Merge "CTS test for Android Security b/277593270" into rvc-dev am: 1ddd892 am: 1991310 am: a7ff1b1 am: 2c15374 am: 1fee24a am: 941c847 am: 6af720e

Treehugger Robot · android-build-merge-worker-robot · commit 0c4e5ba2d9e7 · 2023-09-13T10:30:02.000Z
Original change: https://googleplex-android-review.googlesource.com/c/platform/cts/+/24583552 Change-Id: I267ef6f7354fe741c6efa4ac115fa52017a7b4f7 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21291.java b/hostsidetests/securitybulletin/src/android/security/cts/CVE_2023_21291.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import static org.junit.Assume.assumeNoException;
+
+import android.platform.test.annotations.AsbSecurityTest;
+
+import com.android.sts.common.SystemUtil;
+import com.android.sts.common.UserUtils;
+import com.android.sts.common.tradefed.testtype.NonRootSecurityTestCase;
+import com.android.tradefed.device.ITestDevice;
+import com.android.tradefed.testtype.DeviceJUnit4ClassRunner;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(DeviceJUnit4ClassRunner.class)
+public class CVE_2023_21291 extends NonRootSecurityTestCase {
+
+    @AsbSecurityTest(cveBugId = 277593270)
+    @Test
+    public void testPocCVE_2023_21291() {
+        try {
+            // Install application
+            installPackage("CVE-2023-21291.apk", "-g");
+
+            // Create a secondary user cve_2023_21291_user and enable global hidden_api_policy to
+            // access hidden field in DeviceTest
+            ITestDevice device = getDevice();
+            try (AutoCloseable closable =
+                            SystemUtil.withSetting(device, "global", "hidden_api_policy", "1");
+                    AutoCloseable asSecondaryUser =
+                            new UserUtils.SecondaryUser(device)
+                                    .name("cve_2023_21291_user")
+                                    .withUser()) {
+
+                // Run DeviceTest
+                final String testPkg = "android.security.cts.CVE_2023_21291";
+                runDeviceTests(testPkg, testPkg + ".DeviceTest", "testPocCVE_2023_21291");
+            }
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21291/Android.bp b/hostsidetests/securitybulletin/test-apps/CVE-2023-21291/Android.bp
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package {
+    default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+android_test_helper_app {
+    name: "CVE-2023-21291",
+    defaults: ["cts_support_defaults"],
+    srcs: [
+        "src/**/*.java",
+    ],
+    test_suites: [
+        "sts",
+    ],
+    static_libs: [
+        "androidx.test.core",
+        "androidx.test.rules",
+        "compatibility-device-util-axt",
+        "sts-device-util",
+    ],
+}
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21291/AndroidManifest.xml b/hostsidetests/securitybulletin/test-apps/CVE-2023-21291/AndroidManifest.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="android.security.cts.CVE_2023_21291">
+    <uses-permission android:name="android.permission.POST_NOTIFICATIONS" />
+
+    <instrumentation
+            android:name="androidx.test.runner.AndroidJUnitRunner"
+            android:targetPackage="android.security.cts.CVE_2023_21291" />
+</manifest>
diff --git a/hostsidetests/securitybulletin/test-apps/CVE-2023-21291/src/android/security/cts/CVE_2023_21291/DeviceTest.java b/hostsidetests/securitybulletin/test-apps/CVE-2023-21291/src/android/security/cts/CVE_2023_21291/DeviceTest.java
@@ -0,0 +1,176 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2023_21291;
+
+import static android.Manifest.permission.CREATE_USERS;
+import static android.provider.MediaStore.Images.Media.EXTERNAL_CONTENT_URI;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static com.android.sts.common.SystemUtil.poll;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.Instrumentation;
+import android.app.Notification;
+import android.app.NotificationChannel;
+import android.app.NotificationManager;
+import android.app.Person;
+import android.content.ContentProvider;
+import android.content.Context;
+import android.content.pm.UserInfo;
+import android.graphics.drawable.Icon;
+import android.os.UserManager;
+import android.provider.MediaStore;
+import android.service.notification.StatusBarNotification;
+import android.util.Log;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.compatibility.common.util.SystemUtil;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.util.List;
+
+@RunWith(AndroidJUnit4.class)
+public class DeviceTest {
+
+    @Test
+    public void testPocCVE_2023_21291() {
+        try {
+            Instrumentation instrumentation = getInstrumentation();
+            Context context = instrumentation.getContext();
+            final UserManager userManager = context.getSystemService(UserManager.class);
+
+            // Check if the device supports multiple users or not
+            assumeTrue(
+                    "This device does not support multiple users",
+                    userManager.supportsMultipleUsers());
+
+            // Get the user id of "cve_2023_21291_user"
+            int testUserId =
+                    SystemUtil.runWithShellPermissionIdentity(
+                            () -> {
+                                List<UserInfo> list = userManager.getUsers();
+                                for (UserInfo info : list) {
+                                    if (info.toString().contains("cve_2023_21291_user")) {
+                                        return info.getUserHandle().getIdentifier();
