# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
import grp
import json
import logging
import pwd
import os
import stat
from autotest_lib.client.bin import test, utils
from autotest_lib.client.common_lib import error
class security_RootfsStatefulSymlinks(test.test):
version = 1
_BAD_DESTINATIONS = [
'*/var/*', '*/home/*', '*/stateful_partition/*',
'*/usr/local/*'
]
def load_baseline(self):
bfile = open(os.path.join(self.bindir, 'baseline'))
baseline = json.loads(bfile.read())
bfile.close()
return baseline
def validate_attributes(self, link, expectations):
"""
Given a symlink, validate that the file it points to
matches all of the expected properties (owner, group, mode).
Returns True if all expections are met, False otherwise.
"""
destination = os.readlink(link)
if destination != expectations['destination']:
logging.error(
"Expected '%s' to point to '%s', but it points to '%s'",
link, expectations['destination'], destination)
logging.error(utils.system_output("ls -ald '%s'" % destination))
return False
# By this point, we know it points to the right place, but we
# need to determine if the destination exists (and, if not, if
# that's permitted by "can_dangle": true in the baseline.
if not os.path.exists(destination):
logging.warning("'%s' points to '%s', but it's dangling",
link, destination)
return expectations['can_dangle']
# It exists, it's the right path, so check the permissions.
s = os.stat(destination)
owner = pwd.getpwuid(s.st_uid).pw_name
group = grp.getgrgid(s.st_gid).gr_name
mode = oct(stat.S_IMODE(s.st_mode))
if (owner == expectations['owner'] and
group == expectations['group'] and
mode == expectations['mode']):
return True
else:
logging.error("'%s': expected %s:%s %s, saw %s:%s %s",
destination, expectations['owner'],
expectations['group'], expectations['mode'],
owner, group, mode)
return False
def run_once(self):
"""
Find any symlinks that point from the rootfs into
"bad destinations" (e.g., stateful partition). Validate
that any approved cases meet with all expectations, and
that there are no unexpected additional such links found.
"""
baseline = self.load_baseline()
test_pass = True
clauses = ["-lname '%s'" % i for i in self._BAD_DESTINATIONS]
cmd = 'find / -xdev %s' % ' -o '.join(clauses)
cmd_output = utils.system_output(cmd, ignore_status=True)
links_seen = set(cmd_output.splitlines())
for link in links_seen:
# Check if this link is in the baseline. If not, test fails.
if not link in baseline:
logging.error("No baseline entry for '%s'", link)
logging.error(utils.system_output("ls -ald '%s'" % link))
test_pass = False
continue
# If it is, proceed to validate other attributes (where it points,
# permissions of what it points to, etc).
file_pass = self.validate_attributes(link, baseline[link])
test_pass = test_pass and file_pass
# The above will have flagged any links for which we had no baseline.
# Warn (but do not trigger failure) when we have baseline entries
# which we did not find on the system.
expected_set = set(baseline.keys())
diff = expected_set.difference(links_seen)
if diff:
logging.warning("Warning, possible stale baseline entries:")
for d in diff:
logging.warning(d)
if not test_pass:
raise error.TestFail("Baseline mismatch")