• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
2# Use of this source code is governed by a BSD-style license that can be
3# found in the LICENSE file.
4
5import logging
6import os
7
8from collections import namedtuple
9
10from autotest_lib.client.bin import test, utils
11from autotest_lib.client.common_lib import error
12
13Jail = namedtuple("Jail", "user policy nnp")
14
15class security_Minijail_seccomp(test.test):
16    version = 1
17
18
19    def setup(self):
20        os.chdir(self.srcdir)
21        utils.make('clean')
22        utils.make()
23
24
25    def run_test(self, exe, args, jail, expected_ret, pretty_msg):
26        cmdline = '/sbin/minijail0'
27
28        if jail.user:
29            cmdline += ' -u %s' % jail.user
30
31        if jail.nnp:
32            cmdline += ' -n'
33
34        cmdline += ' -S %s/%s %s/%s' % (self.bindir, jail.policy,
35                                        self.bindir, exe)
36
37        if len(args) > 0:
38            cmdline += ' %s' % ' '.join(args)
39
40        logging.info("Command line: " + cmdline)
41        ret = utils.system(cmdline, ignore_status=True)
42
43        if ret != expected_ret:
44            logging.error("ret: %d, expected: %d" % (ret, expected_ret))
45            raise error.TestFail(pretty_msg)
46
47
48    def run_once(self):
49        privdrop_policy = "policy-privdrop_" + utils.get_arch_userspace()
50
51        case_ok = ("ok", [],
52                   Jail(None, "policy", nnp=False),
53                   0, "Allowed system calls failed")
54        case_block_privdrop = ("ok", [],
55                               Jail("chronos", "policy", nnp=False),
56                               253, "Blocked priv-drop system calls succeeded")
57        case_allow_privdrop = ("ok", [],
58                               Jail("chronos", privdrop_policy, nnp=False),
59                               0, "Allowed system calls failed")
60        case_no_new_privs = ("ok", [],
61                             Jail("chronos", "policy", nnp=True),
62                             0, "Allowed system calls failed")
63        case_fail = ("fail", [],
64                     Jail(None, "policy", nnp=False),
65                     253, "Blocked system calls succeeded")
66
67        case_arg_equals_ok = ("open", ["0"],
68                              Jail(None, "policy-rdonly", nnp=False),
69                              0, "Allowing system calls via args == failed")
70        case_arg_equals_fail = ("open", ["1"],
71                                Jail(None, "policy-rdonly", nnp=False),
72                                253, "Blocking system calls via args == failed")
73        case_arg_flags_ok = ("open", ["1"],
74                             Jail(None, "policy-wronly", nnp=False),
75                             0, "Allowing system calls via args & failed")
76        case_arg_flags_ok = ("open", ["2"],
77                             Jail(None, "policy-wronly", nnp=False),
78                             253, "Blocking system calls via args & failed")
79
80        for case in [case_ok, case_block_privdrop, case_allow_privdrop,
81                     case_no_new_privs, case_fail,
82                     case_arg_equals_ok, case_arg_equals_fail,
83                     case_arg_flags_ok]:
84            self.run_test(*case)
85