普通文本  |  283行  |  11.54 KB

# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import logging
import pwd
import re

from autotest_lib.client.bin import test, utils
from autotest_lib.client.common_lib import error

class security_StatefulPermissions(test.test):
    """
    Report all unexpected writable paths in the /mnt/stateful_partition
    tree.
    """
    version = 1
    _STATEFUL_ROOT = "/mnt/stateful_partition"
    _AID_SYSTEM = 1000
    _AID_CACHE = 2001

    # Note that chronos permissions in /home are covered in greater detail
    # by 'security_ProfilePermissions'.
    _masks_byuser = {"adm": [],
                     "android-root": ["/encrypted/var/log/android.kmsg"],
                     "attestation": ["/unencrypted/preserve",
                                     "/unencrypted/preserve/attestation.epb"],
                     "avfs": [],
                     "bin": [],
                     "bluetooth": ["/encrypted/var/lib/bluetooth"],
                     "chaps": ["/encrypted/var/lib/chaps"],
                     "chronos": ["/encrypted/chronos",
                                 "/encrypted/var/cache/app_pack",
                                 "/encrypted/var/cache/camera",
                                 "/encrypted/var/cache/device_local_account_component_policy",
                                 "/encrypted/var/cache/device_local_account_extensions",
                                 "/encrypted/var/cache/device_local_account_external_policy_data",
                                 "/encrypted/var/cache/display_profiles",
                                 "/encrypted/var/cache/echo",
                                 "/encrypted/var/cache/external_cache",
                                 "/encrypted/var/cache/shared_extensions",
                                 "/encrypted/var/cache/signin_profile_component_policy",
                                 "/encrypted/var/cache/touch_trial/selection",
                                 "/encrypted/var/lib/cromo",
                                 "/encrypted/var/lib/opencryptoki",
                                 "/encrypted/var/lib/timezone",
                                 "/encrypted/var/lib/Synaptics/chronos.1000",
                                 "/encrypted/var/log/chrome",
                                 "/encrypted/var/log/connectivity.bak",
                                 "/encrypted/var/log/connectivity.log",
                                 "/encrypted/var/log/metrics",
                                 "/encrypted/var/minidumps",
                                 "/home/user"],
                     "chronos-access": [],
                     "cras": [],
                     "cros-disks": [],
                     "cups": ["/encrypted/var/cache/cups",
                              "/encrypted/var/spool/cups"],
                     "daemon": [],
                     "debugd": [],
                     "dhcp": ["/encrypted/var/lib/dhcpcd"],
                     "dlm": ["/encrypted/var/log/displaylink"],
                     "imageloaderd": ["/encrypted/var/lib/imageloader"],
                     "input": [],
                     "ipsec": [],
                     "lp": [],
                     "messagebus": [],
                     "mtp": [],
                     "news": [],
                     "nobody": [],
                     "ntfs-3g": [],
                     "openvpn": [],
                     "portage": ["/encrypted/var/log/emerge.log"],
                     "power": ["/encrypted/var/lib/power_manager",
                               "/encrypted/var/log/power_manager"],
                     "pkcs11": [],
                     "root": None,
                     "sshd": [],
                     "syslog": ["/encrypted/var/log"],
                     "tcpdump": [],
                     "tlsdate": [],
                     "tpm_manager": ["/encrypted/var/lib/tpm_manager",
                                     "/unencrypted/preserve"],
                     "tss": ["/var/lib/tpm"],
                     "uucp": [],
                     "wpa": [],
                     "xorg": ["/encrypted/var/lib/xkb",
                              "/encrypted/var/log/xorg",
                              "/encrypted/var/log/Xorg.0.log"]
                    }


    def systemwide_exclusions(self):
        """Returns a list of paths that are only present on test images
        and therefore should be excluded from all 'find' commands.
        """
        paths = []

        # 'preserve/log' is test-only.
        paths.append("/unencrypted/preserve/log")

        # Cover up Portage noise.
        paths.append("/encrypted/var/cache/edb")
        paths.append("/encrypted/var/lib/gentoo")
        paths.append("/encrypted/var/log/portage")

        # Cover up Autotest noise.
        paths.append("/dev_image")
        paths.append("/var_overlay")

        return paths


    def generate_prune_arguments_android(self):
        """Returns a command-line fragment to make 'find' exclude
        android-data/cache: uid=AID_SYSTEM, gid=AID_CACHE
        android-data/data:  uid=AID_SYSTEM, gid=AID_SYSTEM
        Files under these paths are created by various android users.
        """
        try:
            aroot_uid = pwd.getpwnam('android-root').pw_uid
        except KeyError:
            # android-root not found, so don't prune anything
            return ""

        # On ecryptfs backend, the Android data path is
        # /home/.shadow/hash/vault/root/ENCRYPTED<android-data>/...
        # while on ext4crypto backend, it is:
        # /home/.shadow/hash/mount/ENCRYPTED<root>/ENCRYPTED<android-data>/...
        cmd = "-regextype posix-extended -regex STATEFUL_ROOT/home/.shadow/"
        cmd += "[[:alnum:]]{40}/(vault/root|mount/[^/]*)/[^/]*/[^/]* "
        cmd += "-uid {0} \\( -gid {1} -o -gid {2} \\) -prune -o ".format(
                aroot_uid + self._AID_SYSTEM,
                aroot_uid + self._AID_SYSTEM, aroot_uid + self._AID_CACHE)
        return cmd


    def generate_prune_arguments(self, prunelist):
        """Returns a command-line fragment to make 'find' exclude the entries
        in |prunelist|.

