Problem description
A CTS report comes back with a failure such as:
Module | Passed | Failed | Assumption Failure | Ignored | Total Tests | Done |
---|---|---|---|---|---|---|
armeabi-v7a CtsSecurityHostTestCases | 0 | 1 | 0 | 0 | 1 | true |
This is because, starting with Android Q, Google added a check for dumpstate denials (AOSP/667966, AOSP/742461): if any dumpstate avc denied log appears after the bugreport command is run, this test item fails.
Add CTS test to ensure bugreports don't generate SELinux denials.
This test takes a bugreport on the device and ensures that it does not
generate any dumpstate-related denials.
/cts/hostsidetests/security/src/android/cts/security/SELinuxHostTest.java
```java
public void testNoBugreportDenials() throws Exception {
    // Take a bugreport and get its logcat output.
    mDevice.executeAdbCommand("logcat", "-c");
    mDevice.getBugreport();
    String log = mDevice.executeAdbCommand("logcat", "-d");
    // Find all the dumpstate-related types and make a regex that will match them.
    Set<String> types = sepolicyAnalyzeGetTypesAssociatedWithAttribute("hal_dumpstate_server");
    types.add("dumpstate");
    String typeRegex = types.stream().collect(Collectors.joining("|"));
    Pattern p = Pattern.compile("avc: *denied.*scontext=u:(?:r|object_r):(?:" + typeRegex + "):s0.*");
    // Fail if logcat contains such a denial.
    Matcher m = p.matcher(log);
    StringBuilder errorString = new StringBuilder();
    while (m.find()) {
        errorString.append(m.group());
        errorString.append("\n");
    }
    assertTrue("Found illegal SELinux denial(s): " + errorString, errorString.length() == 0);
}
```
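dumpstate is a process that ships with AOSP, and we generally do not modify its source. This kind of failure usually appears because new directories or files were added without giving dumpstate allow rules or dontaudit rules; when the access is triggered, an avc denied log is produced and the test item fails.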
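The same check can be run over a saved logcat to see which accesses still lack a rule before rerunning CTS. The sketch below is an added example, not code from the original post or from AOSP: it applies the test's pattern and groups the hits by source type, target type and class. The type set, the sample log lines, the `vendor_foo_*` types and the function names are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed stand-in for the types the CTS test reads from the device policy
# (attribute hal_dumpstate_server, plus "dumpstate").
ASSUMED_TYPES = {"dumpstate", "hal_dumpstate_default"}

# Constructed logcat excerpt; vendor_foo_* are placeholder types.
SAMPLE_LOG = """\
W dumpstate: avc: denied { read } for name="stats" scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_foo_file:s0 tclass=file permissive=0
W dumpstate: avc: denied { open } for name="stats" scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_foo_file:s0 tclass=file permissive=0
W dumpstate@1.0: avc: denied { search } for name="foo" scontext=u:r:hal_dumpstate_default:s0 tcontext=u:object_r:vendor_foo_data_file:s0 tclass=dir permissive=0
W Thread-2: avc: denied { read } for name="version" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file permissive=0
"""

def _field(rx, text):
    """Return the first capture group of rx in text, or "?" if it is absent."""
    m = re.search(rx, text)
    return m.group(1) if m else "?"

def find_denials(log, types=ASSUMED_TYPES):
    """Map (source type, target type, class) -> sorted permissions for every
    denial that the pattern in testNoBugreportDenials would report."""
    alt = "|".join(re.escape(t) for t in sorted(types))
    cts = re.compile(r"avc: *denied.*scontext=u:(?:r|object_r):(" + alt + r"):s0.*")
    grouped = defaultdict(set)
    for m in cts.finditer(log):
        line = m.group(0)  # starts at "avc:", so the first {...} is the permission set
        key = (m.group(1),
               _field(r"tcontext=u:(?:r|object_r):([^:\s]+)", line),
               _field(r"tclass=(\S+)", line))
        grouped[key].update(_field(r"\{([^}]*)\}", line).split())
    return {k: sorted(v) for k, v in grouped.items()}

def rule_skeletons(denials, keyword="dontaudit"):
    """Format each group as a policy rule line for review (allow or dontaudit)."""
    return [f"{keyword} {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(denials.items())]

if __name__ == "__main__":
    for rule in rule_skeletons(find_denials(SAMPLE_LOG)):
        print(rule)
```

Whether a group gets an allow rule or a dontaudit rule depends on whether dumpstate actually needs that data in the bugreport; the skeletons are only a starting point for review.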
Solution