Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d5f89343 authored by Mark Salyzyn's avatar Mark Salyzyn
Browse files

adb-remount-test: add an avc check 

Check if adb remount resulted in any unlabeled references just before
rebooting the device.

Test: adb-remount-test.sh
Bug: 129319403
Bug: 132395411
Change-Id: Ica0c14da39773f615d9b5e4cfc4602bd50c70e4e
parent 53ec0a46

fs_mgr/tests/adb-remount-test.sh

+36 −0
Original line number Diff line number Diff line
@@ -135,10 +135,30 @@ Returns: the logcat output" ] 
adb_logcat() {

  echo "${RED}[     INFO ]${NORMAL} logcat ${@}" >&2 &&

  adb logcat "${@}" </dev/null |

    tr -d '\r' |

    grep -v 'logd    : logdr: UID=' |

    sed -e '${/------- beginning of kernel/d}' -e 's/^[0-1][0-9]-[0-3][0-9] //'

}



[ "USAGE: avc_check >/dev/stderr



Returns: worrisome avc violations" ]

avc_check() {

  if ! ${overlayfs_supported:-false}; then

    return

  fi

  local L=`adb_logcat -b all -v brief -d \

                      -e 'context=u:object_r:unlabeled:s0' 2>/dev/null |

             sed -n 's/.*avc: //p' |

             sort -u`

  if [ -z "${L}" ]; then

    return

  fi

  echo "${ORANGE}[  WARNING ]${NORMAL} unlabeled sepolicy violations:" >&2

  echo "${L}" |

    sed 's/^/             /' >&2

}



[ "USAGE: get_property <prop>



Returns the property value" ]
@@ -177,6 +197,7 @@ adb_cat() { 


Returns: true if the reboot command succeeded" ]

adb_reboot() {

  avc_check

  adb reboot remount-test </dev/null || true

  sleep 2

}
@@ -811,6 +832,7 @@ if [ "orange" = "`get_property ro.boot.verifiedbootstate`" -a \ 


  echo "${GREEN}[ RUN      ]${NORMAL} Testing adb shell su root remount -R command" >&2



  avc_check

  adb_su remount -R system </dev/null || true

  sleep 2

  adb_wait ${ADB_WAIT} ||
@@ -977,6 +999,11 @@ fi 


echo "${GREEN}[ RUN      ]${NORMAL} remount" >&2



# Feed log with selinux denials as baseline before overlays

adb_unroot

adb_sh find /system /vendor </dev/null >/dev/null 2>/dev/null

adb_root



D=`adb remount 2>&1`

ret=${?}

echo "${D}"
@@ -1129,6 +1156,9 @@ if ${enforcing}; then 
  B="`adb_cat /vendor/hello 2>&1`"

  check_eq "cat: /vendor/hello: Permission denied" "${B}" vendor after reboot w/o root

  echo "${GREEN}[       OK ]${NORMAL} /vendor content correct MAC after reboot" >&2

  # Feed unprivileged log with selinux denials as a result of overlays

  wait_for_screen

  adb_sh find /system /vendor </dev/null >/dev/null 2>/dev/null

fi

B="`adb_cat /system/hello`"

check_eq "${A}" "${B}" /system after reboot
@@ -1140,6 +1170,9 @@ B="`adb_cat /vendor/hello`" 
check_eq "${A}" "${B}" vendor after reboot

echo "${GREEN}[       OK ]${NORMAL} /vendor content remains after reboot" >&2



# Feed log with selinux denials as a result of overlays

adb_sh find /system /vendor </dev/null >/dev/null 2>/dev/null



# Check if the updated libc.so is persistent after reboot.

adb_root &&

  adb pull /system/lib/bootstrap/libc.so ${tempdir}/libc.so.fromdevice >/dev/null ||
@@ -1176,6 +1209,7 @@ elif ! ( 
  echo "${ORANGE}[  WARNING ]${NORMAL} vendor image signature mismatch, skipping"

else

  wait_for_screen

  avc_check

  adb reboot fastboot </dev/null ||

    die "fastbootd not supported (wrong adb in path?)"

  any_wait ${ADB_WAIT} &&
@@ -1288,6 +1322,7 @@ if [ -n "${scratch_partition}" ]; then 


  echo "${GREEN}[ RUN      ]${NORMAL} test fastboot flash to ${scratch_partition} recovery" >&2



  avc_check

  adb reboot fastboot </dev/null ||

    die "Reboot into fastbootd"

  img=${TMPDIR}/adb-remount-test-${$}.img
@@ -1412,6 +1447,7 @@ err=${?} 


if [ ${err} = 0 ] && ${overlayfs_supported}; then

  echo "${GREEN}[ RUN      ]${NORMAL} test 'adb remount -R'" >&2

  avc_check

  adb_root &&

    adb remount -R &&

    adb_wait ${ADB_WAIT} ||