Merge "Fix SECURITY_MODEL_COMPATIBLE tests" into sc-dev am: 69a9342bb1 am: af0127e9ec
Original change: https://googleplex-android-review.googlesource.com/c/platform/cts/+/15391169
Change-Id: Iad643044a63664ab10473ad7fb3adbf09e01eef9
diff --git a/apps/CtsVerifier/src/com/android/cts/verifier/security/SecurityModeFeatureVerifierActivity.java b/apps/CtsVerifier/src/com/android/cts/verifier/security/SecurityModeFeatureVerifierActivity.java
index 256893b..d7e6ddb 100644
--- a/apps/CtsVerifier/src/com/android/cts/verifier/security/SecurityModeFeatureVerifierActivity.java
+++ b/apps/CtsVerifier/src/com/android/cts/verifier/security/SecurityModeFeatureVerifierActivity.java
@@ -16,8 +16,12 @@
package com.android.cts.verifier.security;
+import static android.os.Build.VERSION;
+import static android.os.Build.VERSION_CODES;
+
import android.content.pm.PackageManager;
import android.os.Bundle;
+import android.os.SystemProperties;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;
@@ -30,7 +34,8 @@
/**
* This test confirms that handheld and tablet devices correctly declare the
- * {@link PackageManager#FEATURE_SECURITY_MODEL_COMPATIBLE} feature.
+ * {@link PackageManager#FEATURE_SECURITY_MODEL_COMPATIBLE} feature. Only enforced
+ * on devices that launched with SC or later.
*/
public class SecurityModeFeatureVerifierActivity extends PassFailButtons.Activity {
private ImageView mHandheldOrTabletImage;
@@ -38,6 +43,7 @@
private Button mHandheldOrTabletOkButton;
private Button mHandheldOrTabletNaButton;
private boolean mFeatureAvailable;
+ private boolean mDeviceLaunchedBeforeS;
@Override
protected void onCreate(Bundle savedInstanceState) {
@@ -54,6 +60,10 @@
mHandheldOrTabletOkButton = (Button) findViewById(R.id.handheld_or_tablet_yes);
mHandheldOrTabletNaButton = (Button) findViewById(R.id.handheld_or_tablet_not_applicable);
+ final int firstApiLevel =
+ SystemProperties.getInt("ro.product.first_api_level", VERSION.SDK_INT);
+ mDeviceLaunchedBeforeS = firstApiLevel < VERSION_CODES.S;
+
mFeatureAvailable = getPackageManager()
.hasSystemFeature(PackageManager.FEATURE_SECURITY_MODEL_COMPATIBLE);
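Review bot: The launch-level lookup in onCreate reads `ro.product.first_api_level` by hand with a `VERSION.SDK_INT` fallback, and the same two lines are repeated in SecurityModelFeatureTest.setUp, while the other device-side tests in this commit call `PropertyUtil.getFirstApiLevel()`. If the verifier app can link the compatibility util library (not visible from this hunk), `mDeviceLaunchedBeforeS = PropertyUtil.getFirstApiLevel() < VERSION_CODES.S;` keeps a single definition of "first API level" across the suite. Otherwise a short comment on why the property is read directly would help. onCreate starts and ends outside this hunk.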
@@ -67,7 +77,7 @@
mHandheldOrTabletOkButton.setOnClickListener(new OnClickListener() {
@Override
public void onClick(View v) {
- setTestResultAndFinish(mFeatureAvailable);
+ setTestResultAndFinish(mFeatureAvailable || mDeviceLaunchedBeforeS);
}
});
}
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/ApkVerityInstallTest.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/ApkVerityInstallTest.java
index 8c8a7ca..3524357 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/ApkVerityInstallTest.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/ApkVerityInstallTest.java
@@ -85,12 +85,13 @@
};
}
+ private int mLaunchApiLevel;
@Before
public void setUp() throws DeviceNotAvailableException {
ITestDevice device = getDevice();
String apkVerityMode = device.getProperty("ro.apk_verity.mode");
- assumeTrue(device.getLaunchApiLevel() >= 30
- || APK_VERITY_STANDARD_MODE.equals(apkVerityMode));
+ mLaunchApiLevel = device.getLaunchApiLevel();
+ assumeTrue(mLaunchApiLevel >= 30 || APK_VERITY_STANDARD_MODE.equals(apkVerityMode));
mDmRequireFsVerity = "true".equals(device.getProperty("pm.dexopt.dm.require_fsverity"));
assumeSecurityModelCompat();
}
@@ -432,8 +433,12 @@
}
private void assumeSecurityModelCompat() throws DeviceNotAvailableException {
- assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
- getDevice().hasFeature("feature:android.hardware.security.model.compatible"));
+ // This feature name check only applies to devices that first shipped with
+ // SC or later.
+ if (mLaunchApiLevel >= 31) {
+ assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
+ getDevice().hasFeature("feature:android.hardware.security.model.compatible"));
+ }
}
void verifyFsverityInstall(boolean incremental, String... files) throws Exception {
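Review bot: The bare `31` in assumeSecurityModelCompat is a magic number, and it is repeated in DirectBootHostTest, KernelConfigTest, MetadataEncryptionTest and SELinuxHostTest. PerfEventParanoidTest in the same commit names it `ANDROID_S_API_LEVEL`; a shared constant, or at least `private static final int ANDROID_S_API_LEVEL = 31;` per file, would make the gate self-describing. This file also takes the level from `device.getLaunchApiLevel()` where the other host tests use `PropertyUtil.getFirstApiLevel(...)`. If the two can disagree on a device, the same feature gate would behave differently between test classes, so using one source everywhere is safer.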
diff --git a/hostsidetests/appsecurity/src/android/appsecurity/cts/DirectBootHostTest.java b/hostsidetests/appsecurity/src/android/appsecurity/cts/DirectBootHostTest.java
index bbd0130..0abb593 100644
--- a/hostsidetests/appsecurity/src/android/appsecurity/cts/DirectBootHostTest.java
+++ b/hostsidetests/appsecurity/src/android/appsecurity/cts/DirectBootHostTest.java
@@ -23,9 +23,9 @@
import static org.junit.Assume.assumeFalse;
import static org.junit.Assume.assumeTrue;
-
import android.platform.test.annotations.RequiresDevice;
+import com.android.compatibility.common.util.PropertyUtil;
import com.android.tradefed.device.DeviceNotAvailableException;
import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
import com.android.tradefed.testtype.junit4.BaseHostJUnit4Test;
@@ -203,8 +203,12 @@
getDevice().hasFeature(FEATURE_DEVICE_ADMIN));
assumeTrue("Skipping test: FEATURE_SECURE_LOCK_SCREEN missing.",
getDevice().hasFeature(FEATURE_SECURE_LOCK_SCREEN));
- assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
- getDevice().hasFeature(FEATURE_SECURITY_MODEL_COMPATIBLE));
+ // This feature name check only applies to devices that first shipped with
+ // SC or later.
+ if (PropertyUtil.getFirstApiLevel(getDevice()) >= 31) {
+ assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
+ getDevice().hasFeature("feature:android.hardware.security.model.compatible"));
+ }
}
private boolean isAutomotiveDevice() throws Exception {
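Review bot: The rewritten check swaps the `FEATURE_SECURITY_MODEL_COMPATIBLE` constant used by the removed lines for the raw string `"feature:android.hardware.security.model.compatible"`, while the neighbouring assumptions still use `FEATURE_DEVICE_ADMIN` and `FEATURE_SECURE_LOCK_SCREEN`. Keeping `getDevice().hasFeature(FEATURE_SECURITY_MODEL_COMPATIBLE)` avoids a second copy of the feature name and a constant that may now be unused. The enclosing method starts outside this hunk, so the constant's definition is not visible here.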
diff --git a/hostsidetests/security/src/android/security/cts/KernelConfigTest.java b/hostsidetests/security/src/android/security/cts/KernelConfigTest.java
index 4124125..11be8cb 100644
--- a/hostsidetests/security/src/android/security/cts/KernelConfigTest.java
+++ b/hostsidetests/security/src/android/security/cts/KernelConfigTest.java
@@ -59,11 +59,11 @@
@Before
public void setUp() throws Exception {
- // Assumes every test in this file asserts a requirement of CDD section 9.
- assumeSecurityModelCompat();
mDevice = getDevice();
mBuild = getBuild();
configSet = getDeviceConfig(mDevice, cachedConfigGzSet);
+ // Assumes every test in this file asserts a requirement of CDD section 9.
+ assumeSecurityModelCompat();
}
/*
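Review bot: Moving `assumeSecurityModelCompat()` to the end of setUp means `getDeviceConfig(mDevice, cachedConfigGzSet)` now runs before the skip decision. A device that should be skipped still has its kernel config fetched, and a failure there would surface as a test error rather than a skip. The assumption only needs `mDevice`, so it can sit directly after `mDevice = getDevice();`, which is the order this commit uses in SELinuxHostTest.setUp.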
@@ -406,7 +406,11 @@
}
private void assumeSecurityModelCompat() throws Exception {
- assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
- getDevice().hasFeature("feature:android.hardware.security.model.compatible"));
+ // This feature name check only applies to devices that first shipped with
+ // SC or later.
+ if (PropertyUtil.getFirstApiLevel(mDevice) >= 31) {
+ assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
+ getDevice().hasFeature("feature:android.hardware.security.model.compatible"));
+ }
}
}
diff --git a/hostsidetests/security/src/android/security/cts/MetadataEncryptionTest.java b/hostsidetests/security/src/android/security/cts/MetadataEncryptionTest.java
index f399d7b..20afc7d 100644
--- a/hostsidetests/security/src/android/security/cts/MetadataEncryptionTest.java
+++ b/hostsidetests/security/src/android/security/cts/MetadataEncryptionTest.java
@@ -61,7 +61,11 @@
}
private void assumeSecurityModelCompat() throws Exception {
- assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
- getDevice().hasFeature("feature:android.hardware.security.model.compatible"));
+ // This feature name check only applies to devices that first shipped with
+ // SC or later.
+ if (PropertyUtil.getFirstApiLevel(mDevice) >= 31) {
+ assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
+ getDevice().hasFeature("feature:android.hardware.security.model.compatible"));
+ }
}
}
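Review bot: `PropertyUtil.getFirstApiLevel(mDevice)` depends on `mDevice` already being assigned when assumeSecurityModelCompat() runs, but this file's diff has no setUp hunk; the same applies to PerfEventParanoidTest. In KernelConfigTest and SELinuxHostTest the commit reorders setUp to guarantee that. If setUp here calls the assumption before assigning the field, a null device is passed and the test errors instead of skipping. Using `PropertyUtil.getFirstApiLevel(getDevice())`, as DirectBootHostTest does and as the very next line already does for `hasFeature`, removes the ordering dependency.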
diff --git a/hostsidetests/security/src/android/security/cts/PerfEventParanoidTest.java b/hostsidetests/security/src/android/security/cts/PerfEventParanoidTest.java
index 8db2be3..6122e09 100644
--- a/hostsidetests/security/src/android/security/cts/PerfEventParanoidTest.java
+++ b/hostsidetests/security/src/android/security/cts/PerfEventParanoidTest.java
@@ -42,6 +42,7 @@
private static final String PERF_EVENT_LSM_SYSPROP = "sys.init.perf_lsm_hooks";
private static final int ANDROID_R_API_LEVEL = 30;
+ private static final int ANDROID_S_API_LEVEL = 31;
@Before
public void setUp() throws Exception {
@@ -86,7 +87,11 @@
}
private void assumeSecurityModelCompat() throws DeviceNotAvailableException {
- assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
- getDevice().hasFeature("feature:android.hardware.security.model.compatible"));
+ // This feature name check only applies to devices that first shipped with
+ // SC or later.
+ if (PropertyUtil.getFirstApiLevel(mDevice) >= ANDROID_S_API_LEVEL) {
+ assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
+ getDevice().hasFeature("feature:android.hardware.security.model.compatible"));
+ }
}
}
diff --git a/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java b/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
index 4b8287f..7fc8431 100644
--- a/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
+++ b/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
@@ -155,11 +155,11 @@
@Before
public void setUp() throws Exception {
+ mDevice = getDevice();
+ mBuild = getBuild();
// Assumes every test in this file asserts a requirement of CDD section 9.
assumeSecurityModelCompat();
- mDevice = getDevice();
- mBuild = getBuild();
CompatibilityBuildHelper buildHelper = new CompatibilityBuildHelper(mBuild);
sepolicyAnalyze = copyResourceToTempFile("/sepolicy-analyze");
sepolicyAnalyze.setExecutable(true);
@@ -187,8 +187,12 @@
}
private void assumeSecurityModelCompat() throws Exception {
- assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
- getDevice().hasFeature("feature:android.hardware.security.model.compatible"));
+ // This feature name check only applies to devices that first shipped with
+ // SC or later.
+ if (PropertyUtil.getFirstApiLevel(mDevice) >= 31) {
+ assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
+ getDevice().hasFeature("feature:android.hardware.security.model.compatible"));
+ }
}
/*
diff --git a/tests/tests/hardware/src/android/hardware/cts/SecurityModelFeatureTest.java b/tests/tests/hardware/src/android/hardware/cts/SecurityModelFeatureTest.java
index 8c562c5..810aebc 100644
--- a/tests/tests/hardware/src/android/hardware/cts/SecurityModelFeatureTest.java
+++ b/tests/tests/hardware/src/android/hardware/cts/SecurityModelFeatureTest.java
@@ -16,10 +16,14 @@
package android.hardware.cts;
+import static android.os.Build.VERSION;
+import static android.os.Build.VERSION_CODES;
+
import static org.junit.Assert.assertTrue;
import static org.junit.Assume.assumeTrue;
import android.content.pm.PackageManager;
+import android.os.SystemProperties;
import androidx.test.InstrumentationRegistry;
import androidx.test.runner.AndroidJUnit4;
@@ -43,6 +47,11 @@
@Before
public void setUp() throws Exception {
+ final int firstApiLevel =
+ SystemProperties.getInt("ro.product.first_api_level", VERSION.SDK_INT);
+ assumeTrue("Skipping test: it only applies to devices that first shipped with S or later.",
+ firstApiLevel >= VERSION_CODES.S);
+
mPackageManager = InstrumentationRegistry.getTargetContext().getPackageManager();
mHasSecurityFeature =
mPackageManager.hasSystemFeature(PackageManager.FEATURE_SECURITY_MODEL_COMPATIBLE);
diff --git a/tests/tests/security/native/encryption/FileBasedEncryptionPolicyTest.cpp b/tests/tests/security/native/encryption/FileBasedEncryptionPolicyTest.cpp
index 7051c99..f852553 100644
--- a/tests/tests/security/native/encryption/FileBasedEncryptionPolicyTest.cpp
+++ b/tests/tests/security/native/encryption/FileBasedEncryptionPolicyTest.cpp
@@ -35,6 +35,7 @@
// The relevant Android API levels
#define Q_API_LEVEL 29
#define R_API_LEVEL 30
+#define S_API_LEVEL 31
static int getFirstApiLevel(void) {
int level = property_get_int32("ro.product.first_api_level", 0);
@@ -201,11 +202,6 @@
// fstab has the correct fileencryption= option for the userdata partition. See
// https://source.android.com/security/encryption/file-based.html
TEST(FileBasedEncryptionPolicyTest, allowedPolicy) {
- if(!deviceSupportsFeature("android.hardware.security.model.compatible")) {
- GTEST_SKIP()
- << "Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.";
- return;
- }
int first_api_level = getFirstApiLevel();
struct fscrypt_get_policy_ex_arg arg;
int res;
@@ -221,6 +217,15 @@
GTEST_LOG_(INFO) << "First API level is " << first_api_level;
+ // This feature name check only applies to devices that first shipped with
+ // SC or later.
+ if(first_api_level >= S_API_LEVEL &&
+ !deviceSupportsFeature("android.hardware.security.model.compatible")) {
+ GTEST_SKIP()
+ << "Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.";
+ return;
+ }
+
// Note: SELinux policy allows the shell domain to use these ioctls, but not
// apps. Therefore this test needs to be a real native test that's run
// through the shell, not a JNI test run through an installed APK.
diff --git a/tests/tests/security/native/verified_boot/VerifiedBootTest.cpp b/tests/tests/security/native/verified_boot/VerifiedBootTest.cpp
index 5341e18..625ef66 100644
--- a/tests/tests/security/native/verified_boot/VerifiedBootTest.cpp
+++ b/tests/tests/security/native/verified_boot/VerifiedBootTest.cpp
@@ -43,12 +43,6 @@
// as current recommendations from NIST for hashing algorithms (SHA-256).
// https://source.android.com/compatibility/11/android-11-cdd#9_10_device_integrity
TEST(VerifiedBootTest, avbHashtreeNotUsingSha1) {
- if(!deviceSupportsFeature("android.hardware.security.model.compatible")) {
- GTEST_SKIP()
- << "Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.";
- return;
- }
-
int first_api_level = getFirstApiLevel();
GTEST_LOG_(INFO) << "First API level is " << first_api_level;
if (first_api_level < S_API_LEVEL) {
@@ -57,6 +51,13 @@
return;
}
+ // This feature name check only applies to devices that first shipped with
+ // SC or later. The check above already screens out pre-S devices.
+ if(!deviceSupportsFeature("android.hardware.security.model.compatible")) {
+ GTEST_SKIP()
+ << "Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.";
+ return;
+ }
android::fs_mgr::Fstab fstab;
ASSERT_TRUE(ReadDefaultFstab(&fstab)) << "Failed to read default fstab";
diff --git a/tests/tests/security/src/android/security/cts/EncryptionTest.java b/tests/tests/security/src/android/security/cts/EncryptionTest.java
index 79a5e70..fbef044 100644
--- a/tests/tests/security/src/android/security/cts/EncryptionTest.java
+++ b/tests/tests/security/src/android/security/cts/EncryptionTest.java
@@ -49,10 +49,14 @@
@Before
public void setUp() throws Exception {
Context context = InstrumentationRegistry.getInstrumentation().getContext();
- // Assumes every test in this file asserts a requirement of CDD section 9.
- assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
- context.getPackageManager()
- .hasSystemFeature(PackageManager.FEATURE_SECURITY_MODEL_COMPATIBLE));
+ // This feature name check only applies to devices that first shipped with
+ // SC or later.
+ if (PropertyUtil.getFirstApiLevel() >= Build.VERSION_CODES.S) {
+ // Assumes every test in this file asserts a requirement of CDD section 9.
+ assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
+ !context.getPackageManager()
+ .hasSystemFeature(PackageManager.FEATURE_SECURITY_MODEL_COMPATIBLE));
+ }
}
private void handleUnencryptedDevice() {
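Review bot: The new `assumeTrue` in setUp negates the feature check (`!context.getPackageManager().hasSystemFeature(...)`), which inverts the gate. On a device that launched with S or later and declares FEATURE_SECURITY_MODEL_COMPATIBLE, every test in this file is skipped. On one that lacks the feature, the tests run, which contradicts the "Skipping test: ... missing." message. The removed lines and the sibling hunks in FileIntegrityManagerTest and VerifiedBootTest.java have no `!`. The condition should read `context.getPackageManager().hasSystemFeature(PackageManager.FEATURE_SECURITY_MODEL_COMPATIBLE)`. As written, the encryption requirements silently go unverified on exactly the devices they are meant to cover.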
diff --git a/tests/tests/security/src/android/security/cts/FileIntegrityManagerTest.java b/tests/tests/security/src/android/security/cts/FileIntegrityManagerTest.java
index f011f50..64b3c33 100644
--- a/tests/tests/security/src/android/security/cts/FileIntegrityManagerTest.java
+++ b/tests/tests/security/src/android/security/cts/FileIntegrityManagerTest.java
@@ -22,6 +22,7 @@
import android.content.Context;
import android.content.pm.PackageManager;
+import android.os.Build;
import android.platform.test.annotations.AppModeFull;
import android.platform.test.annotations.RestrictedBuildTest;
import android.security.FileIntegrityManager;
@@ -59,10 +60,14 @@
@Before
public void setUp() throws Exception {
mContext = InstrumentationRegistry.getInstrumentation().getContext();
- // Assumes every test in this file asserts a requirement of CDD section 9.
- assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
- mContext.getPackageManager()
- .hasSystemFeature(PackageManager.FEATURE_SECURITY_MODEL_COMPATIBLE));
+ // This feature name check only applies to devices that first shipped with
+ // SC or later.
+ if (PropertyUtil.getFirstApiLevel() >= Build.VERSION_CODES.S) {
+ // Assumes every test in this file asserts a requirement of CDD section 9.
+ assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
+ mContext.getPackageManager()
+ .hasSystemFeature(PackageManager.FEATURE_SECURITY_MODEL_COMPATIBLE));
+ }
mFileIntegrityManager = mContext.getSystemService(FileIntegrityManager.class);
mCertFactory = CertificateFactory.getInstance("X.509");
diff --git a/tests/tests/security/src/android/security/cts/VerifiedBootTest.java b/tests/tests/security/src/android/security/cts/VerifiedBootTest.java
index 8cf63bd..6342bf4 100644
--- a/tests/tests/security/src/android/security/cts/VerifiedBootTest.java
+++ b/tests/tests/security/src/android/security/cts/VerifiedBootTest.java
@@ -41,10 +41,14 @@
@Before
public void setUp() throws Exception {
mContext = InstrumentationRegistry.getInstrumentation().getContext();
- // Assumes every test in this file asserts a requirement of CDD section 9.
- assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
- mContext.getPackageManager()
- .hasSystemFeature(PackageManager.FEATURE_SECURITY_MODEL_COMPATIBLE));
+ // This feature name check only applies to devices that first shipped with
+ // SC or later.
+ if (PropertyUtil.getFirstApiLevel() >= Build.VERSION_CODES.S) {
+ // Assumes every test in this file asserts a requirement of CDD section 9.
+ assumeTrue("Skipping test: FEATURE_SECURITY_MODEL_COMPATIBLE missing.",
+ mContext.getPackageManager()
+ .hasSystemFeature(PackageManager.FEATURE_SECURITY_MODEL_COMPATIBLE));
+ }
}
private static boolean isLowRamExempt(PackageManager pm) {