+                                    }
+                                }
+                                return -1;
+                            },
+                            CREATE_USERS);
+            assumeTrue("Unable to find the user cve_2023_21291_user", testUserId != -1);
+
+            // Insert a placeholder content in the new user and query it to see if it has been
+            // inserted successfully
+            final String imagesContentUri = EXTERNAL_CONTENT_URI.toString();
+            assumeTrue(
+                    "Failed to insert a placeholder content in the test user",
+                    poll(
+                            () -> {
+                                try {
+                                    SystemUtil.runShellCommand(
+                                            instrumentation,
+                                            String.format(
+                                                    "content insert --user %d --uri %s --bind "
+                                                            + "_display_name:s:cve_2023_21291.jpg",
+                                                    testUserId, imagesContentUri));
+                                    return SystemUtil.runShellCommand(
+                                                    instrumentation,
+                                                    String.format(
+                                                            "content query " + "--user %d --uri %s",
+                                                            testUserId, imagesContentUri))
+                                            .contains("Row");
+                                } catch (Exception e) {
+                                    Log.i("CVE-2023-21291", "Got an exception: " + e);
+                                }
+                                return false;
+                            }));
+
+            // Create notificationManager
+            NotificationManager notificationManager =
+                    context.getSystemService(NotificationManager.class);
+
+            // Create notificationChannel
+            String channelId = "cve_2023_21291_channel_id";
+            notificationManager.createNotificationChannel(
+                    new NotificationChannel(
+                            channelId,
+                            "cve_2023_21291_channel_name" /* notification channel name */,
+                            NotificationManager.IMPORTANCE_DEFAULT));
+
+            // Post the Notification and check if any security exception is caught
+            try {
+                notificationManager.notify(
+                        0 /* notification id */,
+                        new Notification.Builder(context)
+                                .setChannelId(channelId)
+                                .setStyle(
+                                        new Notification.MessagingStyle(
+                                                        new Person.Builder()
+                                                                .setName("cve_2023_21291_person")
+                                                                .build())
+                                                .setShortcutIcon(
+                                                        Icon.createWithContentUri(
+                                                                ContentProvider.maybeAddUserId(
+                                                                        EXTERNAL_CONTENT_URI,
+                                                                        testUserId))))
+                                .setSmallIcon(
+                                        Icon.createWithData(
+                                                new byte[0] /* data */,
+                                                0 /* offset */,
+                                                0 /* length */))
+                                .build());
+            } catch (SecurityException securityException) {
+                if (securityException
+                        .getLocalizedMessage()
+                        .toLowerCase()
+                        .contains(MediaStore.Images.Media.EXTERNAL_CONTENT_URI.toString())) {
+                    // Ignore exception thrown with fix and exit the test
+                    return;
+                } else {
+                    throw securityException;
+                }
+            }
+
+            // Check if notification gets posted or not, fail the test if notification gets posted
+            assertFalse(
+                    "Device is vulnerable to b/277593270 hence images belonging to another user on"
+                            + " the same device can be displayed in conversation notifications",
+                    poll(
+                            () -> {
+                                StatusBarNotification[] activeNotifications =
+                                        notificationManager.getActiveNotifications();
+                                for (StatusBarNotification notification : activeNotifications) {
+                                    if (notification
+                                            .getPackageName()
+                                            .equals(context.getPackageName())) {
+                                        return true;
+                                    }
+                                }
+                                return false;
+                            }));
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+}
