1 /* 2 * Copyright (C) 2017 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.security; 18 19 import android.os.Build; 20 21 import com.android.compatibility.common.util.CddTest; 22 import com.android.compatibility.common.util.PropertyUtil; 23 24 import java.io.IOException; 25 26 /** 27 * Verify the selinux domain for apps running with current targetSdkVersion 28 */ 29 public class SELinuxTargetSdkTest extends SELinuxTargetSdkTestBase { 30 /** 31 * Verify that net.dns properties may not be read 32 */ testNoDns()33 public void testNoDns() throws IOException { 34 noDns(); 35 } 36 testNoNetlinkRouteGetlink()37 public void testNoNetlinkRouteGetlink() throws IOException { 38 noNetlinkRouteGetlink(); 39 } 40 testNoNetlinkRouteBind()41 public void testNoNetlinkRouteBind() throws IOException { 42 noNetlinkRouteBind(); 43 } 44 testNoNetlinkRouteGetneigh()45 public void testNoNetlinkRouteGetneigh() throws IOException { 46 checkNetlinkRouteGetneigh(false); 47 } 48 testNoHardwareAddress()49 public void testNoHardwareAddress() throws Exception { 50 checkNetworkInterfaceHardwareAddress_returnsNull(); 51 } 52 testCanNotExecuteFromHomeDir()53 public void testCanNotExecuteFromHomeDir() throws Exception { 54 assertFalse(canExecuteFromHomeDir()); 55 } 56 57 /** 58 * Verify that selinux context is the expected domain based on 59 * targetSdkVersion = current 60 */ testAppDomainContext()61 public void testAppDomainContext() throws IOException { 62 String context = "u:r:untrusted_app:s0:c[0-9]+,c[0-9]+,c[0-9]+,c[0-9]+"; 63 String msg = "Untrusted apps with targetSdkVersion 32 and above " + 64 "must run in the untrusted_app selinux domain and use the levelFrom=all " + 65 "selector in SELinux seapp_contexts which adds four category types " + 66 "to the app's selinux context. This test is targeting API level " + 67 getContext().getApplicationInfo().targetSdkVersion + ".\n" + 68 "Example expected value: u:r:untrusted_app:s0:c89,c256,c512,c768\n" + 69 "Actual value: "; 70 appDomainContext(context, msg); 71 } 72 73 /** 74 * Verify that selinux context is the expected type based on 75 * targetSdkVersion = current 76 */ testAppDataContext()77 public void testAppDataContext() throws Exception { 78 String context = "u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+,c[0-9]+,c[0-9]+"; 79 String msg = "Untrusted apps with targetSdkVersion 29 and above " + 80 "must use the app_data_file selinux context and use the levelFrom=all " + 81 "selector in SELinux seapp_contexts which adds four category types " + 82 "to the app_data_file context.\n" + 83 "Example expected value: u:object_r:app_data_file:s0:c89,c256,c512,c768\n" + 84 "Actual value: "; 85 appDataContext(context, msg); 86 } 87 testDex2oat()88 public void testDex2oat() throws Exception { 89 /* 90 * Apps with a vendor image older than Q may access the dex2oat executable through 91 * selinux policy on the vendor partition because the permission was granted in public 92 * policy for appdomain. 93 */ 94 if (PropertyUtil.isVendorApiLevelNewerThan(28)) { 95 checkDex2oatAccess(false); 96 } 97 } 98 99 /** 100 * Verify that hidden ro props are not accessible. 101 */ 102 @CddTest(requirements = { "9.7/C-1-4" }) testNoHiddenSystemProperties()103 public void testNoHiddenSystemProperties() throws Exception { 104 if (PropertyUtil.isVendorApiLevelAtLeast(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)) { 105 noHiddenSystemProperties(); 106 } 107 } 108 } 109