diff options
Diffstat (limited to 'core/tests/coretests/src/android/content/pm/SELinuxMMACTests.java')
| -rw-r--r-- | core/tests/coretests/src/android/content/pm/SELinuxMMACTests.java | 365 |
1 files changed, 344 insertions, 21 deletions
diff --git a/core/tests/coretests/src/android/content/pm/SELinuxMMACTests.java b/core/tests/coretests/src/android/content/pm/SELinuxMMACTests.java index f086113..b0a7979 100644 --- a/core/tests/coretests/src/android/content/pm/SELinuxMMACTests.java +++ b/core/tests/coretests/src/android/content/pm/SELinuxMMACTests.java @@ -110,11 +110,12 @@ public class SELinuxMMACTests extends AndroidTestCase { /** * Takes the policy xml file as a resource, the apk as a resource, - * and the expected seinfo string. + * the expected seinfo string, and the expected install value. * We mock a package install here by calling parsePackage. */ - void checkSeinfoWithPolicy(int policyRes, int apkRes, - String expectedSeinfo) { + void checkInstallMMAC(int policyRes, int apkRes, + String expectedSeinfo, + boolean expectedPassed) { // grab policy file Uri policyURI = getResourceURI(policyRes, MAC_INSTALL_TMP); assertNotNull(policyURI); @@ -128,8 +129,10 @@ public class SELinuxMMACTests extends AndroidTestCase { PackageParser.Package pkg = parsePackage(apkURI); assertNotNull(pkg); assertNotNull(pkg.packageName); + // check for correct passed policy value + boolean passed = SELinuxMMAC.passInstallPolicyChecks(pkg); + assertEquals(expectedPassed, passed); // check for correct seinfo label - SELinuxMMAC.assignSeinfoValue(pkg); String seinfo = pkg.applicationInfo.seinfo; if (seinfo == null) seinfo = "null"; @@ -144,7 +147,7 @@ public class SELinuxMMACTests extends AndroidTestCase { * Requested policy file doesn't exist. */ @LargeTest - public void testPOLICY_BADPATH() { + public void testINSTALL_POLICY_BADPATH() { boolean ret = SELinuxMMAC.readInstallPolicy(new File("/d/o/e/s/n/t/e/x/i/s/t")); assertFalse(ret); } @@ -153,44 +156,364 @@ public class SELinuxMMACTests extends AndroidTestCase { * Requested policy file is null object. */ @LargeTest - public void testPOLICY_NULL() { + public void testINSTALL_POLICY_NULL() { boolean ret = SELinuxMMAC.readInstallPolicy(null); assertFalse(ret); } /* - * Parse an apk that should be labeled with signature stanza. + * No need to test a valid install policy file. All the tests + * below test it implicitly. + */ + + /* + * Signature stanza hits. apk is installed from allow-all. + */ + @LargeTest + public void testSIGNATURE_ALLOWALL_INSTALLED() { + checkInstallMMAC(R.raw.mmac_sig_all, R.raw.signed_platform, + "platform", true); + } + + /* + * Signature stanza hits. apk is installed from whitelist. + */ + @LargeTest + public void testSIGNATURE_WHITELIST_INSTALLED() { + checkInstallMMAC(R.raw.mmac_sig_white, R.raw.signed_platform, + "platform", true); + } + + /* + * Signature stanza hits. apk is installed from blacklist. + */ + @LargeTest + public void testSIGNATURE_BLACKLIST_INSTALLED() { + checkInstallMMAC(R.raw.mmac_sig_black, R.raw.signed_platform, + "platform", true); + } + + /* + * Signature stanza hits. apk is installed. null seinfo tag. + */ + @LargeTest + public void testSIGNATURE_INSTALLED_NULL_SEINFO() { + checkInstallMMAC(R.raw.mmac_sig_null, R.raw.signed_platform, + "null", true); + } + + /* + * Signature stanza hits. apk is denied. + * Package stanza allows. + */ + @LargeTest + public void testSIGNATURE_DENIED_PACKAGE_ALLOWS() { + checkInstallMMAC(R.raw.mmac_sig_deny_pkg_allow, R.raw.signed_platform, + "package", true); + } + + /* + * Signature stanza hits. apk is denied. + * Package stanza then denys. + */ + @LargeTest + public void testSIGNATURE_DENIED_PACKAGE_DENY() { + checkInstallMMAC(R.raw.mmac_sig_deny_pkg_deny, R.raw.signed_platform, + "null", false); + } + + /* + * Signature stanza hits. apk is denied. + * Default stanza allows. + */ + @LargeTest + public void testSIGNATURE_DENIED_DEFAULT_ALLOWS() { + checkInstallMMAC(R.raw.mmac_sig_deny_default_allow, R.raw.signed_platform, + "default", true); + } + + /* + * Signature stanza hits yet denys. Default stanza hits and denys. + */ + @LargeTest + public void