Remove DeviceConfig dependency for SelinuxFrameworksTests (3a1f110a) · Commits · e / os / android_frameworks_base

services/core/java/com/android/server/selinux/SelinuxAuditLogBuilder.java

+2 −10

Original line number	Diff line number	Diff line
		@@ -15,7 +15,6 @@
		*/
		package com.android.server.selinux;

		import android.provider.DeviceConfig;
		import android.text.TextUtils;
		import android.util.Slog;

		@@ -34,10 +33,6 @@ class SelinuxAuditLogBuilder {

		private static final String TAG = "SelinuxAuditLogs";

		// This config indicates which Selinux logs for source domains to collect. The string will be
		// inserted into a regex, so it must follow the regex syntax. For example, a valid value would
		// be "system_server\|untrusted_app".
		@VisibleForTesting static final String CONFIG_SELINUX_AUDIT_DOMAIN = "selinux_audit_domain";
		private static final Matcher NO_OP_MATCHER = Pattern.compile("no-op^").matcher("");
		private static final String TCONTEXT_PATTERN =
		"u:object_r:(?<ttype>\\w+):s0(:c)?(?<tcategories>((,c)?\\d+)+)*";
		@@ -50,7 +45,7 @@ class SelinuxAuditLogBuilder {
		private Iterator<String> mTokens;
		private final SelinuxAuditLog mAuditLog = new SelinuxAuditLog();

		SelinuxAuditLogBuilder() {
		SelinuxAuditLogBuilder(String auditDomain) {
		Matcher scontextMatcher = NO_OP_MATCHER;
		Matcher tcontextMatcher = NO_OP_MATCHER;
		Matcher pathMatcher = NO_OP_MATCHER;
		@@ -59,10 +54,7 @@ class SelinuxAuditLogBuilder {
		Pattern.compile(
		TextUtils.formatSimple(
		"u:r:(?<stype>%s):s0(:c)?(?<scategories>((,c)?\\d+)+)*",
		DeviceConfig.getString(
		DeviceConfig.NAMESPACE_ADSERVICES,
		CONFIG_SELINUX_AUDIT_DOMAIN,
		"no_match^")))
		auditDomain))
		.matcher("");
		tcontextMatcher = Pattern.compile(TCONTEXT_PATTERN).matcher("");
		pathMatcher = Pattern.compile(PATH_PATTERN).matcher("");

services/core/java/com/android/server/selinux/SelinuxAuditLogsCollector.java

+27 −2

Original line number	Diff line number	Diff line
		@@ -15,6 +15,7 @@
		*/
		package com.android.server.selinux;

		import android.provider.DeviceConfig;
		import android.util.EventLog;
		import android.util.EventLog.Event;
		import android.util.Log;
		@@ -32,6 +33,7 @@ import java.util.ArrayList;
		import java.util.List;
		import java.util.Queue;
		import java.util.concurrent.atomic.AtomicBoolean;
		import java.util.function.Supplier;
		import java.util.regex.Matcher;
		import java.util.regex.Pattern;

		@@ -43,9 +45,16 @@ class SelinuxAuditLogsCollector {

		private static final String SELINUX_PATTERN = "^.\\bavc:\\s+(?<denial>.)$";

		// This config indicates which Selinux logs for source domains to collect. The string will be
		// inserted into a regex, so it must follow the regex syntax. For example, a valid value would
		// be "system_server\|untrusted_app".
		@VisibleForTesting static final String CONFIG_SELINUX_AUDIT_DOMAIN = "selinux_audit_domain";
		@VisibleForTesting static final String DEFAULT_SELINUX_AUDIT_DOMAIN = "no_match^";

		@VisibleForTesting
		static final Matcher SELINUX_MATCHER = Pattern.compile(SELINUX_PATTERN).matcher("");

		private final Supplier<String> mAuditDomainSupplier;
		private final RateLimiter mRateLimiter;
		private final QuotaLimiter mQuotaLimiter;

