Scope ProcessMustUseSeccompTest
On non-treble devices enforce that media.codec uses seccomp.
On Treble devices enforce that omx HAL (previously media.codec)
uses seccomp.
Only enforce that configstore HAL has a seccomp filter on
arm64 devices.
Bug: 65446454
Bug: 65446707
Test: On bullhead
cts-tradefed run cts -m CtsSecurityHostTestCases
-t android.security.cts.ProcessMustUseSeccompTest
ProcessMustUseSeccompTest#testConfigStoreHalHasSeccompFilter pass
ProcessMustUseSeccompTest#testMediaextractorHasSeccompFilter pass
ProcessMustUseSeccompTest#testOmxHalHasSeccompFilter pass
Change-Id: Ifd802592c9ce900c537627268c721aed1fbdec91
diff --git a/common/host-side/util/src/com/android/compatibility/common/util/CpuFeatures.java b/common/host-side/util/src/com/android/compatibility/common/util/CpuFeatures.java
new file mode 100644
index 0000000..5f7fae2
--- /dev/null
+++ b/common/host-side/util/src/com/android/compatibility/common/util/CpuFeatures.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.compatibility.common.util;
+import com.android.tradefed.device.CollectingOutputReceiver;
+
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.device.ITestDevice;
+
+/**
+ * Host-side utility class for reading properties and gathering information for testing
+ * Android device compatibility.
+ */
+public class CpuFeatures {
+
+ /**
+ * Return true if architecture is arm64.
+ */
+ public static boolean isArm64(ITestDevice device) throws DeviceNotAvailableException {
+
+ CollectingOutputReceiver Out = new CollectingOutputReceiver();
+ device.executeShellCommand("uname -m", Out);
+ String arch = Out.getOutput().trim();
+ return arch.contains("aarch64");
+ }
+}
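Review bot: `isArm64` returns false for any output that does not contain `aarch64`, including an empty string if `uname -m` produces nothing, and ProcessMustUseSeccompTest uses that result to decide whether a seccomp assertion runs at all. An empty or unexpected result is therefore read as "not arm64", and the check is skipped rather than failed. I would treat empty output as an error, for example `if (arch.isEmpty()) throw new IllegalStateException("uname -m returned no output");`. The Javadoc should also say that the method reports the kernel machine string from `uname -m`. Minor: the local `Out` should be `out`, and the class Javadoc describes a property reader rather than this class.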
diff --git a/hostsidetests/security/src/android/cts/security/ProcessMustUseSeccompTest.java b/hostsidetests/security/src/android/cts/security/ProcessMustUseSeccompTest.java
index dcd6522..eccd117 100644
--- a/hostsidetests/security/src/android/cts/security/ProcessMustUseSeccompTest.java
+++ b/hostsidetests/security/src/android/cts/security/ProcessMustUseSeccompTest.java
@@ -15,6 +15,8 @@
*/
package android.security.cts;
+import com.android.compatibility.common.util.CpuFeatures;
+import com.android.compatibility.common.util.PropertyUtil;
import com.android.tradefed.device.CollectingOutputReceiver;
import com.android.tradefed.device.DeviceNotAvailableException;
import com.android.tradefed.device.ITestDevice;
@@ -41,6 +43,10 @@
super.tearDown();
}
+ private boolean isFullTrebleDevice() throws DeviceNotAvailableException {
+ return PropertyUtil.getFirstApiLevel(mDevice) > 25;
+ }
+
/*
* Get the PID of process "Name" using "Cmd". If prefix == True only do
* prefix matching. This is used for HALs which are versioned
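Review bot: `isFullTrebleDevice()` infers Treble support from `getFirstApiLevel(mDevice) > 25`, with nothing explaining the bare 25 or why first API level is the right proxy. The result selects which process the seccomp check targets, so the assumption should be written down next to the comparison. A comment such as `// Devices that first shipped with API level 26 (Android 8.0) or later are expected to be Treble devices; older launches are treated as non-Treble even after an upgrade.` would make it reviewable, assuming that matches the intent. The block comment that follows the method continues outside this hunk.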
@@ -104,7 +110,9 @@
}
public void testConfigStoreHalHasSeccompFilter() throws DeviceNotAvailableException {
- assertSeccompFilter("android.hardware.configstore", LSHAL_CMD, true);
+ if (CpuFeatures.isArm64(mDevice)) {
+ assertSeccompFilter("android.hardware.configstore", LSHAL_CMD, true);
+ }
}
public void testMediaextractorHasSeccompFilter() throws DeviceNotAvailableException {
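Review bot: On a device where `CpuFeatures.isArm64(mDevice)` is false, `testConfigStoreHalHasSeccompFilter` now returns without asserting anything, so the run is reported as a pass even though the configstore HAL was never checked. A reader of the results cannot tell "has a seccomp filter" from "not examined". I would add an else branch that logs the skip, and a comment giving the reason for the restriction, for example `// Seccomp for the configstore HAL is only enforced on arm64; on other architectures this test passes without checking anything.`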
@@ -112,6 +120,10 @@
}
public void testOmxHalHasSeccompFilter() throws DeviceNotAvailableException {
- assertSeccompFilter("android.hardware.media.omx", LSHAL_CMD, true);
+ if (isFullTrebleDevice()) {
+ assertSeccompFilter("android.hardware.media.omx", LSHAL_CMD, true);
+ } else {
+ assertSeccompFilter("media.codec", PS_CMD, false);
+ }
}
}
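Review bot: The name `testOmxHalHasSeccompFilter` no longer describes what runs when `isFullTrebleDevice()` is false, because the else branch checks the `media.codec` process through `PS_CMD` with prefix matching turned off. The two branches differ in target, lookup command and matching mode, and none of that is explained in the code. A comment above the method would cover it, for example `// Treble devices: the versioned omx HAL, prefix-matched via LSHAL_CMD. Other devices: the media.codec process, matched by full name via PS_CMD.`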