testSIGNATURE_DENY_DEFAULT_DENY() { + checkInstallMMAC(R.raw.mmac_sig_deny_default_deny, R.raw.signed_platform, + "null", false); + } + + /* + * Signature stanza hits. apk is denied. + * No other policy present. + */ + @LargeTest + public void testSIGNATURE_DENIED_NOOTHER_POLICY() { + checkInstallMMAC(R.raw.mmac_sig_deny_noother, R.raw.signed_platform, + "null", false); + } + + /* + * Package stanza hits. apk is installed from allow-all. + */ + @LargeTest + public void testPACKAGE_ALLOWALL_INSTALLED() { + checkInstallMMAC(R.raw.mmac_pkg_all, R.raw.signed_platform, + "package", true); + } + + /* + * Package stanza hits. apk is installed from whitelist. + */ + @LargeTest + public void testPACKAGE_WHITELIST_INSTALLED() { + checkInstallMMAC(R.raw.mmac_pkg_white, R.raw.signed_platform, + "package", true); + } + + /* + * Package stanza hits. apk is installed from blacklist. + */ + @LargeTest + public void testPACKAGE_BLACKLIST_INSTALLED() { + checkInstallMMAC(R.raw.mmac_pkg_black, R.raw.signed_platform, + "package", true); + } + + /* + * Package stanza hits. apk is installed. seinfo is null. */ @LargeTest - public void testSIGNATURE_LABEL() { - checkSeinfoWithPolicy(R.raw.mac_permissions_signature, R.raw.signed_platform, - "platform"); + public void testPACKAGE_INSTALLED_NULL_SEINFO() { + checkInstallMMAC(R.raw.mmac_pkg_null_seinfo, R.raw.signed_platform, + "null", true); } /* - * Parse an apk that should be labeled with default stanza. + * Package stanza hits. apk is denied on whitelist. */ @LargeTest - public void testDEFAULT_LABEL() { - checkSeinfoWithPolicy(R.raw.mac_permissions_default, R.raw.signed_platform, - "default"); + public void testPACKAGE_WHITELIST_DENIED() { + checkInstallMMAC(R.raw.mmac_pkg_deny_white, R.raw.signed_platform, + "null", false); } /* - * Parse an apk that should be labeled with package stanza. + * Package stanza hits. apk is denied on blacklist. */ @LargeTest - public void testPACKAGENAME_LABEL() { - checkSeinfoWithPolicy(R.raw.mac_permissions_package_name, R.raw.signed_platform, - "per-package"); + public void testPACKAGE_BLACKLIST_DENIED() { + checkInstallMMAC(R.raw.mmac_pkg_deny_black, R.raw.signed_platform, + "null", false); } /* - * Parse an apk that should not be labeled. No matching entry in policy. + * Default stanza hits. apk is installed from allowall. + */ + @LargeTest + public void testDEFAULT_ALLOWALL_INSTALLED() { + checkInstallMMAC(R.raw.mmac_default_all, R.raw.signed_platform, + "default", true); + } + + /* + * Default stanza hits. apk is installed from whitelist. + */ + @LargeTest + public void testDEFAULT_WHITELIST_INSTALLED() { + checkInstallMMAC(R.raw.mmac_default_white, R.raw.signed_platform, + "default", true); + } + + /* + * Default stanza hits. apk is installed from blacklist. + */ + @LargeTest + public void testDEFAULT_BLACKLIST_INSTALLED() { + checkInstallMMAC(R.raw.mmac_default_black, R.raw.signed_platform, + "default", true); + } + + /* + * Default stanza hits. apk installed. null seinfo. + */ + @LargeTest + public void testDEFAULT_INSTALLED_NULL_SEINFO() { + checkInstallMMAC(R.raw.mmac_default_null_seinfo, R.raw.signed_platform, + "null", true); + } + + /* + * Default stanza hits. apk is denied on whitelist. + */ + @LargeTest + public void testDEFAULT_WHITELIST_DENIED() { + checkInstallMMAC(R.raw.mmac_default_white_deny, R.raw.signed_platform, + "null", false); + } + + /* + * Default stanza hits. apk is denied on blacklist. + */ + @LargeTest + public void testDEFAULT_BLACKLIST_DENIED() { + checkInstallMMAC(R.raw.mmac_default_black_deny, R.raw.signed_platform, + "null", false); + } + + /* + * No matching entry in policy. */ @LargeTest public void testNO_MATCHING_POLICY() { - checkSeinfoWithPolicy(R.raw.mac_permissions_no_match, R.raw.signed_platform, - "null"); + checkInstallMMAC(R.raw.mmac_no_match, R.raw.signed_platform, + "null", false); + } + + /* + * Signature catches yet there is a package stanza inside that allows + * based on allow-all. + */ + @LargeTest + public void testPACKAGE_INSIDE_SIG_ALLOW_ALL() { + checkInstallMMAC(R.raw.mmac_inside_pkg_allow_all, R.raw.signed_platform, + "insidepackage", true); + } + + /* + * Signature catches yet there is a