		@@ -53,11 +62,26 @@ class SelinuxAuditLogsCollector {

		AtomicBoolean mStopRequested = new AtomicBoolean(false);

		SelinuxAuditLogsCollector(RateLimiter rateLimiter, QuotaLimiter quotaLimiter) {
		SelinuxAuditLogsCollector(
		Supplier<String> auditDomainSupplier,
		RateLimiter rateLimiter,
		QuotaLimiter quotaLimiter) {
		mAuditDomainSupplier = auditDomainSupplier;
		mRateLimiter = rateLimiter;
		mQuotaLimiter = quotaLimiter;
		}

		SelinuxAuditLogsCollector(RateLimiter rateLimiter, QuotaLimiter quotaLimiter) {
		this(
		() ->
		DeviceConfig.getString(
		DeviceConfig.NAMESPACE_ADSERVICES,
		CONFIG_SELINUX_AUDIT_DOMAIN,
		DEFAULT_SELINUX_AUDIT_DOMAIN),
		rateLimiter,
		quotaLimiter);
		}

		public void setStopRequested(boolean stopRequested) {
		mStopRequested.set(stopRequested);
		}
		@@ -108,7 +132,8 @@ class SelinuxAuditLogsCollector {
		}

		private boolean writeAuditLogs(Queue<Event> logLines) {
		final SelinuxAuditLogBuilder auditLogBuilder = new SelinuxAuditLogBuilder();
		final SelinuxAuditLogBuilder auditLogBuilder =
		new SelinuxAuditLogBuilder(mAuditDomainSupplier.get());
		int auditsWritten = 0;

		while (!mStopRequested.get() && !logLines.isEmpty()) {

services/tests/selinux/src/com/android/server/selinux/SelinuxAuditLogsBuilderTest.java

+5 −31

Original line number	Diff line number	Diff line
		@@ -15,18 +15,14 @@
		*/
		package com.android.server.selinux;

		import static com.android.compatibility.common.util.SystemUtil.runWithShellPermissionIdentity;
		import static com.android.server.selinux.SelinuxAuditLogBuilder.toCategories;

		import static com.google.common.truth.Truth.assertThat;

		import android.provider.DeviceConfig;

		import androidx.test.ext.junit.runners.AndroidJUnit4;

		import com.android.server.selinux.SelinuxAuditLogBuilder.SelinuxAuditLog;

		import org.junit.After;
		import org.junit.Before;
		import org.junit.Test;
		import org.junit.runner.RunWith;
		@@ -45,24 +41,12 @@ public class SelinuxAuditLogsBuilderTest {

		@Before
		public void setUp() {
		runWithShellPermissionIdentity(
		() ->
		DeviceConfig.setLocalOverride(
		DeviceConfig.NAMESPACE_ADSERVICES,
		SelinuxAuditLogBuilder.CONFIG_SELINUX_AUDIT_DOMAIN,
		TEST_DOMAIN));

		mAuditLogBuilder = new SelinuxAuditLogBuilder();
		mAuditLogBuilder = new SelinuxAuditLogBuilder(TEST_DOMAIN);
		mScontextMatcher = mAuditLogBuilder.mScontextMatcher;
		mTcontextMatcher = mAuditLogBuilder.mTcontextMatcher;
		mPathMatcher = mAuditLogBuilder.mPathMatcher;
		}

		@After
		public void tearDown() {
		runWithShellPermissionIdentity(() -> DeviceConfig.clearAllLocalOverrides());
		}

		@Test
		public void testMatcher_scontext() {
		assertThat(mScontextMatcher.reset("u:r:" + TEST_DOMAIN + ":s0").matches()).isTrue();
		@@ -109,13 +93,9 @@ public class SelinuxAuditLogsBuilderTest {

