author | Treehugger Robot <treehugger-gerrit@google.com> | 2016-04-28 20:20:39 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2016-04-28 20:20:39 +0000 |
commit | a96231f250be67dccd12c1cf2049014f55ab6194 (patch) | |
tree | 2c724fa94c970951f420225279f80253e10a3a0d | |
parent | e249caf4b8025d42dc5b8430b5930076c69c5d9e (diff) | |
parent | 7a9c0418f5153976aa47177ed928289d0804dc29 (diff) | |
download | cts-a96231f250be67dccd12c1cf2049014f55ab6194.tar.gz |
Merge "testAllCharacterDevicesAreSecure: move to host side"
-rw-r--r-- | hostsidetests/security/src/android/cts/security/FileSystemPermissionTest.java | 131 | ||||
-rw-r--r-- | tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java | 79 |
2 files changed, 131 insertions, 79 deletions
diff --git a/hostsidetests/security/src/android/cts/security/FileSystemPermissionTest.java b/hostsidetests/security/src/android/cts/security/FileSystemPermissionTest.java
new file mode 100644
index 00000000000..56cc87a8176
--- /dev/null
+++ b/hostsidetests/security/src/android/cts/security/FileSystemPermissionTest.java
@@ -0,0 +1,131 @@
+package android.cts.security;
+
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.testtype.DeviceTestCase;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+public class FileSystemPermissionTest extends DeviceTestCase {
+
+ /**
+ * A reference to the device under test.
+ */
+ private ITestDevice mDevice;
+
+ /**
+ * Used to build the find command for finding insecure file system components
+ */
+ private static final String INSECURE_DEVICE_ADB_COMMAND = "find %s -type %s -perm /o=rwx 2>/dev/null";
+
+ /**
+ * Whitelist exceptions of allowed world accessbale char files under /dev
+ */
+ private static final Set<String> CHAR_DEV_EXCEPTIONS = new HashSet<String>(
+ Arrays.asList(
+ // All exceptions should be alphabetical and associated with a bug number.
+ "/dev/adsprpc-smd", // b/11710243
+ "/dev/alarm", // b/9035217
+ "/dev/ashmem",
+ "/dev/binder",
+ "/dev/card0", // b/13159510
+ "/dev/renderD128",
+ "/dev/renderD129", // b/23798677
+ "/dev/dri/card0", // b/13159510
+ "/dev/dri/renderD128",
+ "/dev/dri/renderD129", // b/23798677
+ "/dev/felica", // b/11142586
+ "/dev/felica_ant", // b/11142586
+ "/dev/felica_cen", // b/11142586
+ "/dev/felica_pon", // b/11142586
+ "/dev/felica_rfs", // b/11142586
+ "/dev/felica_rws", // b/11142586
+ "/dev/felica_uicc", // b/11142586
+ "/dev/full",
+ "/dev/galcore",
+ "/dev/genlock", // b/9035217
+ "/dev/graphics/galcore",
+ "/dev/ion",
+ "/dev/kgsl-2d0", // b/11271533
+ "/dev/kgsl-2d1", // b/11271533
+ "/dev/kgsl-3d0", // b/9035217
+ "/dev/log/events", // b/9035217
+ "/dev/log/main", // b/9035217
+ "/dev/log/radio", // b/9035217
+ "/dev/log/system", // b/9035217
+ "/dev/mali0", // b/9106968
+ "/dev/mali", // b/11142586
+ "/dev/mm_interlock", // b/12955573
+ "/dev/mm_isp", // b/12955573
+ "/dev/mm_v3d", // b/12955573
+ "/dev/msm_rotator", // b/9035217
+ "/dev/null",
+ "/dev/nvhost-as-gpu",
+ "/dev/nvhost-ctrl", // b/9088251
+ "/dev/nvhost-ctrl-gpu",
+ "/dev/nvhost-dbg-gpu",
+ "/dev/nvhost-gpu",
+ "/dev/nvhost-gr2d", // b/9088251
+ "/dev/nvhost-gr3d", // b/9088251
+ "/dev/nvhost-tsec",
+ "/dev/nvhost-prof-gpu",
+ "/dev/nvhost-vic",
+ "/dev/nvmap", // b/9088251
+ "/dev/ptmx", // b/9088251
+ "/dev/pvrsrvkm", // b/9108170
+ "/dev/pvr_sync",
+ "/dev/quadd",
+ "/dev/random",
+ "/dev/snfc_cen", // b/11142586
+ "/dev/snfc_hsel", // b/11142586
+ "/dev/snfc_intu_poll", // b/11142586
+ "/dev/snfc_rfs", // b/11142586
+ "/dev/tegra-throughput",
+ "/dev/tiler", // b/9108170
+ "/dev/tty",
+ "/dev/urandom",
+ "/dev/ump", // b/11142586
+ "/dev/xt_qtaguid", // b/9088251
+ "/dev/zero",
+ "/dev/fimg2d", // b/10428016
+ "/dev/mobicore-user" // b/10428016
+ ));
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ mDevice = getDevice();
+ }
+
+ public void testAllCharacterDevicesAreSecure() throws DeviceNotAvailableException {
+ Set <String> insecure = getAllInsecureDevicesInDirAndSubdir("/dev", "c");
+ Set <String> insecurePts = getAllInsecureDevicesInDirAndSubdir("/dev/pts", "c");
+ insecure.removeAll(CHAR_DEV_EXCEPTIONS);
+ insecure.removeAll(insecurePts);
+ assertTrue("Found insecure character devices: " + insecure.toString(),
+ insecure.isEmpty());
+ }
+
+ /**
+ * Searches for all world accessable files, note this may need sepolicy to search the desired
+ * location and stat files.
+ * @path The path to search, must be a directory.
+ * @type The type of file to search for, must be a valid find command argument to the type
+ * option.
+ * @returns The set of insecure fs objects found.
+ */
+ private Set<String> getAllInsecureDevicesInDirAndSubdir(String path, String type) throws DeviceNotAvailableException {
+
+ String cmd = getInsecureDeviceAdbCommand(path, type);
+ String output = mDevice.executeShellCommand(cmd);
+ // Splitting an empty string results in an array of an empty string.
+ String [] found = output.length() > 0 ? output.split("\\s") : new String[0];
+ return new HashSet<String>(Arrays.asList(found));
+ }
+
+ private static String getInsecureDeviceAdbCommand(String path, String type) {
+ return String.format(INSECURE_DEVICE_ADB_COMMAND, path, type);
+ }
+}
diff --git a/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java b/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java
index dfe3f6e3aae..43313d0eae2 100644
--- a/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java
+++ b/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java
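Review bot: `testAllCharacterDevicesAreSecure` in the new host-side file passes whenever the scan itself fails, because `INSECURE_DEVICE_ADB_COMMAND` discards stderr with `2>/dev/null` and `getAllInsecureDevicesInDirAndSubdir` maps empty output to an empty set. If `find` is absent on the device, rejects `-perm /o=rwx`, or is blocked by sepolicy (which the helper's Javadoc already hints at), nothing is reported and the assertion succeeds without having checked anything. Before the two `removeAll` calls, confirm the scan saw a device that the exception list itself treats as world-accessible, e.g. `assertTrue("find returned no baseline entry; scan may have failed", insecure.contains("/dev/null"));`. Separately, `output.split("\\s")` would produce empty-string entries if the shell output uses `\r\n` line endings (not verifiable from this hunk), failing the test with a blank device name; `split("\\s+")` avoids that.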
@@ -809,85 +809,6 @@ public class FileSystemPermissionTest extends AndroidTestCase { insecure.isEmpty()); } - private static final Set<File> CHAR_DEV_EXCEPTIONS = new HashSet<File>( - Arrays.asList( - // All exceptions should be alphabetical and associated with a bug number. - new File("/dev/adsprpc-smd"), // b/11710243 - new File("/dev/alarm"), // b/9035217 - new File("/dev/ashmem"), - new File("/dev/binder"), - new File("/dev/card0"), // b/13159510 - new File("/dev/renderD128"), - new File("/dev/renderD129"), // b/23798677 - new File("/dev/dri/card0"), // b/13159510 - new File("/dev/dri/renderD128"), - new File("/dev/dri/renderD129"), // b/23798677 - new File("/dev/felica"), // b/11142586 - new File("/dev/felica_ant"), // b/11142586 - new File("/dev/felica_cen"), // b/11142586 - new File("/dev/felica_pon"), // b/11142586 - new File("/dev/felica_rfs"), // b/11142586 - new File("/dev/felica_rws"), // b/11142586 - new File("/dev/felica_uicc"), // b/11142586 - new File("/dev/full"), - new File("/dev/galcore"), - new File("/dev/genlock"), // b/9035217 - new File("/dev/graphics/galcore"), - new File("/dev/ion"), - new File("/dev/kgsl-2d0"), // b/11271533 - new File("/dev/kgsl-2d1"), // b/11271533 - new File("/dev/kgsl-3d0"), // b/9035217 - new File("/dev/log/events"), // b/9035217 - new File("/dev/log/main"), // b/9035217 - new File("/dev/log/radio"), // b/9035217 - new File("/dev/log/system"), // b/9035217 - new File("/dev/mali0"), // b/9106968 - new File("/dev/mali"), // b/11142586 - new File("/dev/mm_interlock"), // b/12955573 - new File("/dev/mm_isp"), // b/12955573 - new File("/dev/mm_v3d"), // b/12955573 - new File("/dev/msm_rotator"), // b/9035217 - new File("/dev/null"), - new File("/dev/nvhost-as-gpu"), - new File("/dev/nvhost-ctrl"), // b/9088251 - new File("/dev/nvhost-ctrl-gpu"), - new File("/dev/nvhost-dbg-gpu"), - new File("/dev/nvhost-gpu"), - new File("/dev/nvhost-gr2d"), // b/9088251 - new File("/dev/nvhost-gr3d"), // b/9088251 - new 
File("/dev/nvhost-tsec"), - new File("/dev/nvhost-prof-gpu"), - new File("/dev/nvhost-vic"), - new File("/dev/nvmap"), // b/9088251 - new File("/dev/ptmx"), // b/9088251 - new File("/dev/pvrsrvkm"), // b/9108170 - new File("/dev/pvr_sync"), - new File("/dev/quadd"), - new File("/dev/random"), - new File("/dev/snfc_cen"), // b/11142586 - new File("/dev/snfc_hsel"), // b/11142586 - new File("/dev/snfc_intu_poll"), // b/11142586 - new File("/dev/snfc_rfs"), // b/11142586 - new File("/dev/tegra-throughput"), - new File("/dev/tiler"), // b/9108170 - new File("/dev/tty"), - new File("/dev/urandom"), - new File("/dev/ump"), // b/11142586 - new File("/dev/xt_qtaguid"), // b/9088251 - new File("/dev/zero"), - new File("/dev/fimg2d"), // b/10428016 - new File("/dev/mobicore-user") // b/10428016 - )); - - public void testAllCharacterDevicesAreSecure() throws Exception { - Set<File> insecure = getAllInsecureDevicesInDirAndSubdir(new File("/dev"), FileUtils.S_IFCHR); - Set<File> insecurePts = getAllInsecureDevicesInDirAndSubdir(new File("/dev/pts"), FileUtils.S_IFCHR); - insecure.removeAll(CHAR_DEV_EXCEPTIONS); - insecure.removeAll(insecurePts); - assertTrue("Found insecure character devices: " + insecure.toString(), - insecure.isEmpty()); - } - public void testDevRandomWorldReadableAndWritable() throws Exception { File f = new File("/dev/random"); |