package stanza inside that allows + * based on whitelist. + */ + @LargeTest + public void testPACKAGE_INSIDE_SIG_ALLOW_WHITE() { + checkInstallMMAC(R.raw.mmac_inside_pkg_allow_white, R.raw.signed_platform, + "insidepackage", true); + } + + /* + * Signature catches yet there is a package stanza inside that allows + * based on blacklist. + */ + @LargeTest + public void testPACKAGE_INSIDE_SIG_ALLOW_BLACK() { + checkInstallMMAC(R.raw.mmac_inside_pkg_allow_black, R.raw.signed_platform, + "insidepackage", true); + } + + /* + * Signature catches yet there is a package stanza inside that denies + * based on blacklist. Stand alone package stanza then allows. + */ + @LargeTest + public void testPACKAGE_INSIDE_SIG_DENY_PKG_OUT_ALLOWS() { + checkInstallMMAC(R.raw.mmac_inside_pkg_deny_pkg, R.raw.signed_platform, + "package", true); + } + + /* + * Signature catches yet there is a package stanza inside that denies + * based on whitelist. default stanza catches and allows. + */ + @LargeTest + public void testPACKAGE_INSIDE_SIG_DENY_DEFAULT_ALLOWS() { + checkInstallMMAC(R.raw.mmac_inside_pkg_deny_default, R.raw.signed_platform, + "default", true); + } + + /* + * Signature catches yet there is a package stanza inside that denies. + * No other policy catches. app is denied. + */ + @LargeTest + public void testPACKAGE_INSIDE_SIG_DENY_NOOTHER() { + checkInstallMMAC(R.raw.mmac_inside_pkg_deny_noother, R.raw.signed_platform, + "null", false); + } + + /* + * Signature catches yet there is a package stanza inside that allows. + * However, the seingo tag is null. + */ + @LargeTest + public void testPACKAGE_INSIDE_SIG_ALLOWS_NULL_SEINFO() { + checkInstallMMAC(R.raw.mmac_inside_pkg_allow_null_seinfo, R.raw.signed_platform, + "null", true); + } + + /* + * Signature stanza has inner package stanza. Outer sig stanza + * has no rules. Check app signed with same key, diff pkg name, doesn't + * catch on outer signer stanza. Catches on default though. + */ + @LargeTest + public void testPACKAGE_SAME_CERT_DIFF_NAME_SKIPS_OUTER() { + checkInstallMMAC(R.raw.mmac_diff_name_skip_outer, R.raw.signed_platform_2, + "default", true); + } + + /* + * Signature stanza has inner package stanza. Outer sig stanza + * has no rules. Check app catches on inner. + */ + @LargeTest + public void testPACKAGE_INNER_HITS_NO_OUTER_RULES() { + checkInstallMMAC(R.raw.mmac_outer_no_rule_catch_inner, R.raw.signed_platform, + "insidepackage", true); + } + + /* + * Signature stanza has inner package stanza with no seinfo tag. + * Outer sig stanza has no rules but seinfo tag. Check app labeled null. + */ + @LargeTest + public void testPACKAGE_INSIDE_SIG_ALLOWS_NULL_SEINFO_OUTER_SEINFO_MISSED() { + checkInstallMMAC(R.raw.mmac_inner_seinfo_null_outer_seinfo, R.raw.signed_platform, + "null", true); + } + + /* + * Signature stanza has inner package stanza. Outer sig stanza + * has blacklist. Check app signed with same key, diff pkg name, + * denied on outer signer stanza. Catches on default though. + */ + @LargeTest + public void testPACKAGE_SAME_CERT_DIFF_NAME_DENIED_OUTER() { + checkInstallMMAC(R.raw.mmac_diff_name_deny_outer, R.raw.signed_platform_2, + "default", true); + } + + /* + * Signature stanza has inner package stanza. Check that app + * with same package name, diff key, catches on another cert. + */ + @LargeTest + public void testPACKAGE_DIFF_CERT_SAME_NAME() { + checkInstallMMAC(R.raw.mmac_same_name_diff_cert, R.raw.signed_media, + "media", true); + } + + /* + * Default stanza with inner package that hits. Outer not empty. + */ + @LargeTest + public void testPACKAGE_INNER_DEFAULT() { + checkInstallMMAC(R.raw.mmac_default_inner_pkg, R.raw.signed_media, + "insidedefault", true); + } + + /* + * Default stanza with inner package that hits. Outer empty. + */ + @LargeTest + public void testPACKAGE_INNER_DEFAULT_OUTER_EMPTY() { + checkInstallMMAC(R.raw.mmac_default_inner_pkg_out_empty, R.raw.signed_media, + "insidedefault", true); + } + + /* + * Default stanza with inner package that denies. + */ + @LargeTest + public void testPACKAGE_INNER_DEFAULT_DENY() { + checkInstallMMAC(R.raw.mmac_default_inner_pkg_deny, R.raw.signed_media, + "null", false); } } |