ACPR/android_system_core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge "logd: test: switch to /data/backup/ for sepolicy avc injection" am: d289e36847

Browse source 
am: 17fc5dad3b

Change-Id: Ibc0cffb9f8df3d7bb8bc848e03cb1b0af588a446
This commit is contained in:
Mark Salyzyn 2017-01-20 19:47:11 +00:00 committed by android-build-merger
commit 0eaa560c7a
1 changed files with 17 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
logd/tests/logd_test.cpp
View file

@ -196,7 +196,9 @@ TEST(logd, statistics) {
EXPECT_TRUE(NULL != main_logs); EXPECT_TRUE(NULL != main_logs);
char *radio_logs = strstr(cp, "\nChattiest UIDs in radio "); char *radio_logs = strstr(cp, "\nChattiest UIDs in radio ");
EXPECT_TRUE(NULL != radio_logs); if (!radio_logs) GTEST_LOG_(INFO) << "Value of: NULL != radio_logs\n"
"Actual: false\n"
"Expected: false\n";
char *system_logs = strstr(cp, "\nChattiest UIDs in system "); char *system_logs = strstr(cp, "\nChattiest UIDs in system ");
EXPECT_TRUE(NULL != system_logs); EXPECT_TRUE(NULL != system_logs);
@ -942,8 +944,16 @@ static pid_t sepolicy_rate(unsigned rate, unsigned num) {
return 0; return 0;
} }
// Requests dac_read_search, falls back to request dac_override // The key here is we are root, but we are in u:r:shell:s0,
rate /= 2; // and the directory does not provide us DAC access
// (eg: 0700 system system) so we trigger the pair dac_override
// and dac_read_search on every try to get past the message
// de-duper. We will also rotate the file name in the directory
// as another measure.
static const char file[] = "/data/backup/cannot_access_directory_%u";
static const unsigned avc_requests_per_access = 2;
rate /= avc_requests_per_access;
useconds_t usec; useconds_t usec;
if (rate == 0) { if (rate == 0) {
rate = 1; rate = 1;
@ -951,15 +961,12 @@ static pid_t sepolicy_rate(unsigned rate, unsigned num) {
} else { } else {
usec = (1000000 + (rate / 2)) / rate; usec = (1000000 + (rate / 2)) / rate;
} }
num = (num + 1) / 2; num = (num + (avc_requests_per_access / 2)) / avc_requests_per_access;
if (usec < 2) usec = 2; if (usec < 2) usec = 2;
while (num > 0) { while (num > 0) {
if (access(android::base::StringPrintf( if (access(android::base::StringPrintf(file, num).c_str(), F_OK) == 0) {
"/data/misc/logd/cannot_access_directory_%u",
num).c_str(),
F_OK) == 0) {
_exit(-1); _exit(-1);
// NOTREACHED // NOTREACHED
return 0; return 0;
@ -1002,7 +1009,7 @@ static int count_avc(pid_t pid) {
// int len = get4LE(eventData + 4 + 1); // int len = get4LE(eventData + 4 + 1);
log_msg.buf[LOGGER_ENTRY_MAX_LEN] = '\0'; log_msg.buf[LOGGER_ENTRY_MAX_LEN] = '\0';
const char *cp = strstr(eventData + 4 + 1 + 4, "): avc: "); const char *cp = strstr(eventData + 4 + 1 + 4, "): avc: denied");
if (!cp) continue; if (!cp) continue;
++count; ++count;
@ -1055,8 +1062,7 @@ TEST(logd, sepolicy_rate_limiter_spam) {
// give logd another 3 seconds to react to the burst before checking // give logd another 3 seconds to react to the burst before checking
sepolicy_rate(rate, rate * 3); sepolicy_rate(rate, rate * 3);
// maximum period at double the maximum burst rate (spam filter kicked in) // maximum period at double the maximum burst rate (spam filter kicked in)
EXPECT_GE(((AUDIT_RATE_LIMIT_MAX * AUDIT_RATE_LIMIT_BURST_DURATION) * 130) / EXPECT_GE(threshold * 2,
100, // +30% margin
count_avc(sepolicy_rate(rate, count_avc(sepolicy_rate(rate,
rate * AUDIT_RATE_LIMIT_BURST_DURATION))); rate * AUDIT_RATE_LIMIT_BURST_DURATION)));
// cool down, and check unspammy rate still works // cool down, and check unspammy rate still works