# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
import logging
import pwd
import re
from autotest_lib.client.bin import test, utils
from autotest_lib.client.common_lib import error
class security_StatefulPermissions(test.test):
"""
Report all unexpected writable paths in the /mnt/stateful_partition
tree.
"""
version = 1
_STATEFUL_ROOT = "/mnt/stateful_partition"
_AID_SYSTEM = 1000
_AID_CACHE = 2001
# Note that chronos permissions in /home are covered in greater detail
# by 'security_ProfilePermissions'.
_masks_byuser = {"adm": [],
"android-root": ["/encrypted/var/log/android.kmsg"],
"attestation": ["/unencrypted/preserve",
"/unencrypted/preserve/attestation.epb"],
"avfs": [],
"bin": [],
"bluetooth": ["/encrypted/var/lib/bluetooth"],
"chaps": ["/encrypted/var/lib/chaps"],
"chronos": ["/encrypted/chronos",
"/encrypted/var/cache/app_pack",
"/encrypted/var/cache/camera",
"/encrypted/var/cache/device_local_account_component_policy",
"/encrypted/var/cache/device_local_account_extensions",
"/encrypted/var/cache/device_local_account_external_policy_data",
"/encrypted/var/cache/display_profiles",
"/encrypted/var/cache/echo",
"/encrypted/var/cache/external_cache",
"/encrypted/var/cache/shared_extensions",
"/encrypted/var/cache/signin_profile_component_policy",
"/encrypted/var/cache/touch_trial/selection",
"/encrypted/var/lib/cromo",
"/encrypted/var/lib/opencryptoki",
"/encrypted/var/lib/timezone",
"/encrypted/var/lib/Synaptics/chronos.1000",
"/encrypted/var/log/chrome",
"/encrypted/var/log/connectivity.bak",
"/encrypted/var/log/connectivity.log",
"/encrypted/var/log/metrics",
"/encrypted/var/minidumps",
"/home/user"],
"chronos-access": [],
"cras": [],
"cros-disks": [],
"cups": ["/encrypted/var/cache/cups",
"/encrypted/var/spool/cups"],
"daemon": [],
"debugd": [],
"dhcp": ["/encrypted/var/lib/dhcpcd"],
"dlm": ["/encrypted/var/log/displaylink"],
"imageloaderd": ["/encrypted/var/lib/imageloader"],
"input": [],
"ipsec": [],
"lp": [],
"messagebus": [],
"mtp": [],
"news": [],
"nobody": [],
"ntfs-3g": [],
"openvpn": [],
"portage": ["/encrypted/var/log/emerge.log"],
"power": ["/encrypted/var/lib/power_manager",
"/encrypted/var/log/power_manager"],
"pkcs11": [],
"root": None,
"sshd": [],
"syslog": ["/encrypted/var/log"],
"tcpdump": [],
"tlsdate": [],
"tpm_manager": ["/encrypted/var/lib/tpm_manager",
"/unencrypted/preserve"],
"tss": ["/var/lib/tpm"],
"uucp": [],
"wpa": [],
"xorg": ["/encrypted/var/lib/xkb",
"/encrypted/var/log/xorg",
"/encrypted/var/log/Xorg.0.log"]
}
def systemwide_exclusions(self):
"""Returns a list of paths that are only present on test images
and therefore should be excluded from all 'find' commands.
"""
paths = []
# 'preserve/log' is test-only.
paths.append("/unencrypted/preserve/log")
# Cover up Portage noise.
paths.append("/encrypted/var/cache/edb")
paths.append("/encrypted/var/lib/gentoo")
paths.append("/encrypted/var/log/portage")
# Cover up Autotest noise.
paths.append("/dev_image")
paths.append("/var_overlay")
return paths
def generate_prune_arguments_android(self):
"""Returns a command-line fragment to make 'find' exclude
android-data/cache: uid=AID_SYSTEM, gid=AID_CACHE
android-data/data: uid=AID_SYSTEM, gid=AID_SYSTEM
Files under these paths are created by various android users.
"""
try:
aroot_uid = pwd.getpwnam('android-root').pw_uid
except KeyError:
# android-root not found, so don't prune anything
return ""
# On ecryptfs backend, the Android data path is
# /home/.shadow/hash/vault/root/ENCRYPTED<android-data>/...
# while on ext4crypto backend, it is:
# /home/.shadow/hash/mount/ENCRYPTED<root>/ENCRYPTED<android-data>/...
cmd = "-regextype posix-extended -regex STATEFUL_ROOT/home/.shadow/"
cmd += "[[:alnum:]]{40}/(vault/root|mount/[^/]*)/[^/]*/[^/]* "
cmd += "-uid {0} \\( -gid {1} -o -gid {2} \\) -prune -o ".format(
aroot_uid + self._AID_SYSTEM,
aroot_uid + self._AID_SYSTEM, aroot_uid + self._AID_CACHE)
return cmd
def generate_prune_arguments(self, prunelist):
"""Returns a command-line fragment to make 'find' exclude the entries
in |prunelist|.
