1# Copyright (c) 2015 The Chromium OS Authors. All rights reserved.
2# Use of this source code is governed by a BSD-style license that can be
3# found in the LICENSE file.
4
5import logging
6import os
7
8from autotest_lib.client.bin import test, utils
9from autotest_lib.client.common_lib import error
10from autotest_lib.client.cros import kernel_config
11
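class security_AltSyscall(test.test):
    """
    Verify that alt_syscall allows/blocks system calls as expected using
    minijail.

    Each case runs a helper executable built from this test's source
    directory under /sbin/minijail0 with an alt_syscall table selected via
    -a, and compares the exit status with the value expected for that case.
    """
    version = 1

    def initialize(self):
        """
        Declare the gcc requirement for this job; setup() builds the helpers.
        """
        self.job.require_gcc()

    def setup(self):
        """
        Rebuild the helper executables from a clean tree in self.srcdir.
        """
        # NOTE: this changes the working directory of the test process.
        os.chdir(self.srcdir)
        utils.make('clean')
        utils.make()

    def run_test(self, exe, table, expected_ret, pretty_msg):
        """
        Runs a single alt_syscall test case.

        Runs the executable with the specified alt_syscall table using minijail.
        Fails the test if the return value does not match what we expected.

        @param exe Test executable
        @param table Alt_syscall table name
        @param expected_ret Expected return value from the test
        @param pretty_msg Message to display on failure

        @raises error.TestFail if the exit status differs from expected_ret.
        """
        # The command is one interpolated string. exe and table come only
        # from the fixed case list in run_once(); if cases ever become
        # configurable, quote or validate these values before building it.
        cmdline = '/sbin/minijail0 -a %s %s/%s' % (table, self.srcdir, exe)

        # Lazy %-args: the message is only formatted if the record is emitted.
        logging.info("Command line: %s", cmdline)

        # ignore_status=True: a non-zero exit is returned for comparison
        # below instead of being treated as a command error.
        # NOTE(review): the check is on the bare exit status, so a case that
        # expects a non-zero value would also pass if minijail0 itself exited
        # with that same value for an unrelated reason -- confirm the helper
        # exit codes cannot collide with minijail0's own.
        ret = utils.system(cmdline, ignore_status=True)
        if ret == expected_ret:
            return

        logging.error("ret: %d, expected: %d", ret, expected_ret)
        raise error.TestFail(pretty_msg)

    def alt_syscall_supported(self):
        """
        Check that alt_syscall is supported by the kernel.

        @return True if no failures were recorded for ALT_SYSCALL and
                ALT_SYSCALL_CHROMIUMOS, False otherwise.
        """
        config = kernel_config.KernelConfig()
        config.initialize()
        # The return values of is_enabled() are not used; the verdict is read
        # back from config.failures() after both options have been checked.
        for option in ('ALT_SYSCALL', 'ALT_SYSCALL_CHROMIUMOS'):
            config.is_enabled(option)
        return not config.failures()

    def run_once(self):
        """
        Run every alt_syscall case, stopping at the first mismatch.

        @raises error.TestFail if the kernel lacks alt_syscall support or if
                any case returns an unexpected exit status. Cases after the
                first failing one are not run.
        """
        if not self.alt_syscall_supported():
            raise error.TestFail("ALT_SYSCALL not supported")

        # (exe, table, expected exit status, message on mismatch).
        # What each non-zero status means is defined by the helper sources,
        # which are not part of this file.
        cases = (
            # Allowed calls under the read_write_test table must succeed.
            ("read", "read_write_test", 0,
             "Allowed system calls failed"),
            # Calls blocked by the table must not succeed.
            ("mmap", "read_write_test", 2,
             "Blocked system calls succeeded"),
            # A confined process must not be able to change its own table.
            ("alt_syscall", "read_write_test", 1,
             "Changing alt_syscall table succeeded"),
            # Filtering checks against the android table.
            ("adjtimex", "android", 0,
             "android_adjtimex() filtering didn't work."),
            ("clock_adjtime", "android", 0,
             "android_clock_adjtime() filtering didn't work."),
        )

        for exe, table, expected_ret, pretty_msg in cases:
            self.run_test(exe, table, expected_ret, pretty_msg)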