# Copyright (c) 2012 The Chromium OS Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. import logging import pwd import re from autotest_lib.client.bin import test, utils from autotest_lib.client.common_lib import error class security_StatefulPermissions(test.test): """ Report all unexpected writable paths in the /mnt/stateful_partition tree. """ version = 1 _STATEFUL_ROOT = "/mnt/stateful_partition" _AID_SYSTEM = 1000 _AID_CACHE = 2001 # Note that chronos permissions in /home are covered in greater detail # by 'security_ProfilePermissions'. _masks_byuser = {"adm": [], "android-root": ["/encrypted/var/log/android.kmsg"], "attestation": ["/unencrypted/preserve", "/unencrypted/preserve/attestation.epb"], "avfs": [], "bin": [], "bluetooth": ["/encrypted/var/lib/bluetooth"], "chaps": ["/encrypted/var/lib/chaps"], "chronos": ["/encrypted/chronos", "/encrypted/var/cache/app_pack", "/encrypted/var/cache/camera", "/encrypted/var/cache/device_local_account_component_policy", "/encrypted/var/cache/device_local_account_extensions", "/encrypted/var/cache/device_local_account_external_policy_data", "/encrypted/var/cache/display_profiles", "/encrypted/var/cache/echo", "/encrypted/var/cache/external_cache", "/encrypted/var/cache/shared_extensions", "/encrypted/var/cache/signin_profile_component_policy", "/encrypted/var/cache/touch_trial/selection", "/encrypted/var/lib/cromo", "/encrypted/var/lib/opencryptoki", "/encrypted/var/lib/timezone", "/encrypted/var/lib/Synaptics/chronos.1000", "/encrypted/var/log/chrome", "/encrypted/var/log/connectivity.bak", "/encrypted/var/log/connectivity.log", "/encrypted/var/log/metrics", "/encrypted/var/minidumps", "/home/user"], "chronos-access": [], "cras": [], "cros-disks": [], "cups": ["/encrypted/var/cache/cups", "/encrypted/var/spool/cups"], "daemon": [], "debugd": [], "dhcp": ["/encrypted/var/lib/dhcpcd"], "dlm": ["/encrypted/var/log/displaylink"], "imageloaderd": ["/encrypted/var/lib/imageloader"], "input": [], "ipsec": [], "lp": [], "messagebus": [], "mtp": [], "news": [], "nobody": [], "ntfs-3g": [], "openvpn": [], "portage": ["/encrypted/var/log/emerge.log"], "power": ["/encrypted/var/lib/power_manager", "/encrypted/var/log/power_manager"], "pkcs11": [], "root": None, "sshd": [], "syslog": ["/encrypted/var/log"], "tcpdump": [], "tlsdate": [], "tpm_manager": ["/encrypted/var/lib/tpm_manager", "/unencrypted/preserve"], "tss": ["/var/lib/tpm"], "uucp": [], "wpa": [], "xorg": ["/encrypted/var/lib/xkb", "/encrypted/var/log/xorg", "/encrypted/var/log/Xorg.0.log"] } def systemwide_exclusions(self): """Returns a list of paths that are only present on test images and therefore should be excluded from all 'find' commands. """ paths = [] # 'preserve/log' is test-only. paths.append("/unencrypted/preserve/log") # Cover up Portage noise. paths.append("/encrypted/var/cache/edb") paths.append("/encrypted/var/lib/gentoo") paths.append("/encrypted/var/log/portage") # Cover up Autotest noise. paths.append("/dev_image") paths.append("/var_overlay") return paths def generate_prune_arguments_android(self): """Returns a command-line fragment to make 'find' exclude android-data/cache: uid=AID_SYSTEM, gid=AID_CACHE android-data/data: uid=AID_SYSTEM, gid=AID_SYSTEM Files under these paths are created by various android users. """ try: aroot_uid = pwd.getpwnam('android-root').pw_uid except KeyError: # android-root not found, so don't prune anything return "" # On ecryptfs backend, the Android data path is # /home/.shadow/hash/vault/root/ENCRYPTED<android-data>/... # while on ext4crypto backend, it is: # /home/.shadow/hash/mount/ENCRYPTED<root>/ENCRYPTED<android-data>/... cmd = "-regextype posix-extended -regex STATEFUL_ROOT/home/.shadow/" cmd += "[[:alnum:]]{40}/(vault/root|mount/[^/]*)/[^/]*/[^/]* " cmd += "-uid {0} \\( -gid {1} -o -gid {2} \\) -prune -o ".format( aroot_uid + self._AID_SYSTEM, aroot_uid + self._AID_SYSTEM, aroot_uid + self._AID_CACHE) return cmd def generate_prune_arguments(self, prunelist): """Returns a command-line fragment to make 'find' exclude the entries in |prunelist|. @param prunelist: list of paths to ignore """ fragment = "-path STATEFUL_ROOT%s -prune -o" fragments = [fragment % path for path in prunelist] return " ".join(fragments) def generate_find(self, user, prunelist): """ Generates the "find" command that spits out all files in stateful writable by a given user, with the given list of directories removed. @param user: report writable paths owned by this user @param prunelist: list of paths to ignore """ if prunelist is None: return "true" # return a no-op shell command, e.g. for root. # Exclude world-writeable stuff. # '/var/lib/metrics/uma-events' is world-writeable: crbug.com/198054. prunelist.append("/encrypted/var/lib/metrics/uma-events") # '/run/lock' is world-writeable. prunelist.append("/encrypted/var/lock") # '/var/log/asan' should be world-writeable: crbug.com/453579 prunelist.append("/encrypted/var/log/asan") # Add system-wide exclusions. prunelist.extend(self.systemwide_exclusions()) cmd = "find STATEFUL_ROOT " cmd += self.generate_prune_arguments(prunelist) # Note that we don't "prune" all of /var/tmp's contents, just mask # the dir itself. Any contents are still interesting. cmd += " -path STATEFUL_ROOT/encrypted/var/tmp -o " cmd += " -writable -ls -o -user %s -ls 2>/dev/null" % user return cmd def expected_owners(self): """Returns the set of file/directory owners expected in stateful.""" # In other words, this is basically the users mentioned in # tests_byuser, except for any expected to actually own zero files. # Currently, there's no exclusions. return set(self._masks_byuser.keys()) def observed_owners(self): """Returns the set of file/directory owners present in stateful.""" cmd = "find STATEFUL_ROOT " cmd += self.generate_prune_arguments_android() cmd += self.generate_prune_arguments(self.systemwide_exclusions()) cmd += " -printf '%u\\n' | sort -u" return set(self.subst_run(cmd).splitlines()) def owners_lacking_coverage(self): """ Determines the set of owners not covered by any of the per-owner tests implemented in this class. Returns a set of usernames (possibly the empty set). """ return self.observed_owners().difference(self.expected_owners()) def log_owned_files(self, owner): """ Sends information about all files in the stateful partition owned by a given owner to the standard logging facility. @param owner: paths owned by this user will be reported """ cmd = "find STATEFUL_ROOT -user %s -ls" % owner cmd_output = self.subst_run(cmd) logging.error(cmd_output) def subst_run(self, cmd, stateful_root=_STATEFUL_ROOT): """ Replace "STATEFUL_ROOT" with the actual stateful partition path. @param cmd: string containing the command to examine @param stateful_root: path used to replace "STATEFUL_ROOT" """ cmd = cmd.replace("STATEFUL_ROOT", stateful_root) return utils.system_output(cmd, ignore_status=True) def run_once(self): """ Accounts for the contents of the stateful partition piece-wise, inspecting the level of access which can be obtained by each of the privilege levels (usernames) used in CrOS. The test passes if each of the owner-specific sub-tests pass, and if there are no files unaccounted for (i.e., no unexpected file-owners for which we have no tests.) """ testfail = False unexpected_owners = self.owners_lacking_coverage() if unexpected_owners: testfail = True for o in unexpected_owners: self.log_owned_files(o) # Now run the sub-tests. for user, mask in self._masks_byuser.items(): cmd = self.generate_find(user, mask) try: pwd.getpwnam(user) except KeyError, err: logging.warning('Skipping missing user: %s', err) continue # The 'EOF' below helps us distinguish 2 types of failures. # We have to use ignore_status=True because many of these # find-based tests will exit(nonzero) to signal that they # encountered inaccessible directories, which we expect by-design. # This creates ambiguity as to whether empty output means # the test ran, and passed, or the su failed. Including an # expected 'EOF' output disambiguates these cases. cmd = "su -s /bin/sh -c '%s;echo EOF' %s" % (cmd, user) cmd_output = self.subst_run(cmd) if not cmd_output: # we never got 'EOF', su failed testfail = True logging.error("su failed while attempting to run:") logging.error(cmd) logging.error("[Got %s]", cmd_output) elif not re.search("^\s*EOF\s*$", cmd_output): # we got test failures before 'EOF' testfail = True logging.error("Test for '%s' found unexpected files:\n%s", user, cmd_output) if testfail: raise error.TestFail("Unexpected files/perms in stateful")