authorVarun Praveen Goyal <varun.goyal@ittiam.com>2022-06-17 21:07:50 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2022-06-17 21:07:50 +0000
commit6b23b25f04a25e51b304ff09429ec78c2a4af07e (patch)
tree1760f32d9699cde8ec89575082d737c309c2520a
parentd4306920c43422ad47aee1c1f5df11a9fd08ea00 (diff)
parent5076de2811ff0c726fcb08e7583388f3d8a809b0 (diff)
downloadcts-6b23b25f04a25e51b304ff09429ec78c2a4af07e.tar.gz
CTS test for Android Security b/228315522 am: 35f75a622f am: d2b70624f5 am: 7e2e2ef6e5 am: 828d6d8771 am: c79e578f3a am: 5076de2811
Original change: https://googleplex-android-review.googlesource.com/c/platform/cts/+/18871682 Change-Id: I66861f417cdc56f864589e73da547b83c6c6abb8 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r--hostsidetests/securitybulletin/src/android/security/cts/CVE_2022_20349.java60
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2022-20349/Android.bp39
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2022-20349/AndroidManifest.xml35
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2022-20349/res/values/strings.xml26
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2022-20349/res/xml/device_policies.xml20
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2022-20349/src/android/security/cts/CVE_2022_20349/DeviceTest.java118
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2022-20349/src/android/security/cts/CVE_2022_20349/PocDeviceAdminReceiver.java22
7 files changed, 320 insertions, 0 deletions
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2022_20349.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2022_20349.java
new file mode 100644
index 00000000000..c4f52254d66
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2022_20349.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.tradefed.testtype.StsExtraBusinessLogicHostTestBase;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2022_20349 extends StsExtraBusinessLogicHostTestBase {
+ static final String TEST_PKG = "android.security.cts.CVE_2022_20349";
+ public static final String TEST_DEVICE_ADMIN_RECEIVER = ".PocDeviceAdminReceiver";
+
+ @AsbSecurityTest(cveBugId = 228315522)
+ @Test
+ public void testPocCVE_2022_20349() throws Exception {
+ try {
+ ITestDevice device = getDevice();
+
+ /* Wake up the screen */
+ AdbUtils.runCommandLine("input keyevent KEYCODE_WAKEUP", device);
+ AdbUtils.runCommandLine("input keyevent KEYCODE_MENU", device);
+ AdbUtils.runCommandLine("input keyevent KEYCODE_HOME", device);
+
+ /* Install the test application */
+ installPackage("CVE-2022-20349.apk");
+
+ /* Set Device Admin Component */
+ AdbUtils.runCommandLine(
+ "dpm set-device-owner '" + TEST_PKG + "/" + TEST_DEVICE_ADMIN_RECEIVER + "'",
+ device);
+
+ /* Run the test "testBluetoothScanningDisallowed" */
+ runDeviceTests(TEST_PKG, TEST_PKG + ".DeviceTest", "testBluetoothScanningDisallowed");
+ } catch (Exception e) {
+ assumeNoException(e);
+ }
+ }
+}
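Review bot: The output of `dpm set-device-owner` in testPocCVE_2022_20349 is discarded, so a device that refuses the command still proceeds to `runDeviceTests`. In that case the device-side `addUserRestriction` call would presumably throw and be converted into an assumption failure by the device test's own `assumeNoException`, so the report shows a skip with no hint that provisioning failed. If `AdbUtils.runCommandLine` returns the shell output, capture it (`String out = AdbUtils.runCommandLine(...)`) and gate on the expected success text with an `assumeTrue` that carries the output as its message; this needs an extra static import. The enclosing `catch (Exception e) { assumeNoException(e); }` also covers `installPackage`, so a missing APK is reported the same way as an unsupported device.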
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/Android.bp
new file mode 100644
index 00000000000..2accd9e4dc7
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/Android.bp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+ name: "CVE-2022-20349",
+ defaults: [
+ "cts_support_defaults",
+ ],
+ srcs: [
+ "src/**/*.java",
+ ],
+ test_suites: [
+ "sts",
+ ],
+ static_libs: [
+ "androidx.test.core",
+ "androidx.test.rules",
+ "androidx.test.uiautomator_uiautomator",
+ ],
+ sdk_version: "current",
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/AndroidManifest.xml
new file mode 100644
index 00000000000..a59d1d14fd4
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/AndroidManifest.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2022 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="android.security.cts.CVE_2022_20349"
+ android:versionCode="1"
+ android:versionName="1.0">
+ <application>
+ <receiver android:name=".PocDeviceAdminReceiver"
+ android:permission="android.permission.BIND_DEVICE_ADMIN"
+ android:exported="true">
+ <meta-data android:name="android.app.device_admin"
+ android:resource="@xml/device_policies" />
+ <intent-filter>
+ <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
+ </intent-filter>
+ </receiver>
+ </application>
+
+ <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+ android:targetPackage="android.security.cts.CVE_2022_20349" />
+</manifest>
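Review bot: The `<application>` element does not declare `android:testOnly="true"`, although the host test promotes this package to device owner. The only code on this page that drops device owner is the device-side `tearDown`; if it does not run (instrumentation crash, or the host run is interrupted between `dpm set-device-owner` and `runDeviceTests`), the package stays device owner on the lab device. As far as I know, `dpm remove-active-admin` is only honoured for test-only admins, so consider `<application android:testOnly="true">` to allow recovery without a factory reset. Confirm that the `installPackage` path used by the host test can install test-only APKs before making the change.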
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/res/values/strings.xml
new file mode 100644
index 00000000000..78fc6ccef47
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/res/values/strings.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2022 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+<resources>
+ <string name="btScanningPattern">.*bluetooth scanning.*</string>
+ <string name="btScanningTimedOut">Timed out waiting on the text \'Bluetooth scanning\' to appear
+ </string>
+ <string name="failMsg">Device is vulnerable to b/228315522 !!</string>
+ <string name="locationIntentAction">android.settings.LOCATION_SCANNING_SETTINGS</string>
+ <string name="resBtScanning">android:id/title</string>
+ <string name="setUserRestrictionFailed">Failed to set user restriction
+ UserManager.DISALLOW_CONFIG_LOCATION</string>
+</resources>
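Review bot: `btScanningPattern` hard-codes the English label `.*bluetooth scanning.*`, and DeviceTest treats a failed match as an assumption failure with `btScanningTimedOut`. On a device whose UI language is not English, or a build whose Settings app uses a different label, the test would be skipped rather than exercising the restriction check, which is easy to misread as coverage. At minimum, document this next to the string, e.g. `<!-- English-only Settings label; the test is skipped when it is not shown -->`, so that a skipped result is interpreted correctly.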
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/res/xml/device_policies.xml b/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/res/xml/device_policies.xml
new file mode 100644
index 00000000000..65ce601d65f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/res/xml/device_policies.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2022 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
+ <uses-policies>
+ </uses-policies>
+</device-admin>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/src/android/security/cts/CVE_2022_20349/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/src/android/security/cts/CVE_2022_20349/DeviceTest.java
new file mode 100644
index 00000000000..b5083e9671f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/src/android/security/cts/CVE_2022_20349/DeviceTest.java
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2022_20349;
+
+import static androidx.test.core.app.ApplicationProvider.getApplicationContext;
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.admin.DevicePolicyManager;
+import android.content.ComponentName;
+import android.content.Context;
+import android.content.Intent;
+import android.os.UserManager;
+
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.UiObject2;
+import androidx.test.uiautomator.Until;
+
+import org.junit.After;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.regex.Pattern;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+ Context mContext;
+ UiDevice mDevice;
+ DevicePolicyManager mDevicePolicyManager;
+ ComponentName mComponentName;
+ static final String USER_RESTRICTION = UserManager.DISALLOW_CONFIG_LOCATION;
+ static final int UI_TIMEOUT_MS = 5000;
+
+ String getStringRes(int key) {
+ return mContext.getResources().getString(key);
+ }
+
+ int getIntegerRes(int key) {
+ return mContext.getResources().getInteger(key);
+ }
+
+ @After
+ public void tearDown() {
+ try {
+ /* Return to home screen after test */
+ mDevice.pressHome();
+
+ /*
+ * Clear user restriction "DISALLOW_CONFIG_LOCATION" set by the test and also clear the
+ * app as device owner.
+ */
+ mDevicePolicyManager.clearUserRestriction(mComponentName, USER_RESTRICTION);
+ mDevicePolicyManager.clearDeviceOwnerApp(mContext.getPackageName());
+ } catch (Exception e) {
+ // ignore the exception as the test is already complete
+ }
+ }
+
+ @Test
+ public void testBluetoothScanningDisallowed() {
+ try {
+ mDevice = UiDevice.getInstance(getInstrumentation());
+ mContext = getApplicationContext();
+ mDevicePolicyManager =
+ mContext.getSystemService(DevicePolicyManager.class);
+ mComponentName =
+ new ComponentName(PocDeviceAdminReceiver.class.getPackage().getName(),
+ PocDeviceAdminReceiver.class.getName());
+ mDevicePolicyManager.addUserRestriction(mComponentName, USER_RESTRICTION);
+ UserManager userManager = mContext.getSystemService(UserManager.class);
+ assumeTrue(getStringRes(R.string.setUserRestrictionFailed),
+ userManager.getUserRestrictions().getBoolean(USER_RESTRICTION));
+
+ /* Start the window that contains option to toggle "Bluetooth scanning" on/off */
+ Intent intent = new Intent(getStringRes(R.string.locationIntentAction));
+ intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
+ mContext.startActivity(intent);
+
+ /* Wait for the window that contains option to toggle "Bluetooth scanning" */
+ Pattern btScanningPattern = Pattern.compile(getStringRes(R.string.btScanningPattern),
+ Pattern.CASE_INSENSITIVE);
+ boolean btScanningFound = mDevice.wait(
+ Until.hasObject(
+ By.text(btScanningPattern).res(getStringRes(R.string.resBtScanning))),
+ UI_TIMEOUT_MS);
+ assumeTrue(getStringRes(R.string.btScanningTimedOut), btScanningFound);
+
+ /*
+ * Check if the toggle "Bluetooth scanning" is enabled, it is supposed to be disabled by
+ * the Device Admin in presence of fix
+ */
+ UiObject2 btScanningToggle = mDevice.findObject(
+ By.text(btScanningPattern).res(getStringRes(R.string.resBtScanning)));
+ assertFalse(getStringRes(R.string.failMsg), btScanningToggle.isEnabled());
+ } catch (Exception e) {
+ assumeNoException(e);
+ }
+ }
+}
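Review bot: `tearDown` runs `pressHome()`, `clearUserRestriction()` and `clearDeviceOwnerApp()` inside a single try block whose catch ignores everything, so an exception from either of the first two calls skips `clearDeviceOwnerApp()`. The package would then remain device owner, possibly with DISALLOW_CONFIG_LOCATION still set, after the test has finished. Attempting each cleanup step in its own try block, in the same order, keeps one failure from leaving the device in a managed state. Separately, `getIntegerRes` is not called anywhere in this file and could be dropped.

```java
@After
public void tearDown() {
    /* Each cleanup step is attempted on its own so one failure cannot skip the rest */
    try {
        mDevice.pressHome();
    } catch (Exception e) {
        // best effort: the test is already complete
    }
    try {
        mDevicePolicyManager.clearUserRestriction(mComponentName, USER_RESTRICTION);
    } catch (Exception e) {
        // best effort: still try to drop device owner below
    }
    try {
        mDevicePolicyManager.clearDeviceOwnerApp(mContext.getPackageName());
    } catch (Exception e) {
        // best effort: the test is already complete
    }
}
```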
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/src/android/security/cts/CVE_2022_20349/PocDeviceAdminReceiver.java b/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/src/android/security/cts/CVE_2022_20349/PocDeviceAdminReceiver.java
new file mode 100644
index 00000000000..145307126e7
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2022-20349/src/android/security/cts/CVE_2022_20349/PocDeviceAdminReceiver.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2022_20349;
+
+import android.app.admin.DeviceAdminReceiver;
+
+public class PocDeviceAdminReceiver extends DeviceAdminReceiver {
+}