authorTreeHugger Robot <treehugger-gerrit@google.com>2023-03-28 09:18:54 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2023-03-28 09:18:54 +0000
commit1267e3a5b1fff029d79c04eb3d1125815fe13329 (patch)
tree204e0dbd5d46466992043c4701f31b25e876d8f2
parent95ab65371d441892bab67ce7c0b41245e2135c61 (diff)
parent08c5805764eb865eb0519d6fc603ef7b69818b72 (diff)
downloadcts-1267e3a5b1fff029d79c04eb3d1125815fe13329.tar.gz
Merge "CTS test for Android Security b/258653813" into rvc-dev am: 308e52d769 am: 06baae8978 am: 08c5805764
Original change: https://googleplex-android-review.googlesource.com/c/platform/cts/+/21114946 Change-Id: Ie12c5a8a15603e4cfef543171e4bfa9a776d7af8 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r--hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_20955.java81
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2023-20955/Android.bp54
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/AndroidManifest.xml33
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/res/values/strings.xml29
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/res/xml/device_policies.xml20
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/src/android/security/cts/CVE_2023_20955_test/DeviceTest.java131
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/src/android/security/cts/CVE_2023_20955_test/PocDeviceAdminReceiver.java22
-rw-r--r--hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-helper-app/AndroidManifest.xml20
8 files changed, 390 insertions, 0 deletions
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_20955.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_20955.java
new file mode 100644
index 00000000000..96f2257ed15
--- /dev/null
+++ b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_20955.java
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_20955 extends NonRootSecurityTestCase {
+
+ // b/258653813
+ // Vulnerable app : Settings.apk
+ // Vulnerable package : com.android.settings
+ // Is Play Managed : No
+ @AsbSecurityTest(cveBugId = 240663194)
+ @Test
+ public void testPocCVE_2023_20955() {
+ int userId = -1;
+ ITestDevice device = null;
+ final String testPkg = "android.security.cts.CVE_2023_20955_test";
+ final String componentName = testPkg + "/.PocDeviceAdminReceiver";
+ try {
+ device = getDevice();
+
+ // Install the test app
+ installPackage("CVE-2023-20955-test.apk", "-t");
+
+ // Set test app as device owner
+ assumeTrue("Failed to set test app as device owner",
+ device.setDeviceOwner(componentName, 0));
+
+ // Create a new user
+ userId = device.createUser("CTSUser");
+ assumeTrue("Failed to create a user. ITestDevice.createUser() returned -1",
+ userId != -1);
+
+ // Install test helper app for all users
+ installPackage("CVE-2023-20955-test-helper.apk", "--user all");
+
+ // Run device test to check if App Info window allows uninstall for all users if
+ // DevicePolicyManager has restricted it.
+ runDeviceTests(testPkg, testPkg + ".DeviceTest",
+ "testAppInfoUninstallForAllUsersDisabled");
+ } catch (Exception e) {
+ assumeNoException(e);
+ } finally {
+ try {
+ // Remove user
+ device.removeUser(userId);
+
+ // Remove test app as device owner
+ device.removeAdmin(componentName, 0);
+ } catch (Exception e) {
+ // ignore
+ }
+ }
+ }
+}
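Review bot: The cleanup in the `finally` block of `testPocCVE_2023_20955` puts `device.removeUser(userId)` and `device.removeAdmin(componentName, 0)` in one `try`, so any exception from the first call skips the second and leaves the test app as device owner on the device under test. That path is reachable from the visible code: `device` is still `null` if `getDevice()` throws, and `userId` is still `-1` if the test stops before or during `createUser`. Whether `removeUser(-1)` throws or just returns false is not visible here, so the guard is the safe choice. I would give each cleanup step its own `try` and only remove the user when one was actually created, as sketched below.

```java
        } finally {
            // Each cleanup step is isolated so a failure in one cannot skip the other.
            if (device != null) {
                if (userId != -1) {
                    try {
                        device.removeUser(userId);
                    } catch (Exception e) {
                        // ignore
                    }
                }
                try {
                    // Always attempt this, otherwise the device keeps a test-only device owner.
                    device.removeAdmin(componentName, 0);
                } catch (Exception e) {
                    // ignore
                }
            }
        }
```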
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/Android.bp
new file mode 100644
index 00000000000..e856574ef9c
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/Android.bp
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+ name: "CVE-2023-20955-test",
+ defaults: [
+ "cts_support_defaults",
+ ],
+ srcs: [
+ "test-app/src/**/*.java",
+ ],
+ test_suites: [
+ "sts",
+ ],
+ static_libs: [
+ "androidx.test.core",
+ "androidx.test.rules",
+ "androidx.test.uiautomator_uiautomator",
+ ],
+ resource_dirs: [
+ "test-app/res",
+ ],
+ manifest: "test-app/AndroidManifest.xml",
+ sdk_version: "current",
+}
+
+android_test_helper_app {
+ name: "CVE-2023-20955-test-helper",
+ defaults: [
+ "cts_support_defaults",
+ ],
+ test_suites: [
+ "sts",
+ ],
+ manifest: "test-helper-app/AndroidManifest.xml",
+ sdk_version: "current",
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/AndroidManifest.xml
new file mode 100644
index 00000000000..2d74f5492fc
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/AndroidManifest.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2023 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+ package="android.security.cts.CVE_2023_20955_test">
+ <application android:testOnly="true">
+ <receiver android:name=".PocDeviceAdminReceiver"
+ android:permission="android.permission.BIND_DEVICE_ADMIN"
+ android:exported="true">
+ <meta-data android:name="android.app.device_admin"
+ android:resource="@xml/device_policies" />
+ <intent-filter>
+ <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
+ </intent-filter>
+ </receiver>
+ </application>
+ <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"
+ android:targetPackage="android.security.cts.CVE_2023_20955_test" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/res/values/strings.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/res/values/strings.xml
new file mode 100644
index 00000000000..194436bd2b9
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/res/values/strings.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2023 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+
+<resources>
+ <string name="failMsg">Vulnerable to b/258653813 !!</string>
+ <string name="msgNotFoundTxt">Did not find an object with selector %1$s on the screen</string>
+ <string name="msgSetUserRestrictionFailed">Failed to set user restriction DISALLOW_APPS_CONTROL
+ </string>
+ <string name="patternMoreOptions">.*more options.*</string>
+ <string name="patternUninstall">.*uninstall.*</string>
+ <string name="patternUninstallAllUsers">.*uninstall for all users.*</string>
+ <string name="pkgNameHelper">android.security.cts.CVE_2023_20955_test_helper</string>
+ <string name="pkgNameInstaller">com.android.packageinstaller</string>
+ <string name="uriScheme">package</string>
+</resources>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/res/xml/device_policies.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/res/xml/device_policies.xml
new file mode 100644
index 00000000000..ed5352d7c0f
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/res/xml/device_policies.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2023 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+
+<device-admin>
+ <uses-policies />
+</device-admin>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/src/android/security/cts/CVE_2023_20955_test/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/src/android/security/cts/CVE_2023_20955_test/DeviceTest.java
new file mode 100644
index 00000000000..8b769040010
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/src/android/security/cts/CVE_2023_20955_test/DeviceTest.java
@@ -0,0 +1,131 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_20955_test;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.admin.DevicePolicyManager;
+import android.content.ComponentName;
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.PackageManager;
+import android.net.Uri;
+import android.os.UserManager;
+import android.provider.Settings;
+import android.widget.ImageButton;
+
+import androidx.test.runner.AndroidJUnit4;
+import androidx.test.uiautomator.By;
+import androidx.test.uiautomator.BySelector;
+import androidx.test.uiautomator.UiDevice;
+import androidx.test.uiautomator.Until;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.regex.Pattern;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+ private static final int TIMEOUT_MS = 5000;
+ private Context mContext;
+ private UiDevice mDevice;
+
+ private void waitAndClick(BySelector selector) {
+ assumeTrue(mContext.getString(R.string.msgNotFoundTxt, selector.toString()),
+ mDevice.wait(Until.hasObject(selector), TIMEOUT_MS));
+ mDevice.findObject(selector).click();
+ }
+
+ @Test
+ public void testAppInfoUninstallForAllUsersDisabled() {
+ try {
+ mContext = getInstrumentation().getTargetContext();
+ mDevice = UiDevice.getInstance(getInstrumentation());
+
+ // Restrict current user to disallow controlling apps
+ ComponentName deviceAdminComponent =
+ new ComponentName(mContext, PocDeviceAdminReceiver.class);
+ DevicePolicyManager policyManager = null;
+ policyManager = mContext.getSystemService(DevicePolicyManager.class);
+ policyManager.addUserRestriction(deviceAdminComponent,
+ UserManager.DISALLOW_APPS_CONTROL);
+
+ // Waiting for user restriction to be added
+ boolean disallowAppsControlVal =
+ (boolean) policyManager.getUserRestrictions(deviceAdminComponent)
+ .getBoolean(UserManager.DISALLOW_APPS_CONTROL);
+ while (!disallowAppsControlVal && System.currentTimeMillis() < TIMEOUT_MS) {
+ disallowAppsControlVal = policyManager.getUserRestrictions(deviceAdminComponent)
+ .getBoolean(UserManager.DISALLOW_APPS_CONTROL);
+ Thread.sleep(100);
+ }
+ assumeTrue(mContext.getString(R.string.msgSetUserRestrictionFailed),
+ disallowAppsControlVal);
+
+ // Launching "application info" window for test helper app
+ Uri pkgUri = Uri.fromParts(mContext.getString(R.string.uriScheme),
+ mContext.getString(R.string.pkgNameHelper), null);
+ Intent intent = new Intent(Settings.ACTION_APPLICATION_DETAILS_SETTINGS, pkgUri);
+ intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
+ mContext.startActivity(intent);
+
+ // Wait for the application info window and click on 3 dots with:
+ // content description = "More options"
+ Pattern descPattern = Pattern.compile(mContext.getString(R.string.patternMoreOptions),
+ Pattern.CASE_INSENSITIVE);
+ waitAndClick(By.clazz(ImageButton.class).desc(descPattern));
+
+ // Wait for a menu to appear. When it appears, click on the text "Uninstall for all
+ // users".
+ Pattern textPattern =
+ Pattern.compile(mContext.getString(R.string.patternUninstallAllUsers),
+ Pattern.CASE_INSENSITIVE);
+ waitAndClick(By.text(textPattern));
+
+ // Retrieve the package name of installer app
+ Intent packageInstallerIntent = new Intent(Intent.ACTION_DELETE, pkgUri);
+ ComponentName componentName =
+ packageInstallerIntent.resolveActivity(mContext.getPackageManager());
+ String pkgNameInstaller = mContext.getString(R.string.pkgNameInstaller);
+ if (componentName != null && componentName.getPackageName() != null) {
+ pkgNameInstaller = componentName.getPackageName();
+ }
+
+ // Wait for UI with package = "com.android.packageinstaller" (AOSP), text containing
+ // "uninstall". If found, it indicates vulnerable behaviour and anyone can uninstall
+ // app for all users despite the user restrictions.
+ textPattern = Pattern.compile(mContext.getString(R.string.patternUninstall),
+ Pattern.CASE_INSENSITIVE);
+ assertFalse(mContext.getString(R.string.failMsg), mDevice
+ .wait(Until.hasObject(By.pkg(pkgNameInstaller).text(textPattern)), TIMEOUT_MS));
+ } catch (Exception e) {
+ assumeNoException(e);
+ } finally {
+ try {
+ // Go to the home screen
+ mDevice.pressHome();
+ } catch (Exception e) {
+ // ignore
+ }
+ }
+ }
+}
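Review bot: The polling loop after `addUserRestriction` in `testAppInfoUninstallForAllUsersDisabled` never runs, because `System.currentTimeMillis()` is wall-clock time since the epoch and is always far larger than `TIMEOUT_MS` (5000). If the restriction is not visible on the first read, the following `assumeTrue` turns the run into an assumption failure, so the security check is skipped rather than executed. Compare against a deadline instead: `final long deadline = System.currentTimeMillis() + TIMEOUT_MS;` followed by `while (!disallowAppsControlVal && System.currentTimeMillis() < deadline) {`. The `(boolean)` cast on the first `getBoolean(...)` result is redundant and can be dropped at the same time.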
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/src/android/security/cts/CVE_2023_20955_test/PocDeviceAdminReceiver.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/src/android/security/cts/CVE_2023_20955_test/PocDeviceAdminReceiver.java
new file mode 100644
index 00000000000..7141a402e65
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-app/src/android/security/cts/CVE_2023_20955_test/PocDeviceAdminReceiver.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_20955_test;
+
+import android.app.admin.DeviceAdminReceiver;
+
+public class PocDeviceAdminReceiver extends DeviceAdminReceiver {
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-helper-app/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-helper-app/AndroidManifest.xml
new file mode 100644
index 00000000000..73420e4b366
--- /dev/null
+++ b/hostsidetests/securitybulletin/test-apps/CVE-2023-20955/test-helper-app/AndroidManifest.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2023 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+
+<manifest package="android.security.cts.CVE_2023_20955_test_helper">
+ <application />
+</manifest>