Snap for 11698527 from 361bb84fa1fbd1df23002a26f519eb348caadb2f to mainline-appsearch-release Change-Id: I225339a1f3f4dbdc3ef19599f8248ce2ddff3a6c
diff --git a/TEST_MAPPING b/TEST_MAPPING index d17b434..0c4e8e6 100644 --- a/TEST_MAPPING +++ b/TEST_MAPPING
@@ -10,6 +10,9 @@ "name": "MicrodroidTestApp" }, { + "name": "MicrodroidTestAppNoPerm" + }, + { "name": "art_standalone_dexpreopt_tests" }, {
diff --git a/service_vm/test_apk/Android.bp b/service_vm/test_apk/Android.bp new file mode 100644 index 0000000..6007d4c --- /dev/null +++ b/service_vm/test_apk/Android.bp
@@ -0,0 +1,16 @@ +package { + default_applicable_licenses: ["Android-Apache-2.0"], +} + +rust_ffi { + name: "libvm_attestation_test_payload", + crate_name: "vm_attestation_test_payload", + srcs: [":empty_rust_lib_rs"], +} + +// Generates an empty file for rust crate. +genrule { + name: "empty_rust_lib_rs", + out: ["empty_file"], + cmd: "echo '#![allow(missing_docs)]' > $(out)", +}
diff --git a/service_vm/test_apk/aidl/Android.bp b/service_vm/test_apk/aidl/Android.bp new file mode 100644 index 0000000..836d495 --- /dev/null +++ b/service_vm/test_apk/aidl/Android.bp
@@ -0,0 +1,15 @@ +package { + default_team: "trendy_team_virtualization", + default_applicable_licenses: ["Android-Apache-2.0"], +} + +aidl_interface { + name: "com.android.virt.vm_attestation.testservice", + srcs: ["com/android/virt/vm_attestation/testservice/**/*.aidl"], + unstable: true, + backend: { + java: { + gen_rpc: true, + }, + }, +}
diff --git a/service_vm/test_apk/aidl/com/android/virt/vm_attestation/testservice/IAttestationService.aidl b/service_vm/test_apk/aidl/com/android/virt/vm_attestation/testservice/IAttestationService.aidl new file mode 100644 index 0000000..e9a7940 --- /dev/null +++ b/service_vm/test_apk/aidl/com/android/virt/vm_attestation/testservice/IAttestationService.aidl
@@ -0,0 +1,42 @@ +/* + * Copyright 2024 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.android.virt.vm_attestation.testservice; + +/** {@hide} */ +interface IAttestationService { + const int PORT = 5679; + + /** + * The result of signing a message with the attested key. + */ + parcelable SigningResult { + /** The DER-encoded ECDSA signature of the message. */ + byte[] signature; + + /** The DER-encoded attestation X509 certificate chain. */ + byte[] certificateChain; + } + + /** + * Requests attestation with {@link AVmPayload_requestAttestation} API and signs the + * given message with the attested key. + * + * @param message the message to sign. + * @return the result of signing the message with the attested key. + */ + SigningResult signWithAttestationKey(in byte[] message); +}
diff --git a/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java b/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java index 4e1d238..4e091af 100644 --- a/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java +++ b/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java
@@ -46,7 +46,10 @@ import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; +import java.util.Collections; +import java.util.HashSet; import java.util.OptionalLong; +import java.util.Set; import java.util.concurrent.CompletableFuture; import java.util.concurrent.ExecutorService; import java.util.concurrent.Executors; @@ -55,6 +58,10 @@ public abstract class MicrodroidDeviceTestBase { private static final String TAG = "MicrodroidDeviceTestBase"; private final String MAX_PERFORMANCE_TASK_PROFILE = "CPUSET_SP_TOP_APP"; + protected static final String KERNEL_VERSION = SystemProperties.get("ro.kernel.version"); + + protected static final Set<String> SUPPORTED_GKI_VERSIONS = + Collections.unmodifiableSet(new HashSet()); public static boolean isCuttlefish() { return getDeviceProperties().isCuttlefish(); @@ -112,6 +119,13 @@ return new VirtualMachineConfig.Builder(mCtx).setProtectedVm(mProtectedVm); } + /** + * Placeholder method to make AvfRkpdVmAttestationAppTests compile on branch udc-mainline-prod. + */ + public VirtualMachineConfig.Builder newVmConfigBuilderWithPayloadBinary(String binaryPath) { + return newVmConfigBuilder(); + } + protected final boolean isProtectedVm() { return mProtectedVm; } @@ -130,6 +144,10 @@ return vmm.create(name, config); } + public void prepareTestSetup(boolean protectedVm, String gki) { + prepareTestSetup(protectedVm); + } + public void prepareTestSetup(boolean protectedVm) { mCtx = ApplicationProvider.getApplicationContext(); assume().withMessage("Device doesn't support AVF") @@ -150,6 +168,12 @@ } } + protected void assumeSupportedDevice() { + assume().withMessage("Skip on 5.4 kernel. b/218303240") + .that(KERNEL_VERSION) + .isNotEqualTo("5.4"); + } + public abstract static class VmEventListener implements VirtualMachineCallback { private ExecutorService mExecutorService = Executors.newSingleThreadExecutor(); private OptionalLong mVcpuStartedNanoTime = OptionalLong.empty();
