1 /*
2  * Copyright (C) 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.security;
18 
19 import android.test.AndroidTestCase;
20 import com.android.compatibility.common.util.PropertyUtil;
21 import java.io.IOException;
22 
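/**
 * Verifies the SELinux confinement applied to an app whose targetSdkVersion is 29.
 *
 * <p>Every check is delegated to a helper inherited from {@link SELinuxTargetSdkTestBase};
 * this class only chooses the expectations (allowed vs. denied, expected context patterns)
 * that apply to this targetSdkVersion. The helpers' exact semantics are defined in the base
 * class, not here.
 */
public class SELinuxTargetSdkTest extends SELinuxTargetSdkTestBase
{
    /**
     * Verify that net.dns properties may not be read.
     *
     * @throws IOException propagated from the base-class helper
     */
    public void testNoDns() throws IOException {
        noDns();
    }

    /**
     * Checks dex2oat access, but only on devices whose vendor API level is newer than 28.
     *
     * <p>On older vendor images this test performs no check and therefore passes vacuously;
     * see the comment in the body for the reason.
     *
     * @throws Exception propagated from the base-class helper
     */
    public void testDex2oat() throws Exception {
        /*
         * Apps with a vendor image older than Q may access the dex2oat executable through
         * selinux policy on the vendor partition because the permission was granted in public
         * policy for appdomain.
         */
        if (PropertyUtil.isVendorApiLevelNewerThan(28)) {
            // NOTE(review): "false" presumably means access is expected to be denied;
            // confirm against SELinuxTargetSdkTestBase.checkDex2oatAccess.
            checkDex2oatAccess(false);
        }
    }

    /**
     * Runs the netlink-route getlink check with the "expected to succeed" flag set.
     *
     * @throws IOException propagated from the base-class helper
     */
    public void testNetlinkRouteGetlinkSucceeds() throws IOException {
        checkNetlinkRouteGetlink(true);
    }

    /**
     * Runs the netlink-route bind check with the "expected to succeed" flag set.
     *
     * @throws IOException propagated from the base-class helper
     */
    public void testNetlinkRouteBindSucceeds() throws IOException {
        checkNetlinkRouteBind(true);
    }

    /**
     * Asserts that the base-class probe reports that code cannot be executed from the app's
     * home directory.
     *
     * @throws Exception propagated from the base-class helper
     */
    public void testCanNotExecuteFromHomeDir() throws Exception {
        assertFalse(canExecuteFromHomeDir());
    }

    /**
     * Verify that selinux context is the expected domain based on
     * targetSdkVersion = 29.
     *
     * @throws IOException propagated from the base-class helper
     */
    public void testAppDomainContext() throws IOException {
        // Expected process context: the untrusted_app_29 domain followed by exactly four
        // MLS categories. Presumably matched as a regular expression by appDomainContext().
        String context = "u:r:untrusted_app_29:s0:c[0-9]+,c[0-9]+,c[0-9]+,c[0-9]+";
        // The failure text names untrusted_app_29 so that it agrees with the pattern above;
        // a message pointing at plain untrusted_app would misdirect whoever triages a failure.
        String msg = "Untrusted apps with targetSdkVersion 29 " +
            "must run in the untrusted_app_29 selinux domain and use the levelFrom=all " +
            "selector in SELinux seapp_contexts which adds four category types " +
            "to the app's selinux context.\n" +
            "Example expected value: u:r:untrusted_app_29:s0:c89,c256,c512,c768\n" +
            "Actual value: ";
        appDomainContext(context, msg);
    }

    /**
     * Verify that selinux context is the expected type based on
     * targetSdkVersion = 29.
     *
     * @throws Exception propagated from the base-class helper
     */
    public void testAppDataContext() throws Exception {
        // Expected file context: the app_data_file type followed by exactly four MLS
        // categories. Presumably matched as a regular expression by appDataContext().
        String context = "u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+,c[0-9]+,c[0-9]+";
        String msg = "Untrusted apps with targetSdkVersion 29 " +
            "must use the app_data_file selinux context and use the levelFrom=all " +
            "selector in SELinux seapp_contexts which adds four category types " +
            "to the app_data_file context.\n" +
            "Example expected value: u:object_r:app_data_file:s0:c89,c256,c512,c768\n" +
            "Actual value: ";
        appDataContext(context, msg);
    }

    /**
     * Runs the base-class network-interface check; going by the helper's name, it expects
     * hardware addresses to be returned for this targetSdkVersion.
     *
     * @throws Exception propagated from the base-class helper
     */
    public void testNetworkInterface() throws Exception {
        checkNetworkInterface_returnsHardwareAddresses();
    }
}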