		@Test
		public void testMatcher_scontextDefaultConfig() {
		runWithShellPermissionIdentity(
		() ->
		DeviceConfig.clearLocalOverride(
		DeviceConfig.NAMESPACE_ADSERVICES,
		SelinuxAuditLogBuilder.CONFIG_SELINUX_AUDIT_DOMAIN));

		Matcher scontexMatcher = new SelinuxAuditLogBuilder().mScontextMatcher;
		Matcher scontexMatcher =
		new SelinuxAuditLogBuilder(SelinuxAuditLogsCollector.DEFAULT_SELINUX_AUDIT_DOMAIN)
		.mScontextMatcher;

		assertThat(scontexMatcher.reset("u:r:" + TEST_DOMAIN + ":s0").matches()).isFalse();
		assertThat(scontexMatcher.reset("u:r:" + TEST_DOMAIN + ":s0:c123,c456").matches())
		@@ -221,13 +201,7 @@ public class SelinuxAuditLogsBuilderTest {
		@Test
		public void testSelinuxAuditLogsBuilder_wrongConfig() {
		String notARegexDomain = "not]a[regex";
		runWithShellPermissionIdentity(
		() ->
		DeviceConfig.setLocalOverride(
		DeviceConfig.NAMESPACE_ADSERVICES,
		SelinuxAuditLogBuilder.CONFIG_SELINUX_AUDIT_DOMAIN,
		notARegexDomain));
		SelinuxAuditLogBuilder noOpBuilder = new SelinuxAuditLogBuilder();
		SelinuxAuditLogBuilder noOpBuilder = new SelinuxAuditLogBuilder(notARegexDomain);

		noOpBuilder.reset(
		"granted { p } scontext=u:r:"

services/tests/selinux/src/com/android/server/selinux/SelinuxAuditLogsCollectorTest.java

+1 −10

Original line number	Diff line number	Diff line
		@@ -15,7 +15,6 @@
		*/
		package com.android.server.selinux;

		import static com.android.compatibility.common.util.SystemUtil.runWithShellPermissionIdentity;
		import static com.android.dx.mockito.inline.extended.ExtendedMockito.mockitoSession;
		import static com.android.dx.mockito.inline.extended.ExtendedMockito.verify;

		@@ -28,7 +27,6 @@ import static org.mockito.ArgumentMatchers.anyString;
		import static org.mockito.Mockito.never;
		import static org.mockito.Mockito.times;

		import android.provider.DeviceConfig;
		import android.util.EventLog;

		import androidx.test.ext.junit.runners.AndroidJUnit4;
		@@ -59,6 +57,7 @@ public class SelinuxAuditLogsCollectorTest {
		private final SelinuxAuditLogsCollector mSelinuxAutidLogsCollector =
		// Ignore rate limiting for tests
		new SelinuxAuditLogsCollector(
		() -> TEST_DOMAIN,
		new RateLimiter(mClock, /* window= */ Duration.ofMillis(0)),
		new QuotaLimiter(
		mClock, /* windowSize= / Duration.ofHours(1), / maxPermits= */ 5));
		@@ -67,13 +66,6 @@ public class SelinuxAuditLogsCollectorTest {

		@Before
		public void setUp() {
		runWithShellPermissionIdentity(
		() ->
		DeviceConfig.setLocalOverride(
		DeviceConfig.NAMESPACE_ADSERVICES,
		SelinuxAuditLogBuilder.CONFIG_SELINUX_AUDIT_DOMAIN,
		TEST_DOMAIN));

		mSelinuxAutidLogsCollector.setStopRequested(false);
		// move the clock forward for the limiters.
		mClock.currentTimeMillis += Duration.ofHours(1).toMillis();
		@@ -85,7 +77,6 @@ public class SelinuxAuditLogsCollectorTest {

		@After
		public void tearDown() {
		runWithShellPermissionIdentity(() -> DeviceConfig.clearAllLocalOverrides());
		mMockitoSession.finishMocking();
		}