diff --git a/tests/hostside/helper/java/com/android/microdroid/test/host/MicrodroidHostTestCaseBase.java b/tests/hostside/helper/java/com/android/microdroid/test/host/MicrodroidHostTestCaseBase.java index 81ccec7..d50237c 100644 --- a/tests/hostside/helper/java/com/android/microdroid/test/host/MicrodroidHostTestCaseBase.java +++ b/tests/hostside/helper/java/com/android/microdroid/test/host/MicrodroidHostTestCaseBase.java
@@ -38,7 +38,7 @@ import java.util.Arrays; public abstract class MicrodroidHostTestCaseBase extends BaseHostJUnit4Test { - protected static final String TEST_ROOT = "/data/local/tmp/virt/"; + protected static final String TEST_ROOT = "/data/local/tmp/virt/tradefed/"; protected static final String LOG_PATH = TEST_ROOT + "log.txt"; protected static final String CONSOLE_PATH = TEST_ROOT + "console.txt"; private static final int TEST_VM_ADB_PORT = 8000;
diff --git a/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java b/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java index 9dbaa5e..75cf61e 100644 --- a/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java +++ b/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
@@ -513,7 +513,8 @@ mMicrodroidDevice.enableAdbRoot(); CommandRunner microdroid = new CommandRunner(mMicrodroidDevice); - microdroid.run(crashCommand); + // can crash in the middle of crashCommand; fail is ok + microdroid.tryRun(crashCommand); // check until microdroid is shut down CommandRunner android = new CommandRunner(getDevice());
diff --git a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java index 180be2f..7071651 100644 --- a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java +++ b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
@@ -115,8 +115,6 @@ @Rule public Timeout globalTimeout = Timeout.seconds(300); - private static final String KERNEL_VERSION = SystemProperties.get("ro.kernel.version"); - @Parameterized.Parameters(name = "protectedVm={0}") public static Object[] protectedVmConfigs() { return new Object[] { false, true }; @@ -126,13 +124,11 @@ @Before public void setup() { - grantPermission(VirtualMachine.MANAGE_VIRTUAL_MACHINE_PERMISSION); prepareTestSetup(mProtectedVm); } @After public void tearDown() { - revokePermission(VirtualMachine.MANAGE_VIRTUAL_MACHINE_PERMISSION); revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION); } @@ -210,32 +206,6 @@ } @Test - @CddTest( - requirements = { - "9.17/C-1-1", - "9.17/C-1-2", - "9.17/C-1-4", - }) - public void createVmRequiresPermission() { - assumeSupportedDevice(); - - revokePermission(VirtualMachine.MANAGE_VIRTUAL_MACHINE_PERMISSION); - - VirtualMachineConfig config = - newVmConfigBuilder() - .setPayloadBinaryName("MicrodroidTestNativeLib.so") - .setMemoryBytes(minMemoryRequired()) - .build(); - - SecurityException e = - assertThrows( - SecurityException.class, - () -> forceCreateNewVirtualMachine("test_vm_requires_permission", config)); - assertThat(e).hasMessageThat() - .contains("android.permission.MANAGE_VIRTUAL_MACHINE permission"); - } - - @Test @CddTest(requirements = {"9.17/C-1-1"}) public void autoCloseVm() throws Exception { assumeSupportedDevice(); @@ -578,7 +548,6 @@ // Changes that are currently incompatible for ease of implementation, but this might change // in the future. - assertConfigCompatible(baseline, newBaselineBuilder().setApkPath("/different")).isFalse(); assertConfigCompatible(baseline, newBaselineBuilder().setEncryptedStorageBytes(100_000)) .isFalse(); @@ -2048,11 +2017,4 @@ } return 0; } - - private void assumeSupportedDevice() { - assume() - .withMessage("Skip on 5.4 kernel. b/218303240") - .that(KERNEL_VERSION) - .isNotEqualTo("5.4"); - } }
diff --git a/tests/testapk_no_perm/Android.bp b/tests/testapk_no_perm/Android.bp new file mode 100644 index 0000000..22616de --- /dev/null +++ b/tests/testapk_no_perm/Android.bp
