OLD | NEW |
1 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 1 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
2 # Use of this source code is governed by a BSD-style license that can be | 2 # Use of this source code is governed by a BSD-style license that can be |
3 # found in the LICENSE file. | 3 # found in the LICENSE file. |
4 | 4 |
5 import logging | 5 import logging |
6 import os | 6 import os |
7 | 7 |
8 from autotest_lib.client.bin import test, utils | 8 from autotest_lib.client.bin import test, utils |
9 from autotest_lib.client.common_lib import error | 9 from autotest_lib.client.common_lib import error |
10 | 10 |
11 class security_SuidBinaries(test.test): | 11 class security_SuidBinaries(test.test): |
12 version = 1 | 12 version = 1 |
13 | 13 |
14 def load_baseline(self,bltype): | 14 def load_baseline(self,bltype): |
15 baseline_file = open(os.path.join(self.bindir, 'baseline.' + bltype)) | 15 baseline_file = open(os.path.join(self.bindir, 'baseline.' + bltype)) |
16 return set(l.strip() for l in baseline_file) | 16 return set(l.strip() for l in baseline_file) |
17 | 17 |
18 | 18 |
19 def run_once(self, baseline='suid'): | 19 def run_once(self, baseline='suid'): |
20 """ | 20 """ |
21 Do a find on the system for setuid binaries, compare against baseline. | 21 Do a find on the system for setuid binaries, compare against baseline. |
22 Fail if these do not match. | 22 Fail if these do not match. |
23 """ | 23 """ |
24 mask = {'suid': '4000', 'sgid': '2000'} | 24 mask = {'suid': '4000', 'sgid': '2000'} |
25 cmd = ('find / -wholename /proc -prune -o ' | 25 cmd = ('find / -wholename /proc -prune -o ' |
26 ' -wholename /dev -prune -o ' | 26 ' -wholename /dev -prune -o ' |
27 ' -wholename /sys -prune -o ' | 27 ' -wholename /sys -prune -o ' |
28 ' -wholename /home/autotest -prune -o ' | |
29 ' -wholename /usr/local -prune -o ' | 28 ' -wholename /usr/local -prune -o ' |
30 ' -wholename /mnt/stateful_partition -prune -o ' | 29 ' -wholename /mnt/stateful_partition -prune -o ' |
31 '-type f -a -perm /%s -print' | 30 '-type f -a -perm /%s -print' |
32 ) % mask[baseline] | 31 ) % mask[baseline] |
33 cmd_output = utils.system_output(cmd, ignore_status=True) | 32 cmd_output = utils.system_output(cmd, ignore_status=True) |
34 observed_set = set(cmd_output.splitlines()) | 33 observed_set = set(cmd_output.splitlines()) |
35 baseline_set = self.load_baseline(baseline) | 34 baseline_set = self.load_baseline(baseline) |
36 | 35 |
37 # If something in the observed set is not | 36 # If something in the observed set is not |
38 # covered by the baseline... | 37 # covered by the baseline... |
39 diff = observed_set.difference(baseline_set) | 38 diff = observed_set.difference(baseline_set) |
40 if len(diff) > 0: | 39 if len(diff) > 0: |
41 for filepath in diff: | 40 for filepath in diff: |
42 logging.error('Unexpected %s binary: %s' % | 41 logging.error('Unexpected %s binary: %s' % |
43 (baseline, filepath)) | 42 (baseline, filepath)) |
44 | 43 |
45 # Or, things in baseline are missing from the system: | 44 # Or, things in baseline are missing from the system: |
46 diff2 = baseline_set.difference(observed_set) | 45 diff2 = baseline_set.difference(observed_set) |
47 if len(diff2) > 0: | 46 if len(diff2) > 0: |
48 for filepath in diff2: | 47 for filepath in diff2: |
49 logging.error('Missing %s binary: %s' % | 48 logging.error('Missing %s binary: %s' % |
50 (baseline, filepath)) | 49 (baseline, filepath)) |
51 | 50 |
52 if (len(diff) + len(diff2)) > 0: | 51 if (len(diff) + len(diff2)) > 0: |
53 raise error.TestFail('Baseline mismatch') | 52 raise error.TestFail('Baseline mismatch') |
OLD | NEW |