(tokens[4]);
234 }
235 }
236 return apex_mounts;
237 }
238
239 // Sets up a test environment for unit testing logic around mounting/unmounting
240 // apexes. For examples of usage see apexd_test.cpp
SetUpApexTestEnvironment()241 inline android::base::Result<void> SetUpApexTestEnvironment() {
242 using android::base::ErrnoError;
243
244 // 1. Switch to new mount namespace.
245 if (unshare(CLONE_NEWNS) != 0) {
246 return ErrnoError() << "Failed to unshare";
247 }
248
249 // 2. Make everything private, so that changes don't propagate.
250 if (mount(nullptr, "/", nullptr, MS_PRIVATE | MS_REC, nullptr) == -1) {
251 return ErrnoError() << "Failed to mount / as private";
252 }
253
254 // 3. Unmount all apexes. This needs to happen in two phases:
255 // Note: unlike regular unmount flow in apexd, we don't destroy dm and loop
256 // devices, since that would've propagated outside of the test environment.
257 std::vector<std::string> apex_mounts = GetApexMounts();
258
259 // 3a. First unmount all bind mounds (without @version_code).
260 for (const auto& mount : apex_mounts) {
261 if (mount.find('@') == std::string::npos) {
262 if (umount2(mount.c_str(), 0) != 0) {
263 return ErrnoError() << "Failed to unmount " << mount;
264 }
265 }
266 }
267
268 // 3.b Now unmount versioned mounts.
269 for (const auto& mount : apex_mounts) {
270 if (mount.find('@') != std::string::npos) {
271 if (umount2(mount.c_str(), 0) != 0) {
272 return ErrnoError() << "Failed to unmount " << mount;
273 }
274 }
275 }
276
277 static constexpr const char* kApexMountForTest = "/mnt/scratch-apex";
278
279 // Clean up in case previous test left directory behind.
280 if (access(kApexMountForTest, F_OK) == 0) {
281 if (umount2(kApexMountForTest, MNT_FORCE | UMOUNT_NOFOLLOW) != 0) {
282 PLOG(WARNING) << "Failed to unmount " << kApexMountForTest;
283 }
284 if (rmdir(kApexMountForTest) != 0) {
285 return ErrnoError() << "Failed to rmdir " << kApexMountForTest;
286 }
287 }
288
289 // 4. Create an empty tmpfs that will substitute /apex in tests.
290 if (mkdir(kApexMountForTest, 0755) != 0) {
291 return ErrnoError() << "Failed to mkdir " << kApexMountForTest;
292 }
293
294 if (mount("tmpfs", kApexMountForTest, "tmpfs", 0, nullptr) == -1) {
295 return ErrnoError() << "Failed to mount " << kApexMountForTest;
296 }
297
298 // 5. Overlay it over /apex via bind mount.
299 if (mount(kApexMountForTest, "/apex", nullptr, MS_BIND, nullptr) == -1) {
300 return ErrnoError() << "Failed to bind mount " << kApexMountForTest
301 << " over /apex";
302 }
303
304 // Just in case, run restorecon -R on /apex.
305 if (selinux_android_restorecon("/apex", SELINUX_ANDROID_RESTORECON_RECURSE) <
306 0) {
307 return ErrnoError() << "Failed to restorecon /apex";
308 }
309
310 return {};
311 }
312
313 // Simpler version of loop::CreateLoopDevice. Uses LOOP_SET_FD/LOOP_SET_STATUS64
314 // instead of LOOP_CONFIGURE.
