
Commit fc9a21de authored by Alan Stokes's avatar Alan Stokes

Detect native code loading by untrusted_app.

Modify the regex to cover untrusted_app as well as untrusted_app_25
and untrusted_app_27.

Add a test to verify.

Bug: 126536482
Test: atest DynamicCodeLoggerIntegrationsTests
Change-Id: Ie4cbabfb55a5e78868cc6ee8ec46270ab3bf75d1
parent d5276e9f
+1 −1
@@ -61,7 +61,7 @@ public class DynamicCodeLoggingService extends JobService {
    private static final Pattern EXECUTE_NATIVE_AUDIT_PATTERN =
            Pattern.compile(".*\\bavc: granted \\{ execute(?:_no_trans|) \\} .*"
                    + "\\bpath=(?:\"([^\" ]*)\"|([0-9A-F]+)) .*"
                    + "\\bscontext=u:r:untrusted_app_2(?:5|7):.*"
                    + "\\bscontext=u:r:untrusted_app(?:_25|_27)?:.*"
                    + "\\btcontext=u:object_r:app_data_file:.*"
                    + "\\btclass=file\\b.*");
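Review bot: The new `scontext` alternative `untrusted_app(?:_25|_27)?` still lists the version-suffixed domains by hand, so native code executed from `app_data_file` by an app in any other `untrusted_app_NN` domain would not match and would produce no DCL event. Whether this tree's policy defines or will add such domains is not visible from the hunk, but if it does, detection coverage is lost silently. Writing the line as `+ "\\bscontext=u:r:untrusted_app(?:_\\d+)?:.*"` would follow new suffixed domains automatically. If the enumeration is deliberate, a comment above `EXECUTE_NATIVE_AUDIT_PATTERN` naming the sepolicy domains it must be kept in sync with would make that maintenance obligation explicit.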

+28 −0
@@ -234,6 +234,34 @@ public final class DynamicCodeLoggerIntegrationTests {
                expectedNameHash, expectedContentHash);
    }

    @Test
    public void testGeneratesEvents_spoofed_validFile_untrustedApp() throws Exception {
        File privateCopyFile = privateFile("spoofed2");

        String expectedContentHash = copyAndHashResource(
                "/DynamicCodeLoggerNativeExecutable", privateCopyFile);

        EventLog.writeEvent(EventLog.getTagCode("auditd"),
                "type=1400 avc: granted { execute_no_trans } "
                        + "path=\"" + privateCopyFile + "\" "
                        + "scontext=u:r:untrusted_app: "
                        + "tcontext=u:object_r:app_data_file: "
                        + "tclass=file ");

        String expectedNameHash =
                "3E57AA59249154C391316FDCF07C1D499C26A564E4D305833CCD9A98ED895AC9";

        // Run the job to scan generated audit log entries
        runDynamicCodeLoggingJob(AUDIT_WATCHING_JOB_ID);

        // And then make sure we log events about it
        long previousEventNanos = mostRecentEventTimeNanos();
        runDynamicCodeLoggingJob(IDLE_LOGGING_JOB_ID);

        assertDclLoggedSince(previousEventNanos, DCL_NATIVE_SUBTAG,
                expectedNameHash, expectedContentHash);
    }

    @Test
    public void testGeneratesEvents_spoofed_pathTraversal() throws Exception {
        File privateDir = privateFile("x").getParentFile();
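Review bot: The 64-hex literal assigned to `expectedNameHash` in `testGeneratesEvents_spoofed_validFile_untrustedApp` has no comment saying what it is a digest of, so nobody can regenerate it if the file name `"spoofed2"` or the hashing scheme changes. A line such as `// Hash of the private file name "spoofed2", as computed by the logger (confirm derivation)` above it would fix that. The body also appears to duplicate the preceding test, of which only the closing `assertDclLoggedSince(...)` call is visible here. A private helper taking the file name and the `scontext` string would allow one short test per domain: `untrusted_app`, `untrusted_app_25` and `untrusted_app_27`. A negative case asserting that an audit line with a non-matching `scontext` logs nothing would guard against the optional suffix making the pattern too permissive, unless one already exists outside this hunk.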