# Copyright 2018 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

TIME = "SHORT"
AUTHOR = "The Chromium OS Authors"
DOC = """
When mounting a filesystem, Linux provides no way to specify that symlink
traversal should be blocked on the given filesystem. For user-supplied
filesystems in particular (sshfs, external storage media, etc.), we wish to
block symlink traversal to prevent CrOS code (e.g. the Files app) from being
tricked into following unexpected symlinks. We have added functionality to the
chromiumos LSM to enable a "nosymfollow" option, which can be provided as part
of the mount command to ensure the kernel does not allow symlink traversal on
the filesystem. This test does not test the interaction of the chromiumos LSM
code with SELinux code. That is done in
security_NosymfollowMountOption.test_selinux_interaction.
"""
NAME = "security_NosymfollowMountOption.baseline"
PURPOSE = """
Ensure the blocking of symlink traversal on a per-filesystem basis works as
expected.
"""
CRITERIA = """
This autotest ensures that symlink traversal is blocked on filesystems that
were mounted with the "nosymfollow" option, as well as that filesystems
mounted without that option can still traverse symlinks.
"""
ATTRIBUTES = "suite:bvt-perbuild"
TEST_CLASS = "security"
TEST_CATEGORY = "Functional"
TEST_TYPE = "client"
JOB_RETRIES = 2

# Baseline variant: run the nosymfollow checks without the SELinux
# interaction test, which has its own control file (see DOC above).
job.run_test("security_NosymfollowMountOption", test_selinux_interaction=False)