BannedFilesTest: Assert no su on device
Assert that the "su" command does not exist.
Special note: This will FAIL on userdebug devices, but should
always pass on user devices.
Change-Id: Ia44b5fadf746ab8fbf03bc8bf262e7823e4ca04f
diff --git a/tests/tests/security/src/android/security/cts/BannedFilesTest.java b/tests/tests/security/src/android/security/cts/BannedFilesTest.java
index b4deed5..132d8cb 100644
--- a/tests/tests/security/src/android/security/cts/BannedFilesTest.java
+++ b/tests/tests/security/src/android/security/cts/BannedFilesTest.java
@@ -26,6 +26,26 @@
assertNotSetugid("/system/bin/sync_agent");
}
+ public void testNoSu() {
+ assertFalse("/sbin/su", new File("/sbin/su").exists());
+ assertFalse("/system/bin/su", new File("/system/bin/su").exists());
+ assertFalse("/system/sbin/su", new File("/system/sbin/su").exists());
+ assertFalse("/system/xbin/su", new File("/system/xbin/su").exists());
+ assertFalse("/vendor/bin/su", new File("/vendor/bin/su").exists());
+ }
+
+ public void testNoSuInPath() {
+ String path = System.getenv("PATH");
+ if (path == null) {
+ return;
+ }
+ String[] elems = path.split(":");
+ for (String i : elems) {
+ File f = new File(i, "su");
+ assertFalse(f.getAbsolutePath() + " exists", f.exists());
+ }
+ }
+
/**
* setuid or setgid "ip" command can be used to modify the
* routing tables of a device, potentially allowing a malicious
