commit c666bb982ceebc71e25b360884c5469d5b37c759
author Piyush Mehrotra <piee@google.com> Thu Jul 27 19:27:02 2023 +0000
committer Piyush Mehrotra <piee@google.com> Wed Aug 23 14:57:09 2023 +0000
tree 63664522205a8e95b5f8dcfd21ae460468221f07
parent 307bc9464c8d89a73d018032e076e5fb026b138d

[DO NOT MERGE] Test backupAgentCreated() for caller outside of package

Adds test which checks the behavior when AM.backupAgentCreated() is called for a package which doesn't belong to the caller.

Bug: 289549315
Test: atest android.security.cts.ActivityManagerTest#testActivityManager_backupAgentCreated_rejectIfCallerUidNotEqualsPackageUid
Change-Id: Ifcf46e774109903ab2e977d287b5f8cb40b76838

tests/tests/security/src/android/security/cts/ActivityManagerTest.java

diff --git a/tests/tests/security/src/android/security/cts/ActivityManagerTest.java b/tests/tests/security/src/android/security/cts/ActivityManagerTest.java
index 116d21e..197b1a8 100644
--- a/tests/tests/security/src/android/security/cts/ActivityManagerTest.java
+++ b/tests/tests/security/src/android/security/cts/ActivityManagerTest.java
@@ -262,6 +262,41 @@
         assertNull(activity.mReceivedTransition);
     }
 
+    @AsbSecurityTest(cveBugId = 289549315)
+    @Test
+    public void testActivityManager_backupAgentCreated_rejectIfCallerUidNotEqualsPackageUid()
+            throws Exception {
+        SecurityException securityException = null;
+        Exception unexpectedException = null;
+        try {
+            final Object iam = ActivityManager.class.getDeclaredMethod("getService").invoke(null);
+            Class.forName("android.app.IActivityManager").getDeclaredMethod("backupAgentCreated",
+                            String.class, IBinder.class, int.class)
+                    .invoke(iam, /* agentPackageName*/ "android", /* agent */ null, /* userId */ 0);
+        } catch (SecurityException e) {
+            securityException = e;
+        } catch (InvocationTargetException e) {
+            if (e.getCause() instanceof SecurityException) {
+                securityException = (SecurityException) e.getCause();
+            } else {
+                unexpectedException = e;
+            }
+        } catch (Exception e) {
+            unexpectedException = e;
+        }
+        if (unexpectedException != null) {
+            Log.w("ActivityManagerTest", "Unexpected exception", unexpectedException);
+            fail("ActivityManagerNative.backupAgentCreated() API should have thrown "
+                    + "SecurityException when invoked from process with uid not matching target "
+                    + "package uid.");
+        }
+
+        assertNotNull("Expected SecurityException when caller's uid doesn't match package uid",
+                securityException);
+        assertEquals("android does not belong to uid " + Process.myUid(),
+                securityException.getMessage());
+    }
+
     /**
      * Run ActivityManager.getHistoricalProcessExitReasons once, return the time spent on it.
      */