authorTreehugger Robot <treehugger-gerrit@google.com>2016-04-28 20:20:39 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>2016-04-28 20:20:39 +0000
commita96231f250be67dccd12c1cf2049014f55ab6194 (patch)
tree2c724fa94c970951f420225279f80253e10a3a0d
parente249caf4b8025d42dc5b8430b5930076c69c5d9e (diff)
parent7a9c0418f5153976aa47177ed928289d0804dc29 (diff)
downloadcts-a96231f250be67dccd12c1cf2049014f55ab6194.tar.gz
Merge "testAllCharacterDevicesAreSecure: move to host side"
-rw-r--r--hostsidetests/security/src/android/cts/security/FileSystemPermissionTest.java131
-rw-r--r--tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java79
2 files changed, 131 insertions, 79 deletions
diff --git a/hostsidetests/security/src/android/cts/security/FileSystemPermissionTest.java b/hostsidetests/security/src/android/cts/security/FileSystemPermissionTest.java
new file mode 100644
index 00000000000..56cc87a8176
--- /dev/null
+++ b/hostsidetests/security/src/android/cts/security/FileSystemPermissionTest.java
@@ -0,0 +1,131 @@
+package android.cts.security;
+
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.testtype.DeviceTestCase;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+public class FileSystemPermissionTest extends DeviceTestCase {
+
+ /**
+ * A reference to the device under test.
+ */
+ private ITestDevice mDevice;
+
+ /**
+ * Used to build the find command for finding insecure file system components
+ */
+ private static final String INSECURE_DEVICE_ADB_COMMAND = "find %s -type %s -perm /o=rwx 2>/dev/null";
+
+ /**
+ * Whitelist exceptions of allowed world accessbale char files under /dev
+ */
+ private static final Set<String> CHAR_DEV_EXCEPTIONS = new HashSet<String>(
+ Arrays.asList(
+ // All exceptions should be alphabetical and associated with a bug number.
+ "/dev/adsprpc-smd", // b/11710243
+ "/dev/alarm", // b/9035217
+ "/dev/ashmem",
+ "/dev/binder",
+ "/dev/card0", // b/13159510
+ "/dev/renderD128",
+ "/dev/renderD129", // b/23798677
+ "/dev/dri/card0", // b/13159510
+ "/dev/dri/renderD128",
+ "/dev/dri/renderD129", // b/23798677
+ "/dev/felica", // b/11142586
+ "/dev/felica_ant", // b/11142586
+ "/dev/felica_cen", // b/11142586
+ "/dev/felica_pon", // b/11142586
+ "/dev/felica_rfs", // b/11142586
+ "/dev/felica_rws", // b/11142586
+ "/dev/felica_uicc", // b/11142586
+ "/dev/full",
+ "/dev/galcore",
+ "/dev/genlock", // b/9035217
+ "/dev/graphics/galcore",
+ "/dev/ion",
+ "/dev/kgsl-2d0", // b/11271533
+ "/dev/kgsl-2d1", // b/11271533
+ "/dev/kgsl-3d0", // b/9035217
+ "/dev/log/events", // b/9035217
+ "/dev/log/main", // b/9035217
+ "/dev/log/radio", // b/9035217
+ "/dev/log/system", // b/9035217
+ "/dev/mali0", // b/9106968
+ "/dev/mali", // b/11142586
+ "/dev/mm_interlock", // b/12955573
+ "/dev/mm_isp", // b/12955573
+ "/dev/mm_v3d", // b/12955573
+ "/dev/msm_rotator", // b/9035217
+ "/dev/null",
+ "/dev/nvhost-as-gpu",
+ "/dev/nvhost-ctrl", // b/9088251
+ "/dev/nvhost-ctrl-gpu",
+ "/dev/nvhost-dbg-gpu",
+ "/dev/nvhost-gpu",
+ "/dev/nvhost-gr2d", // b/9088251
+ "/dev/nvhost-gr3d", // b/9088251
+ "/dev/nvhost-tsec",
+ "/dev/nvhost-prof-gpu",
+ "/dev/nvhost-vic",
+ "/dev/nvmap", // b/9088251
+ "/dev/ptmx", // b/9088251
+ "/dev/pvrsrvkm", // b/9108170
+ "/dev/pvr_sync",
+ "/dev/quadd",
+ "/dev/random",
+ "/dev/snfc_cen", // b/11142586
+ "/dev/snfc_hsel", // b/11142586
+ "/dev/snfc_intu_poll", // b/11142586
+ "/dev/snfc_rfs", // b/11142586
+ "/dev/tegra-throughput",
+ "/dev/tiler", // b/9108170
+ "/dev/tty",
+ "/dev/urandom",
+ "/dev/ump", // b/11142586
+ "/dev/xt_qtaguid", // b/9088251
+ "/dev/zero",
+ "/dev/fimg2d", // b/10428016
+ "/dev/mobicore-user" // b/10428016
+ ));
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ mDevice = getDevice();
+ }
+
+ public void testAllCharacterDevicesAreSecure() throws DeviceNotAvailableException {
+ Set <String> insecure = getAllInsecureDevicesInDirAndSubdir("/dev", "c");
+ Set <String> insecurePts = getAllInsecureDevicesInDirAndSubdir("/dev/pts", "c");
+ insecure.removeAll(CHAR_DEV_EXCEPTIONS);
+ insecure.removeAll(insecurePts);
+ assertTrue("Found insecure character devices: " + insecure.toString(),
+ insecure.isEmpty());
+ }
+
+ /**
+ * Searches for all world accessable files, note this may need sepolicy to search the desired
+ * location and stat files.
+ * @path The path to search, must be a directory.
+ * @type The type of file to search for, must be a valid find command argument to the type
+ * option.
+ * @returns The set of insecure fs objects found.
+ */
+ private Set<String> getAllInsecureDevicesInDirAndSubdir(String path, String type) throws DeviceNotAvailableException {
+
+ String cmd = getInsecureDeviceAdbCommand(path, type);
+ String output = mDevice.executeShellCommand(cmd);
+ // Splitting an empty string results in an array of an empty string.
+ String [] found = output.length() > 0 ? output.split("\\s") : new String[0];
+ return new HashSet<String>(Arrays.asList(found));
+ }
+
+ private static String getInsecureDeviceAdbCommand(String path, String type) {
+ return String.format(INSECURE_DEVICE_ADB_COMMAND, path, type);
+ }
+}
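Review bot: testAllCharacterDevicesAreSecure passes vacuously when the scan itself fails, because INSECURE_DEVICE_ADB_COMMAND discards stderr with `2>/dev/null` and getAllInsecureDevicesInDirAndSubdir turns empty output into an empty set. The Javadoc on that helper already notes that sepolicy may be needed to search and stat the location, so a denied or failing `find` on the device would look the same as a clean /dev. A cheap guard is to assert on the raw result before filtering, e.g. `assertTrue("scan of /dev did not report /dev/null; find likely failed", insecure.contains("/dev/null"));` placed ahead of `insecure.removeAll(CHAR_DEV_EXCEPTIONS)`, since /dev/null is on the exception list and is therefore presumably expected to be reported. Separately, `output.split("\\s")` produces empty strings for consecutive whitespace (a CR-LF pair, for instance), which would surface as a bogus entry in the failure set; splitting on `"\\s+"` avoids that.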
diff --git a/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java b/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java
index dfe3f6e3aae..43313d0eae2 100644
--- a/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java
+++ b/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java
@@ -809,85 +809,6 @@ public class FileSystemPermissionTest extends AndroidTestCase {
insecure.isEmpty());
}
- private static final Set<File> CHAR_DEV_EXCEPTIONS = new HashSet<File>(
- Arrays.asList(
- // All exceptions should be alphabetical and associated with a bug number.
- new File("/dev/adsprpc-smd"), // b/11710243
- new File("/dev/alarm"), // b/9035217
- new File("/dev/ashmem"),
- new File("/dev/binder"),
- new File("/dev/card0"), // b/13159510
- new File("/dev/renderD128"),
- new File("/dev/renderD129"), // b/23798677
- new File("/dev/dri/card0"), // b/13159510
- new File("/dev/dri/renderD128"),
- new File("/dev/dri/renderD129"), // b/23798677
- new File("/dev/felica"), // b/11142586
- new File("/dev/felica_ant"), // b/11142586
- new File("/dev/felica_cen"), // b/11142586
- new File("/dev/felica_pon"), // b/11142586
- new File("/dev/felica_rfs"), // b/11142586
- new File("/dev/felica_rws"), // b/11142586
- new File("/dev/felica_uicc"), // b/11142586
- new File("/dev/full"),
- new File("/dev/galcore"),
- new File("/dev/genlock"), // b/9035217
- new File("/dev/graphics/galcore"),
- new File("/dev/ion"),
- new File("/dev/kgsl-2d0"), // b/11271533
- new File("/dev/kgsl-2d1"), // b/11271533
- new File("/dev/kgsl-3d0"), // b/9035217
- new File("/dev/log/events"), // b/9035217
- new File("/dev/log/main"), // b/9035217
- new File("/dev/log/radio"), // b/9035217
- new File("/dev/log/system"), // b/9035217
- new File("/dev/mali0"), // b/9106968
- new File("/dev/mali"), // b/11142586
- new File("/dev/mm_interlock"), // b/12955573
- new File("/dev/mm_isp"), // b/12955573
- new File("/dev/mm_v3d"), // b/12955573
- new File("/dev/msm_rotator"), // b/9035217
- new File("/dev/null"),
- new File("/dev/nvhost-as-gpu"),
- new File("/dev/nvhost-ctrl"), // b/9088251
- new File("/dev/nvhost-ctrl-gpu"),
- new File("/dev/nvhost-dbg-gpu"),
- new File("/dev/nvhost-gpu"),
- new File("/dev/nvhost-gr2d"), // b/9088251
- new File("/dev/nvhost-gr3d"), // b/9088251
- new File("/dev/nvhost-tsec"),
- new File("/dev/nvhost-prof-gpu"),
- new File("/dev/nvhost-vic"),
- new File("/dev/nvmap"), // b/9088251
- new File("/dev/ptmx"), // b/9088251
- new File("/dev/pvrsrvkm"), // b/9108170
- new File("/dev/pvr_sync"),
- new File("/dev/quadd"),
- new File("/dev/random"),
- new File("/dev/snfc_cen"), // b/11142586
- new File("/dev/snfc_hsel"), // b/11142586
- new File("/dev/snfc_intu_poll"), // b/11142586
- new File("/dev/snfc_rfs"), // b/11142586
- new File("/dev/tegra-throughput"),
- new File("/dev/tiler"), // b/9108170
- new File("/dev/tty"),
- new File("/dev/urandom"),
- new File("/dev/ump"), // b/11142586
- new File("/dev/xt_qtaguid"), // b/9088251
- new File("/dev/zero"),
- new File("/dev/fimg2d"), // b/10428016
- new File("/dev/mobicore-user") // b/10428016
- ));
-
- public void testAllCharacterDevicesAreSecure() throws Exception {
- Set<File> insecure = getAllInsecureDevicesInDirAndSubdir(new File("/dev"), FileUtils.S_IFCHR);
- Set<File> insecurePts = getAllInsecureDevicesInDirAndSubdir(new File("/dev/pts"), FileUtils.S_IFCHR);
- insecure.removeAll(CHAR_DEV_EXCEPTIONS);
- insecure.removeAll(insecurePts);
- assertTrue("Found insecure character devices: " + insecure.toString(),
- insecure.isEmpty());
- }
-
public void testDevRandomWorldReadableAndWritable() throws Exception {
File f = new File("/dev/random");