315 // TODO(b/191244059) use loop::CreateLoopDevice
CreateLoopDeviceForTest(const std::string & filepath)316 inline base::Result<loop::LoopbackDeviceUniqueFd> CreateLoopDeviceForTest(
317 const std::string& filepath) {
318 base::unique_fd ctl_fd(open("/dev/loop-control", O_RDWR | O_CLOEXEC));
319 if (ctl_fd.get() == -1) {
320 return base::ErrnoError() << "Failed to open loop-control";
321 }
322 int num = ioctl(ctl_fd.get(), LOOP_CTL_GET_FREE);
323 if (num == -1) {
324 return base::ErrnoError() << "Failed LOOP_CTL_GET_FREE";
325 }
326 auto loop_device = loop::WaitForDevice(num);
327 if (!loop_device.ok()) {
328 return loop_device.error();
329 }
330 base::unique_fd target_fd(open(filepath.c_str(), O_RDONLY | O_CLOEXEC));
331 if (target_fd.get() == -1) {
332 return base::ErrnoError() << "Failed to open " << filepath;
333 }
334 struct loop_info64 li = {};
335 strlcpy((char*)li.lo_crypt_name, filepath.c_str(), LO_NAME_SIZE);
336 li.lo_flags |= LO_FLAGS_AUTOCLEAR;
337 if (ioctl(loop_device->device_fd.get(), LOOP_SET_FD, target_fd.get()) == -1) {
338 return base::ErrnoError() << "Failed to LOOP_SET_FD";
339 }
340 if (ioctl(loop_device->device_fd.get(), LOOP_SET_STATUS64, &li) == -1) {
341 return base::ErrnoError() << "Failed to LOOP_SET_STATUS64";
342 }
343 return loop_device;
344 }
345
MountViaLoopDevice(const std::string & filepath,const std::string & mount_point)346 inline base::Result<loop::LoopbackDeviceUniqueFd> MountViaLoopDevice(
347 const std::string& filepath, const std::string& mount_point) {
348 auto loop_device = CreateLoopDeviceForTest(filepath);
349 if (loop_device.ok()) {
350 close(open(mount_point.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC,
351 0644));
352 if (0 != mount(loop_device->name.c_str(), mount_point.c_str(), nullptr,
353 MS_BIND, nullptr)) {
354 return base::ErrnoError() << "can't mount.";
355 }
356 }
357 return loop_device;
358 }
359
WriteBlockApex(const std::string & apex_file,const std::string & apex_path)360 inline base::Result<loop::LoopbackDeviceUniqueFd> WriteBlockApex(
361 const std::string& apex_file, const std::string& apex_path) {
362 std::string intermediate_path = apex_path + ".intermediate";
363 std::filesystem::copy(apex_file, intermediate_path);
364 return MountViaLoopDevice(intermediate_path, apex_path);
365 }
366
GetBlockDeviceForApex(const std::string & package_id)367 inline android::base::Result<std::string> GetBlockDeviceForApex(
368 const std::string& package_id) {
369 using android::fs_mgr::Fstab;
370 using android::fs_mgr::GetEntryForMountPoint;
371 using android::fs_mgr::ReadFstabFromFile;
372
373 std::string mount_point = std::string(kApexRoot) + "/" + package_id;
374 Fstab fstab;
375 if (!ReadFstabFromFile("/proc/mounts", &fstab)) {
376 return android::base::Error() << "Failed to read /proc/mounts";
377 }
378 auto entry = GetEntryForMountPoint(&fstab, mount_point);
379 if (entry == nullptr) {
380 return android::base::Error()
381 << "Can't find " << mount_point << " in /proc/mounts";
382 }
383 return entry->blk_device;
384 }
385
ReadDevice(const std::string & block_device)386 inline android::base::Result<void> ReadDevice(const std::string& block_device) {
387 static constexpr int kBlockSize = 4096;
388 static constexpr size_t kBufSize = 1024 * kBlockSize;
389 std::vector<uint8_t> buffer(kBufSize);
390
391 android::base::unique_fd fd(
392 TEMP_FAILURE_RETRY(open(block_device.c_str(), O_RDONLY | O_CLOEXEC)));
393 if (fd.get() == -1) {
394 return android::base::ErrnoError() << "Can't open " << block_device;
395 }
396
397 while (true) {
398 int n = read(fd.get(), buffer.data(), kBufSize);
