From fc9a21de684f24f0005be43d0113b504bd5990fc Mon Sep 17 00:00:00 2001
From: Alan Stokes
Date: Wed, 27 Feb 2019 21:30:59 +0000
Subject: Detect native code loading by untrusted_app.
Modify the regex to cover untrusted_app as well as untrusted_app_25 and untrusted_app_27. Add a test to verify.
Bug: 126536482
Test: atest DynamicCodeLoggerIntegrationsTests
Change-Id: Ie4cbabfb55a5e78868cc6ee8ec46270ab3bf75d1
---
.../pm/dex/DynamicCodeLoggerIntegrationTests.java | 28 ++++++++++++++++++++++
1 file changed, 28 insertions(+)
(limited to 'tests/DynamicCodeLoggerIntegrationTests/src')
diff --git a/tests/DynamicCodeLoggerIntegrationTests/src/com/android/server/pm/dex/DynamicCodeLoggerIntegrationTests.java b/tests/DynamicCodeLoggerIntegrationTests/src/com/android/server/pm/dex/DynamicCodeLoggerIntegrationTests.java
index 8ef15d869a0b..4f9aeea5bdb4 100644
--- a/tests/DynamicCodeLoggerIntegrationTests/src/com/android/server/pm/dex/DynamicCodeLoggerIntegrationTests.java
+++ b/tests/DynamicCodeLoggerIntegrationTests/src/com/android/server/pm/dex/DynamicCodeLoggerIntegrationTests.java
@@ -234,6 +234,34 @@ public final class DynamicCodeLoggerIntegrationTests {
 expectedNameHash, expectedContentHash);
 }

+ @Test
+ public void testGeneratesEvents_spoofed_validFile_untrustedApp() throws Exception {
+ File privateCopyFile = privateFile("spoofed2");
+
+ String expectedContentHash = copyAndHashResource(
+ "/DynamicCodeLoggerNativeExecutable", privateCopyFile);
+
+ EventLog.writeEvent(EventLog.getTagCode("auditd"),
+ "type=1400 avc: granted { execute_no_trans } "
+ + "path=\"" + privateCopyFile + "\" "
+ + "scontext=u:r:untrusted_app: "
+ + "tcontext=u:object_r:app_data_file: "
+ + "tclass=file ");
+
+ String expectedNameHash =
+ "3E57AA59249154C391316FDCF07C1D499C26A564E4D305833CCD9A98ED895AC9";
+
+ // Run the job to scan generated audit log entries
+ runDynamicCodeLoggingJob(AUDIT_WATCHING_JOB_ID);
+
+ // And then make sure we log events about it
+ long previousEventNanos = mostRecentEventTimeNanos();
+ runDynamicCodeLoggingJob(IDLE_LOGGING_JOB_ID);
+
+ assertDclLoggedSince(previousEventNanos, DCL_NATIVE_SUBTAG,
+ expectedNameHash, expectedContentHash);
+ }
+
 @Test
 public void testGeneratesEvents_spoofed_pathTraversal() throws Exception {
 File privateDir = privateFile("x").getParentFile();
-- cgit v1.2.3-59-g8ed1b
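Review bot: `testGeneratesEvents_spoofed_validFile_untrustedApp` exercises only the accepting side of the widened `scontext` match, so as far as this hunk shows it would still pass if the regex had been loosened beyond `untrusted_app`, `untrusted_app_25` and `untrusted_app_27`. The matching code is outside this diff (it is limited to the tests directory), so this is inferred. Unless a test elsewhere in the class already covers it, add a companion case that writes the same `auditd` line with a domain outside the untrusted_app family (a constructed example: `scontext=u:r:example_domain: `) and checks that no new `DCL_NATIVE_SUBTAG` event is logged after the two job runs. The hard-coded `expectedNameHash` literal would also benefit from a one-line comment, for instance `// Name hash expected for the private copy "spoofed2"; update if the file name changes` (presumably it is derived from the file name, to be confirmed).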