# Copyright 2018 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Control file for the "baseline" variant of security_NosymfollowMountOption.
# It only declares metadata and starts the test; the test logic is elsewhere.

# --- Identity ---------------------------------------------------------------
NAME = "security_NosymfollowMountOption.baseline"
AUTHOR = "The Chromium OS Authors"

# --- What is being checked, and why ------------------------------------------
PURPOSE = """
Ensure the blocking of symlink traversal on a per-filesystem basis works as
expected.
"""
# Both directions are part of the pass criteria: traversal must be refused on
# a "nosymfollow" mount, and must still work on a mount without the option.
CRITERIA = """
This autotest ensures that symlink traversal is blocked on filesystems that
were mounted with the "nosymfollow" option, as well as that filesystems
mounted without that option can still traverse symlinks.
"""
DOC = """
When mounting a filesystem, Linux provides no way to specify that symlink
traversal should be blocked on the given filesystem. For user-supplied
filesystems in particular (sshfs, external storage media, etc.), we wish to
block symlink traversal to prevent CrOS code (e.g. the Files app) from being
tricked into following unexpected symlinks. We have added functionality to the
chromiumos LSM to enable a "nosymfollow" option, which can be provided as part
of the mount command to ensure the kernel does not allow symlink traversal on
the filesystem. This test does not test the interaction of the chromiumos LSM
code with SELinux code. That is done in
security_NosymfollowMountOption.test_selinux_interaction
"""

# --- Classification and scheduling -------------------------------------------
TEST_CLASS = "security"
TEST_CATEGORY = "Functional"
TEST_TYPE = "client"
TIME = "SHORT"
ATTRIBUTES = "suite:bvt-perbuild"
# NOTE(review): with retries enabled, a run that fails once and then passes
# may end up recorded as a pass. For an enforcement check like this one, an
# intermittent failure is itself worth investigating. Confirm the retry count
# is intentional and that retried runs remain visible in the results.
JOB_RETRIES = 2

# `job` is not defined in this file; it is expected to be provided by the
# harness that executes the control file.
# test_selinux_interaction=False selects the baseline check only. Per DOC, the
# LSM/SELinux interaction is covered separately by
# security_NosymfollowMountOption.test_selinux_interaction.
job.run_test("security_NosymfollowMountOption", test_selinux_interaction=False)