@param prunelist: list of paths to ignore
"""
fragment = "-path STATEFUL_ROOT%s -prune -o"
fragments = [fragment % path for path in prunelist]
return " ".join(fragments)
def generate_find(self, user, prunelist):
"""
Generates the "find" command that spits out all files in stateful
writable by a given user, with the given list of directories removed.
@param user: report writable paths owned by this user
@param prunelist: list of paths to ignore
"""
if prunelist is None:
return "true" # return a no-op shell command, e.g. for root.
# Exclude world-writeable stuff.
# '/var/lib/metrics/uma-events' is world-writeable: crbug.com/198054.
prunelist.append("/encrypted/var/lib/metrics/uma-events")
# '/run/lock' is world-writeable.
prunelist.append("/encrypted/var/lock")
# '/var/log/asan' should be world-writeable: crbug.com/453579
prunelist.append("/encrypted/var/log/asan")
# Add system-wide exclusions.
prunelist.extend(self.systemwide_exclusions())
cmd = "find STATEFUL_ROOT "
cmd += self.generate_prune_arguments(prunelist)
# Note that we don't "prune" all of /var/tmp's contents, just mask
# the dir itself. Any contents are still interesting.
cmd += " -path STATEFUL_ROOT/encrypted/var/tmp -o "
cmd += " -writable -ls -o -user %s -ls 2>/dev/null" % user
return cmd
def expected_owners(self):
"""Returns the set of file/directory owners expected in stateful."""
# In other words, this is basically the users mentioned in
# tests_byuser, except for any expected to actually own zero files.
# Currently, there's no exclusions.
return set(self._masks_byuser.keys())
def observed_owners(self):
"""Returns the set of file/directory owners present in stateful."""
cmd = "find STATEFUL_ROOT "
cmd += self.generate_prune_arguments_android()
cmd += self.generate_prune_arguments(self.systemwide_exclusions())
cmd += " -printf '%u\\n' | sort -u"
return set(self.subst_run(cmd).splitlines())
def owners_lacking_coverage(self):
"""
Determines the set of owners not covered by any of the
per-owner tests implemented in this class. Returns
a set of usernames (possibly the empty set).
"""
return self.observed_owners().difference(self.expected_owners())
def log_owned_files(self, owner):
"""
Sends information about all files in the stateful partition
owned by a given owner to the standard logging facility.
@param owner: paths owned by this user will be reported
"""
cmd = "find STATEFUL_ROOT -user %s -ls" % owner
cmd_output = self.subst_run(cmd)
logging.error(cmd_output)
def subst_run(self, cmd, stateful_root=_STATEFUL_ROOT):
"""
Replace "STATEFUL_ROOT" with the actual stateful partition path.
@param cmd: string containing the command to examine
@param stateful_root: path used to replace "STATEFUL_ROOT"
"""
cmd = cmd.replace("STATEFUL_ROOT", stateful_root)
return utils.system_output(cmd, ignore_status=True)
def run_once(self):
"""
Accounts for the contents of the stateful partition
piece-wise, inspecting the level of access which can
be obtained by each of the privilege levels (usernames)
used in CrOS.
The test passes if each of the owner-specific sub-tests pass,
and if there are no files unaccounted for (i.e., no unexpected
file-owners for which we have no tests.)
"""
testfail = False
unexpected_owners = self.owners_lacking_coverage()
if unexpected_owners:
testfail = True
for o in unexpected_owners:
self.log_owned_files(o)
# Now run the sub-tests.
for user, mask in self._masks_byuser.items():
cmd = self.generate_find(user, mask)
try:
pwd.getpwnam(user)
except KeyError, err:
logging.warning('Skipping missing user: %s', err)
continue
# The 'EOF' below helps us distinguish 2 types of failures.
# We have to use ignore_status=True because many of these
# find-based tests will exit(nonzero) to signal that they
# encountered inaccessible directories, which we expect by-design.
# This creates ambiguity as to whether empty output means
# the test ran, and passed, or the su failed. Including an
# expected 'EOF' output disambiguates these cases.
cmd = "su -s /bin/sh -c '%s;echo EOF' %s" % (cmd, user)
cmd_output = self.subst_run(cmd)
if not cmd_output:
# we never got 'EOF', su failed
testfail = True
logging.error("su failed while attempting to run:")
logging.error(cmd)
logging.error("[Got %s]", cmd_output)
elif not re.search("^\s*EOF\s*$", cmd_output):
# we got test failures before 'EOF'
testfail = True
logging.error("Test for '%s' found unexpected files:\n%s",
user, cmd_output)
if testfail:
raise error.TestFail("Unexpected files/perms in stateful")