399 if (n < 0) {
400 return android::base::ErrnoError() << "Failed to read " << block_device;
401 }
402 if (n == 0) {
403 break;
404 }
405 }
406 return {};
407 }
408
ListChildLoopDevices(const std::string & name)409 inline android::base::Result<std::vector<std::string>> ListChildLoopDevices(
410 const std::string& name) {
411 using android::base::Error;
412 using android::dm::DeviceMapper;
413
414 DeviceMapper& dm = DeviceMapper::Instance();
415 std::string dm_path;
416 if (!dm.GetDmDevicePathByName(name, &dm_path)) {
417 return Error() << "Failed to get path of dm device " << name;
418 }
419 // It's a little bit sad we can't use ConsumePrefix here :(
420 constexpr std::string_view kDevPrefix = "/dev/";
421 if (!android::base::StartsWith(dm_path, kDevPrefix)) {
422 return Error() << "Illegal path " << dm_path;
423 }
424 dm_path = dm_path.substr(kDevPrefix.length());
425 std::vector<std::string> children;
426 std::string dir = "/sys/" + dm_path + "/slaves";
427 auto status = WalkDir(dir, [&](const auto& entry) {
428 std::error_code ec;
429 if (entry.is_symlink(ec)) {
430 children.push_back("/dev/block/" + entry.path().filename().string());
431 }
432 });
433 if (!status.ok()) {
434 return status.error();
435 }
436 return children;
437 }
438
439 } // namespace apex
440 } // namespace android
441
442 namespace com {
443 namespace android {
444 namespace apex {
445
446 namespace testing {
447
448 // "preinstalledModulePath" is an optional in ApexInfoList.xsd.
449 // getPreinstalledModulePath() should be called when hasPreinstalledModulePath()
450 // returns true. Introducing a simple wrapper which returns optional<string>.
getPreinstalledModulePath(const ApexInfo & obj)451 inline std::optional<std::string> getPreinstalledModulePath(
452 const ApexInfo& obj) {
453 if (obj.hasPreinstalledModulePath()) {
454 return obj.getPreinstalledModulePath();
455 }
456 return std::nullopt;
457 }
458
459 MATCHER_P(ApexInfoXmlEq, other, "") {
460 using ::testing::AllOf;
461 using ::testing::Eq;
462 using ::testing::ExplainMatchResult;
463 using ::testing::Field;
464 using ::testing::Property;
465 using ::testing::ResultOf;
466
467 return ExplainMatchResult(
468 AllOf(
469 Property("moduleName", &ApexInfo::getModuleName,
470 Eq(other.getModuleName())),
471 Property("modulePath", &ApexInfo::getModulePath,
472 Eq(other.getModulePath())),
473 ResultOf(&getPreinstalledModulePath,
474 Eq(getPreinstalledModulePath(other))),
475 Property("versionCode", &ApexInfo::getVersionCode,
476 Eq(other.getVersionCode())),
477 Property("isFactory", &ApexInfo::getIsFactory,
478 Eq(other.getIsFactory())),
479 Property("isActive", &ApexInfo::getIsActive, Eq(other.getIsActive())),
480 Property("lastUpdateMillis", &ApexInfo::getLastUpdateMillis,
481 Eq(other.getLastUpdateMillis()))),
482 arg, result_listener);
483 }
484
485 } // namespace testing
486
487 // Must be in com::android::apex namespace for gtest to pick it up.
PrintTo(const ApexInfo & apex,std::ostream * os)488 inline void PrintTo(const ApexInfo& apex, std::ostream* os) {
489 *os << "apex_info: {\n";
490 *os << " moduleName : " << apex.getModuleName() << "\n";
491 *os << " modulePath : " << apex.getModulePath() << "\n";
492 if (apex.hasPreinstalledModulePath()) {
493 *os << " preinstalledModulePath : " << apex.getPreinstalledModulePath()
494 << "\n";
495 }
496 *os << " versionCode : " << apex.getVersionCode() << "\n";
497 *os << " isFactory : " << apex.getIsFactory() << "\n";
498 *os << " isActive : " << apex.getIsActive() << "\n";
499 *os << "}";
500 }
501
502 } // namespace apex
503 } // namespace android
504 } // namespace com
505