Add CTS test to ensure bugreports don't generate SELinux denials.
This test takes a bugreport on the device and ensures that it does not
generate any dumpstate-related denials.
Bug: 73256908
Test: Run on Pixels: cts-tradefed run cts -m CtsSecurityHostTestCases
Test: Delete required SELinux rule, run test, and ensure it fails.
Change-Id: Ie4956869b912e01fb81d83ecf438671d355bf498
(cherry picked from commit 90625dfcdcf715068677836cff4ad17c11d6d8d4)
diff --git a/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java b/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
index 7a9a534..a92ddd9 100644
--- a/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
+++ b/hostsidetests/security/src/android/security/cts/SELinuxHostTest.java
@@ -51,6 +51,7 @@
import java.util.regex.Pattern;
import java.util.Scanner;
import java.util.Set;
+import java.util.stream.Collectors;
/**
* Host-side SELinux tests.
@@ -800,6 +801,28 @@
+ errorString, errorString.length() == 0);
}
+ /**
+ * Tests that taking a bugreport does not produce any dumpstate-related
+ * SELinux denials.
+ *
+ * @throws Exception
+ */
+ public void testNoBugreportDenials() throws Exception {
+ // Take a bugreport and get its logcat output.
+ mDevice.executeAdbCommand("logcat", "-c");
+ mDevice.executeAdbCommand("bugreport");
+ String log = mDevice.executeAdbCommand("logcat", "-d");
+ // Find all the dumpstate-related types and make a regex that will match them.
+ Set<String> types = sepolicyAnalyzeGetTypesAssociatedWithAttribute("hal_dumpstate_server");
+ types.add("dumpstate");
+ String typeRegex = types.stream().collect(Collectors.joining("|"));
+ Pattern p = Pattern.compile("avc: *denied.*scontext=u:(?:r|object_r):(?:" + typeRegex + "):s0.*");
+ // Fail if logcat contains such a denial.
+ Matcher m = p.matcher(log);
+ if (m.find())
+ fail("Found illegal SELinux denial: " + m.group());
+ }
+
/**
* Tests that important domain labels are being appropriately applied.
*/
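Review bot: In `testNoBugreportDenials` the results of `mDevice.executeAdbCommand("bugreport")` and of the `logcat -d` call are never checked, so the test passes vacuously whenever the bugreport did not run or the log could not be read; a test that asserts the absence of denials needs proof that dumpstate was actually exercised. Assuming a failed adb command surfaces as a null or empty return rather than an exception (worth confirming against the device API), capture and assert both: `String report = mDevice.executeAdbCommand("bugreport");`, then `assertNotNull("bugreport produced no output", report);` and `assertNotNull("logcat -d returned no output", log);` before `p.matcher(log)`. Separately, `types.add("dumpstate")` mutates the set returned by `sepolicyAnalyzeGetTypesAssociatedWithAttribute`, whose definition is outside the hunk; if that set can be shared or unmodifiable, copy it into a fresh set before adding. Because the log is cleared before a long-running bugreport, it is also worth confirming that the log buffer cannot wrap before `logcat -d` runs, since early denials would then be lost and the test would still pass.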