/*
* Copyright (C) 2022 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.security.cts.CVE_2022_20420;
import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
import static org.junit.Assert.assertFalse;
import static org.junit.Assume.assumeNoException;
import static org.junit.Assume.assumeTrue;
import android.app.ActivityManager;
import android.app.UiAutomation;
import android.app.admin.DevicePolicyManager;
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.IDeviceIdleController;
import android.os.PowerExemptionManager;
import android.os.Process;
import android.os.ServiceManager;
import android.platform.test.annotations.AsbSecurityTest;
import androidx.test.runner.AndroidJUnit4;
import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
import org.junit.After;
import org.junit.Test;
import org.junit.runner.RunWith;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;
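/**
 * Security regression test for CVE-2022-20420.
 *
 * <p>The test puts its own package into two states at once: it is added to the power-save
 * allowlist and it is made an active device admin. It then asks
 * {@link ActivityManager#getBackgroundRestrictionExemptionReason(int)} for the exemption reason
 * of its own UID. The device is reported as vulnerable when the reason is
 * {@link PowerExemptionManager#REASON_ALLOWLISTED_PACKAGE}; the only other outcome the test
 * accepts is {@link PowerExemptionManager#REASON_ACTIVE_DEVICE_ADMIN}.
 *
 * <p>Reading results: every setup problem (missing service, timeout waiting for the broadcast,
 * unexpected reason code) is turned into a JUnit assumption failure, so the test is reported as
 * skipped. A skipped run is not evidence that the device is patched.
 */
@RunWith(AndroidJUnit4.class)
public class CVE_2022_20420 extends StsExtraBusinessLogicTestCase {
    private static final int TIMEOUT_MS = 10000;
    private static final int USER_ID = 0;
    // Action the test waits for before querying the exemption reason.
    // NOTE(review): presumably sent by PocDeviceAdminReceiver once the admin is enabled; confirm.
    private static final String POC_BROADCAST_ACTION = "broadcastCVE_2022_20420";

    private Context mContext;
    private DevicePolicyManager mPolicyManager;
    private ComponentName mComponentName;
    private UiAutomation mAutomation;
    private IDeviceIdleController mDeviceIdleService;
    // True only after addPowerSaveWhitelistApp() returned without throwing, so tearDown() never
    // removes an entry this test did not add.
    private boolean mAddedToPowerSaveAllowlist;

    /**
     * Restores the device state changed by the test.
     *
     * <p>Each step runs in its own try block so that a failure in one (for example a null field
     * because the test aborted early) does not skip the remaining cleanup.
     */
    @After
    public void tearDown() {
        try {
            if (mAddedToPowerSaveAllowlist) {
                // Runs before the shell identity is dropped, i.e. under the same adopted
                // permissions that were in effect when the entry was added.
                mDeviceIdleService.removePowerSaveWhitelistApp(mContext.getPackageName());
            }
        } catch (Exception ignored) {
            // Best-effort cleanup: the test has already completed.
        }
        try {
            mAutomation.dropShellPermissionIdentity();
        } catch (Exception ignored) {
            // Best-effort cleanup: the test has already completed.
        }
        try {
            mPolicyManager.removeActiveAdmin(mComponentName);
        } catch (Exception ignored) {
            // Best-effort cleanup: the test has already completed.
        }
    }

    /**
     * Fails when an app that is both allowlisted for power save and an active device admin is
     * reported with {@code REASON_ALLOWLISTED_PACKAGE}.
     */
    // NOTE(review): cveBugId below (238477311) differs from the bug number in the assertion
    // message (b/238377411). One of the two looks like a digit transposition; confirm which is
    // correct so that reports and the ASB mapping point at the same bug.
    @AsbSecurityTest(cveBugId = 238477311)
    @Test
    public void testDeviceAdminAppRestricted() {
        try {
            mContext = getInstrumentation().getTargetContext();
            mAutomation = getInstrumentation().getUiAutomation();
            mAutomation.adoptShellPermissionIdentity(
                    android.Manifest.permission.DEVICE_POWER,
                    android.Manifest.permission.MANAGE_DEVICE_ADMINS,
                    android.Manifest.permission.INTERACT_ACROSS_USERS_FULL);

            // Add test app to Power Save Whitelist.
            mDeviceIdleService =
                    IDeviceIdleController.Stub.asInterface(
                            ServiceManager.getService("deviceidle"));
            mDeviceIdleService.addPowerSaveWhitelistApp(mContext.getPackageName());
            mAddedToPowerSaveAllowlist = true;

            // Set test app as "Active Admin".
            mPolicyManager = mContext.getSystemService(DevicePolicyManager.class);
            mComponentName = new ComponentName(mContext, PocDeviceAdminReceiver.class);
            mPolicyManager.setActiveAdmin(mComponentName, true, USER_ID);

            // Block until the PoC broadcast arrives; a timeout is caught below and becomes an
            // assumption failure.
            CompletableFuture<Boolean> future = new CompletableFuture<>();
            BroadcastReceiver broadcastReceiver =
                    new BroadcastReceiver() {
                        @Override
                        public void onReceive(Context context, Intent intent) {
                            future.complete(true);
                        }
                    };
            mContext.registerReceiver(broadcastReceiver, new IntentFilter(POC_BROADCAST_ACTION));
            try {
                future.get(TIMEOUT_MS, TimeUnit.MILLISECONDS);
            } finally {
                // The receiver is only needed for this wait; unregister it on every path so it
                // is not left registered on the target context.
                mContext.unregisterReceiver(broadcastReceiver);
            }

            // Call vulnerable function getBackgroundRestrictionExemptionReason()
            ActivityManager activityManager = mContext.getSystemService(ActivityManager.class);
            int reason = activityManager.getBackgroundRestrictionExemptionReason(Process.myUid());

            // Any other reason code means the preconditions were not established, so the
            // result would say nothing about the vulnerability.
            assumeTrue(
                    "Reason code other than REASON_ACTIVE_DEVICE_ADMIN/REASON_ALLOWLISTED_PACKAGE"
                            + " returned by getBackgroundRestrictionExemptionReason() = " + reason,
                    reason == PowerExemptionManager.REASON_ACTIVE_DEVICE_ADMIN
                            || reason == PowerExemptionManager.REASON_ALLOWLISTED_PACKAGE);
            assertFalse("Vulnerable to b/238377411 !!",
                    reason == PowerExemptionManager.REASON_ALLOWLISTED_PACKAGE);
        } catch (Exception e) {
            // assertFalse() throws AssertionError, which is not an Exception, so a real
            // failure is not swallowed here; everything else is reported as a skipped test.
            assumeNoException(e);
        }
    }
}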