Merge "logd: test: switch to /data/backup/ for sepolicy avc injection" am: d289e36847 am: 17fc5dad3b am: 0eaa560c7a

am: 212fc3349f

Change-Id: I3d0b151d3892b56db9f68a703021a9991c67c222
This commit is contained in:
Mark Salyzyn 2017-01-20 19:52:30 +00:00 committed by android-build-merger
commit 987059e988
1 changed files with 17 additions and 11 deletions

View File

@ -196,7 +196,9 @@ TEST(logd, statistics) {
EXPECT_TRUE(NULL != main_logs);
char *radio_logs = strstr(cp, "\nChattiest UIDs in radio ");
EXPECT_TRUE(NULL != radio_logs);
if (!radio_logs) GTEST_LOG_(INFO) << "Value of: NULL != radio_logs\n"
"Actual: false\n"
"Expected: false\n";
char *system_logs = strstr(cp, "\nChattiest UIDs in system ");
EXPECT_TRUE(NULL != system_logs);
@ -942,8 +944,16 @@ static pid_t sepolicy_rate(unsigned rate, unsigned num) {
return 0;
}
// Requests dac_read_search, falls back to request dac_override
rate /= 2;
// The key here is we are root, but we are in u:r:shell:s0,
// and the directory does not provide us DAC access
// (eg: 0700 system system) so we trigger the pair dac_override
// and dac_read_search on every try to get past the message
// de-duper. We will also rotate the file name in the directory
// as another measure.
static const char file[] = "/data/backup/cannot_access_directory_%u";
static const unsigned avc_requests_per_access = 2;
rate /= avc_requests_per_access;
useconds_t usec;
if (rate == 0) {
rate = 1;
@ -951,15 +961,12 @@ static pid_t sepolicy_rate(unsigned rate, unsigned num) {
} else {
usec = (1000000 + (rate / 2)) / rate;
}
num = (num + 1) / 2;
num = (num + (avc_requests_per_access / 2)) / avc_requests_per_access;
if (usec < 2) usec = 2;
while (num > 0) {
if (access(android::base::StringPrintf(
"/data/misc/logd/cannot_access_directory_%u",
num).c_str(),
F_OK) == 0) {
if (access(android::base::StringPrintf(file, num).c_str(), F_OK) == 0) {
_exit(-1);
// NOTREACHED
return 0;
@ -1002,7 +1009,7 @@ static int count_avc(pid_t pid) {
// int len = get4LE(eventData + 4 + 1);
log_msg.buf[LOGGER_ENTRY_MAX_LEN] = '\0';
const char *cp = strstr(eventData + 4 + 1 + 4, "): avc: ");
const char *cp = strstr(eventData + 4 + 1 + 4, "): avc: denied");
if (!cp) continue;
++count;
@ -1055,8 +1062,7 @@ TEST(logd, sepolicy_rate_limiter_spam) {
// give logd another 3 seconds to react to the burst before checking
sepolicy_rate(rate, rate * 3);
// maximum period at double the maximum burst rate (spam filter kicked in)
EXPECT_GE(((AUDIT_RATE_LIMIT_MAX * AUDIT_RATE_LIMIT_BURST_DURATION) * 130) /
100, // +30% margin
EXPECT_GE(threshold * 2,
count_avc(sepolicy_rate(rate,
rate * AUDIT_RATE_LIMIT_BURST_DURATION)));
// cool down, and check unspammy rate still works