        @param prunelist: list of paths to ignore
        """
        fragment = "-path STATEFUL_ROOT%s -prune -o"
        fragments = [fragment % path for path in prunelist]
        return " ".join(fragments)


    def generate_find(self, user, prunelist):
        """
        Generates the "find" command that spits out all files in stateful
        writable by a given user, with the given list of directories removed.

        @param user: report writable paths owned by this user
        @param prunelist: list of paths to ignore
        """
        if prunelist is None:
            return "true" # return a no-op shell command, e.g. for root.

        # Exclude world-writeable stuff.
        # '/var/lib/metrics/uma-events' is world-writeable: crbug.com/198054.
        prunelist.append("/encrypted/var/lib/metrics/uma-events")
        # '/run/lock' is world-writeable.
        prunelist.append("/encrypted/var/lock")
        # '/var/log/asan' should be world-writeable: crbug.com/453579
        prunelist.append("/encrypted/var/log/asan")

        # Add system-wide exclusions.
        prunelist.extend(self.systemwide_exclusions())

        cmd = "find STATEFUL_ROOT "
        cmd += self.generate_prune_arguments(prunelist)
        # Note that we don't "prune" all of /var/tmp's contents, just mask
        # the dir itself. Any contents are still interesting.
        cmd += " -path STATEFUL_ROOT/encrypted/var/tmp -o "
        cmd += " -writable -ls -o -user %s -ls 2>/dev/null" % user
        return cmd


    def expected_owners(self):
        """Returns the set of file/directory owners expected in stateful."""
        # In other words, this is basically the users mentioned in
        # tests_byuser, except for any expected to actually own zero files.
        # Currently, there's no exclusions.
        return set(self._masks_byuser.keys())


    def observed_owners(self):
        """Returns the set of file/directory owners present in stateful."""

        cmd = "find STATEFUL_ROOT "
        cmd += self.generate_prune_arguments_android()
        cmd += self.generate_prune_arguments(self.systemwide_exclusions())
        cmd += " -printf '%u\\n' | sort -u"
        return set(self.subst_run(cmd).splitlines())


    def owners_lacking_coverage(self):
        """
        Determines the set of owners not covered by any of the
        per-owner tests implemented in this class. Returns
        a set of usernames (possibly the empty set).
        """
        return self.observed_owners().difference(self.expected_owners())


    def log_owned_files(self, owner):
        """
        Sends information about all files in the stateful partition
        owned by a given owner to the standard logging facility.

        @param owner: paths owned by this user will be reported
        """
        cmd = "find STATEFUL_ROOT -user %s -ls" % owner
        cmd_output = self.subst_run(cmd)
        logging.error(cmd_output)


    def subst_run(self, cmd, stateful_root=_STATEFUL_ROOT):
        """
        Replace "STATEFUL_ROOT" with the actual stateful partition path.

        @param cmd: string containing the command to examine
        @param stateful_root: path used to replace "STATEFUL_ROOT"
        """
        cmd = cmd.replace("STATEFUL_ROOT", stateful_root)
        return utils.system_output(cmd, ignore_status=True)


    def run_once(self):
        """
        Accounts for the contents of the stateful partition
        piece-wise, inspecting the level of access which can
        be obtained by each of the privilege levels (usernames)
        used in CrOS.

        The test passes if each of the owner-specific sub-tests pass,
        and if there are no files unaccounted for (i.e., no unexpected
        file-owners for which we have no tests.)
        """
        testfail = False

        unexpected_owners = self.owners_lacking_coverage()
        if unexpected_owners:
            testfail = True
            for o in unexpected_owners:
                self.log_owned_files(o)

        # Now run the sub-tests.
        for user, mask in self._masks_byuser.items():
            cmd = self.generate_find(user, mask)

            try:
                pwd.getpwnam(user)
            except KeyError, err:
                logging.warning('Skipping missing user: %s', err)
                continue

            # The 'EOF' below helps us distinguish 2 types of failures.
            # We have to use ignore_status=True because many of these
            # find-based tests will exit(nonzero) to signal that they
            # encountered inaccessible directories, which we expect by-design.
            # This creates ambiguity as to whether empty output means
            # the test ran, and passed, or the su failed. Including an
            # expected 'EOF' output disambiguates these cases.
            cmd = "su -s /bin/sh -c '%s;echo EOF' %s" % (cmd, user)
            cmd_output = self.subst_run(cmd)

            if not cmd_output:
                # we never got 'EOF', su failed
                testfail = True
                logging.error("su failed while attempting to run:")
                logging.error(cmd)
                logging.error("[Got %s]", cmd_output)
            elif not re.search("^\s*EOF\s*$", cmd_output):
                # we got test failures before 'EOF'
                testfail = True
                logging.error("Test for '%s' found unexpected files:\n%s",
                              user, cmd_output)

        if testfail:
            raise error.TestFail("Unexpected files/perms in stateful")