testAllCharacterDevicesAreSecure: move to host side

Move testAllCharacterDevicesAreSecure() to a host side test.
Currently, this CTS test is unable to enumerate devices on /dev
because SE Linux policy is blocking it. Rather than open this
access to untrusted_app domain, move the test host side where
shell domain shall be granted access.

bug: 28306036
Change-Id: Ie75366f0efe88a0d265d62b6cdc8014827e2e069
diff --git a/hostsidetests/security/src/android/cts/security/FileSystemPermissionTest.java b/hostsidetests/security/src/android/cts/security/FileSystemPermissionTest.java
new file mode 100644
index 0000000..56cc87a
--- /dev/null
+++ b/hostsidetests/security/src/android/cts/security/FileSystemPermissionTest.java
@@ -0,0 +1,131 @@
+package android.cts.security;
+
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.device.DeviceNotAvailableException;
+import com.android.tradefed.testtype.DeviceTestCase;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+public class FileSystemPermissionTest extends DeviceTestCase {
+
+   /**
+    * A reference to the device under test.
+    */
+    private ITestDevice mDevice;
+
+    /**
+     * Used to build the find command for finding insecure file system components
+     */
+    private static final String INSECURE_DEVICE_ADB_COMMAND = "find %s -type %s -perm /o=rwx 2>/dev/null";
+
+    /**
+     * Whitelist exceptions of allowed world accessbale char files under /dev
+     */
+    private static final Set<String> CHAR_DEV_EXCEPTIONS = new HashSet<String>(
+        Arrays.asList(
+            // All exceptions should be alphabetical and associated with a bug number.
+            "/dev/adsprpc-smd", // b/11710243
+            "/dev/alarm",      // b/9035217
+            "/dev/ashmem",
+            "/dev/binder",
+            "/dev/card0",       // b/13159510
+            "/dev/renderD128",
+            "/dev/renderD129",  // b/23798677
+            "/dev/dri/card0",   // b/13159510
+            "/dev/dri/renderD128",
+            "/dev/dri/renderD129", // b/23798677
+            "/dev/felica",     // b/11142586
+            "/dev/felica_ant", // b/11142586
+            "/dev/felica_cen", // b/11142586
+            "/dev/felica_pon", // b/11142586
+            "/dev/felica_rfs", // b/11142586
+            "/dev/felica_rws", // b/11142586
+            "/dev/felica_uicc", // b/11142586
+            "/dev/full",
+            "/dev/galcore",
+            "/dev/genlock",    // b/9035217
+            "/dev/graphics/galcore",
+            "/dev/ion",
+            "/dev/kgsl-2d0",   // b/11271533
+            "/dev/kgsl-2d1",   // b/11271533
+            "/dev/kgsl-3d0",   // b/9035217
+            "/dev/log/events", // b/9035217
+            "/dev/log/main",   // b/9035217
+            "/dev/log/radio",  // b/9035217
+            "/dev/log/system", // b/9035217
+            "/dev/mali0",       // b/9106968
+            "/dev/mali",        // b/11142586
+            "/dev/mm_interlock", // b/12955573
+            "/dev/mm_isp",      // b/12955573
+            "/dev/mm_v3d",      // b/12955573
+            "/dev/msm_rotator", // b/9035217
+            "/dev/null",
+            "/dev/nvhost-as-gpu",
+            "/dev/nvhost-ctrl", // b/9088251
+            "/dev/nvhost-ctrl-gpu",
+            "/dev/nvhost-dbg-gpu",
+            "/dev/nvhost-gpu",
+            "/dev/nvhost-gr2d", // b/9088251
+            "/dev/nvhost-gr3d", // b/9088251
+            "/dev/nvhost-tsec",
+            "/dev/nvhost-prof-gpu",
+            "/dev/nvhost-vic",
+            "/dev/nvmap",       // b/9088251
+            "/dev/ptmx",        // b/9088251
+            "/dev/pvrsrvkm",    // b/9108170
+            "/dev/pvr_sync",
+            "/dev/quadd",
+            "/dev/random",
+            "/dev/snfc_cen",    // b/11142586
+            "/dev/snfc_hsel",   // b/11142586
+            "/dev/snfc_intu_poll", // b/11142586
+            "/dev/snfc_rfs",    // b/11142586
+            "/dev/tegra-throughput",
+            "/dev/tiler",       // b/9108170
+            "/dev/tty",
+            "/dev/urandom",
+            "/dev/ump",         // b/11142586
+            "/dev/xt_qtaguid",  // b/9088251
+            "/dev/zero",
+            "/dev/fimg2d",      // b/10428016
+            "/dev/mobicore-user" // b/10428016
+    ));
+
+    @Override
+    protected void setUp() throws Exception {
+        super.setUp();
+        mDevice = getDevice();
+    }
+
+    public void testAllCharacterDevicesAreSecure() throws DeviceNotAvailableException {
+        Set <String> insecure = getAllInsecureDevicesInDirAndSubdir("/dev", "c");
+        Set <String> insecurePts = getAllInsecureDevicesInDirAndSubdir("/dev/pts", "c");
+        insecure.removeAll(CHAR_DEV_EXCEPTIONS);
+        insecure.removeAll(insecurePts);
+        assertTrue("Found insecure character devices: " + insecure.toString(),
+                insecure.isEmpty());
+    }
+
+    /**
+     * Searches for all world accessable files, note this may need sepolicy to search the desired
+     * location and stat files.
+     * @path The path to search, must be a directory.
+     * @type The type of file to search for, must be a valid find command argument to the type
+     *       option.
+     * @returns The set of insecure fs objects found.
+     */
+    private Set<String> getAllInsecureDevicesInDirAndSubdir(String path, String type) throws DeviceNotAvailableException {
+
+        String cmd = getInsecureDeviceAdbCommand(path, type);
+        String output = mDevice.executeShellCommand(cmd);
+        // Splitting an empty string results in an array of an empty string.
+        String [] found = output.length() > 0 ? output.split("\\s") : new String[0];
+        return new HashSet<String>(Arrays.asList(found));
+    }
+
+    private static String getInsecureDeviceAdbCommand(String path, String type) {
+        return String.format(INSECURE_DEVICE_ADB_COMMAND, path, type);
+    }
+}
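Review bot: This test fails open. `INSECURE_DEVICE_ADB_COMMAND` discards stderr with `2>/dev/null`, and `getAllInsecureDevicesInDirAndSubdir` maps empty output to an empty set, so a `find` that cannot run or is denied access to `/dev` makes `testAllCharacterDevicesAreSecure` pass without checking anything. That is the same enumeration failure the commit message describes for the device-side test, only now it would be silent. A sanity check before the `removeAll` calls would catch it, using a node the exception list already treats as world-accessible: `assertTrue("find did not report /dev/null; enumeration of /dev likely failed", insecure.contains("/dev/null"));`. Separately, `output.split("\\s")` splits on single whitespace characters, so if the shell output uses `\r\n` line endings it would put empty strings into the set and fail the test with a confusing message; `output.trim().split("\\s+")` avoids that.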
diff --git a/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java b/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java
index dfe3f6e..43313d0 100644
--- a/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java
+++ b/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java
@@ -809,85 +809,6 @@
                 insecure.isEmpty());
     }
 
-    private static final Set<File> CHAR_DEV_EXCEPTIONS = new HashSet<File>(
-            Arrays.asList(
-                // All exceptions should be alphabetical and associated with a bug number.
-                new File("/dev/adsprpc-smd"), // b/11710243
-                new File("/dev/alarm"),      // b/9035217
-                new File("/dev/ashmem"),
-                new File("/dev/binder"),
-                new File("/dev/card0"),       // b/13159510
-                new File("/dev/renderD128"),
-                new File("/dev/renderD129"),  // b/23798677
-                new File("/dev/dri/card0"),   // b/13159510
-                new File("/dev/dri/renderD128"),
-                new File("/dev/dri/renderD129"), // b/23798677
-                new File("/dev/felica"),     // b/11142586
-                new File("/dev/felica_ant"), // b/11142586
-                new File("/dev/felica_cen"), // b/11142586
-                new File("/dev/felica_pon"), // b/11142586
-                new File("/dev/felica_rfs"), // b/11142586
-                new File("/dev/felica_rws"), // b/11142586
-                new File("/dev/felica_uicc"), // b/11142586
-                new File("/dev/full"),
-                new File("/dev/galcore"),
-                new File("/dev/genlock"),    // b/9035217
-                new File("/dev/graphics/galcore"),
-                new File("/dev/ion"),
-                new File("/dev/kgsl-2d0"),   // b/11271533
-                new File("/dev/kgsl-2d1"),   // b/11271533
-                new File("/dev/kgsl-3d0"),   // b/9035217
-                new File("/dev/log/events"), // b/9035217
-                new File("/dev/log/main"),   // b/9035217
-                new File("/dev/log/radio"),  // b/9035217
-                new File("/dev/log/system"), // b/9035217
-                new File("/dev/mali0"),       // b/9106968
-                new File("/dev/mali"),        // b/11142586
-                new File("/dev/mm_interlock"), // b/12955573
-                new File("/dev/mm_isp"),      // b/12955573
-                new File("/dev/mm_v3d"),      // b/12955573
-                new File("/dev/msm_rotator"), // b/9035217
-                new File("/dev/null"),
-                new File("/dev/nvhost-as-gpu"),
-                new File("/dev/nvhost-ctrl"), // b/9088251
-                new File("/dev/nvhost-ctrl-gpu"),
-                new File("/dev/nvhost-dbg-gpu"),
-                new File("/dev/nvhost-gpu"),
-                new File("/dev/nvhost-gr2d"), // b/9088251
-                new File("/dev/nvhost-gr3d"), // b/9088251
-                new File("/dev/nvhost-tsec"),
-                new File("/dev/nvhost-prof-gpu"),
-                new File("/dev/nvhost-vic"),
-                new File("/dev/nvmap"),       // b/9088251
-                new File("/dev/ptmx"),        // b/9088251
-                new File("/dev/pvrsrvkm"),    // b/9108170
-                new File("/dev/pvr_sync"),
-                new File("/dev/quadd"),
-                new File("/dev/random"),
-                new File("/dev/snfc_cen"),    // b/11142586
-                new File("/dev/snfc_hsel"),   // b/11142586
-                new File("/dev/snfc_intu_poll"), // b/11142586
-                new File("/dev/snfc_rfs"),    // b/11142586
-                new File("/dev/tegra-throughput"),
-                new File("/dev/tiler"),       // b/9108170
-                new File("/dev/tty"),
-                new File("/dev/urandom"),
-                new File("/dev/ump"),         // b/11142586
-                new File("/dev/xt_qtaguid"),  // b/9088251
-                new File("/dev/zero"),
-                new File("/dev/fimg2d"),      // b/10428016
-                new File("/dev/mobicore-user") // b/10428016
-            ));
-
-    public void testAllCharacterDevicesAreSecure() throws Exception {
-        Set<File> insecure = getAllInsecureDevicesInDirAndSubdir(new File("/dev"), FileUtils.S_IFCHR);
-        Set<File> insecurePts = getAllInsecureDevicesInDirAndSubdir(new File("/dev/pts"), FileUtils.S_IFCHR);
-        insecure.removeAll(CHAR_DEV_EXCEPTIONS);
-        insecure.removeAll(insecurePts);
-        assertTrue("Found insecure character devices: " + insecure.toString(),
-                insecure.isEmpty());
-    }
-
     public void testDevRandomWorldReadableAndWritable() throws Exception {
         File f = new File("/dev/random");