@@ -0,0 +1,26 @@ +package { + default_applicable_licenses: ["Android-Apache-2.0"], +} + +android_test { + name: "MicrodroidTestAppNoPerm", + static_libs: [ + "MicrodroidDeviceTestHelper", + "MicrodroidTestHelper", + "androidx.test.runner", + "androidx.test.ext.junit", + "com.android.microdroid.testservice-java", + "truth", + "compatibility-common-util-devicesidelib", + ], + jni_libs: [ + "MicrodroidTestNativeLib", + ], + test_suites: [ + "general-tests", + "cts", + ], + srcs: ["src/java/**/*.java"], + defaults: ["MicrodroidTestAppsDefaults"], + min_sdk_version: "33", +}
diff --git a/tests/testapk_no_perm/AndroidManifest.xml b/tests/testapk_no_perm/AndroidManifest.xml new file mode 100644 index 0000000..44aa92a --- /dev/null +++ b/tests/testapk_no_perm/AndroidManifest.xml
@@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- Copyright (C) 2024 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> + +<manifest xmlns:android="http://schemas.android.com/apk/res/android" + package="com.android.microdroid.test_no_perm"> + <uses-sdk android:minSdkVersion="33" android:targetSdkVersion="33" /> + <uses-feature android:name="android.software.virtualization_framework" android:required="false" /> + <application /> + <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner" + android:targetPackage="com.android.microdroid.test_no_perm" + android:label="No Permission Microdroid Test" /> +</manifest>
diff --git a/tests/testapk_no_perm/AndroidTest.xml b/tests/testapk_no_perm/AndroidTest.xml new file mode 100644 index 0000000..d4a818f --- /dev/null +++ b/tests/testapk_no_perm/AndroidTest.xml
@@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- Copyright (C) 2024 The Android Open Source Project + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<configuration description="Runs Microdroid Tests with no permission"> + <option name="test-suite-tag" value="cts" /> + <option name="config-descriptor:metadata" key="component" value="security" /> + <option name="config-descriptor:metadata" key="parameter" value="not_instant_app" /> + <option name="config-descriptor:metadata" key="parameter" value="not_multi_abi" /> + <option name="config-descriptor:metadata" key="parameter" value="secondary_user" /> + <target_preparer class="com.android.tradefed.targetprep.suite.SuiteApkInstaller"> + <option name="test-file-name" value="MicrodroidTestAppNoPerm.apk" /> + </target_preparer> + <test class="com.android.tradefed.testtype.AndroidJUnitTest" > + <option name="package" value="com.android.microdroid.test_no_perm" /> + <option name="runner" value="androidx.test.runner.AndroidJUnitRunner" /> + <option name="shell-timeout" value="300000" /> + <option name="test-timeout" value="300000" /> + </test> +</configuration>
diff --git a/tests/testapk_no_perm/src/java/com/android/microdroid/test/MicrodroidTestAppNoPerm.java b/tests/testapk_no_perm/src/java/com/android/microdroid/test/MicrodroidTestAppNoPerm.java new file mode 100644 index 0000000..539f344 --- /dev/null +++ b/tests/testapk_no_perm/src/java/com/android/microdroid/test/MicrodroidTestAppNoPerm.java
@@ -0,0 +1,75 @@ +/* + * Copyright 2024 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.android.microdroid.test; + +import android.system.virtualmachine.VirtualMachineConfig; + +import com.android.compatibility.common.util.CddTest; +import com.android.compatibility.common.util.ApiTest; +import com.android.microdroid.test.device.MicrodroidDeviceTestBase; + +import static com.google.common.truth.Truth.assertThat; +import static org.junit.Assert.assertThrows; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; + +/** + * Test that the android.permission.MANAGE_VIRTUAL_MACHINE is enforced and that an app cannot launch + * a VM without said permission. + */ +@RunWith(Parameterized.class) +public class MicrodroidTestAppNoPerm extends MicrodroidDeviceTestBase { + @Parameterized.Parameters(name = "protectedVm={0}") + public static Object[] protectedVmConfigs() { + return new Object[] { false, true }; + } + + @Parameterized.Parameter public boolean mProtectedVm; + + @Before + public void setup() { + prepareTestSetup(mProtectedVm); + } + + @Test + @CddTest( + requirements = { + "9.17/C-1-1", + "9.17/C-1-2", + "9.17/C-1-4", + }) + @ApiTest(apis = {"android.system.virtualmachine.VirtualMachineManager#RequiresPermission"}) + public void createVmRequiresPermission() { + assumeSupportedDevice(); + + VirtualMachineConfig config = + newVmConfigBuilder() + .setPayloadBinaryName("MicrodroidTestNativeLib.so") + .build(); + + SecurityException e = + assertThrows( + SecurityException.class, + () -> forceCreateNewVirtualMachine("test_vm_requires_permission", config)); + assertThat(e) + .hasMessageThat() + .contains("android.permission.MANAGE_VIRTUAL_MACHINE permission"); + } +}