Home | History | Annotate | Download | only in security_Minijail_seccomp 
      1 # Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
      2 # Use of this source code is governed by a BSD-style license that can be
      3 # found in the LICENSE file.
      4 
      5 import logging
      6 import os
      7 
      8 from collections import namedtuple
      9 
     10 from autotest_lib.client.bin import test, utils
     11 from autotest_lib.client.common_lib import error
     12 
     13 Jail = namedtuple("Jail", "user policy nnp")
     14 
     15 class security_Minijail_seccomp(test.test):
     16     version = 1
     17 
     18 
     19     def setup(self):
     20         os.chdir(self.srcdir)
     21         utils.make('clean')
     22         utils.make()
     23 
     24 
     25     def run_test(self, exe, args, jail, expected_ret, pretty_msg):
     26         cmdline = '/sbin/minijail0'
     27 
     28         if jail.user:
     29             cmdline += ' -u %s' % jail.user
     30 
     31         if jail.nnp:
     32             cmdline += ' -n'
     33 
     34         cmdline += ' -S %s/%s %s/%s' % (self.bindir, jail.policy,
     35                                         self.bindir, exe)
     36 
     37         if len(args) > 0:
     38             cmdline += ' %s' % ' '.join(args)
     39 
     40         logging.info("Command line: " + cmdline)
     41         ret = utils.system(cmdline, ignore_status=True)
     42 
     43         if ret != expected_ret:
     44             logging.error("ret: %d, expected: %d" % (ret, expected_ret))
     45             raise error.TestFail(pretty_msg)
     46 
     47 
     48     def run_once(self):
     49         privdrop_policy = "policy-privdrop_" + utils.get_arch_userspace()
     50 
     51         case_ok = ("ok", [],
     52                    Jail(None, "policy", nnp=False),
     53                    0, "Allowed system calls failed")
     54         case_block_privdrop = ("ok", [],
     55                                Jail("chronos", "policy", nnp=False),
     56                                253, "Blocked priv-drop system calls succeeded")
     57         case_allow_privdrop = ("ok", [],
     58                                Jail("chronos", privdrop_policy, nnp=False),
     59                                0, "Allowed system calls failed")
     60         case_no_new_privs = ("ok", [],
     61                              Jail("chronos", "policy", nnp=True),
     62                              0, "Allowed system calls failed")
     63         case_fail = ("fail", [],
     64                      Jail(None, "policy", nnp=False),
     65                      253, "Blocked system calls succeeded")
     66 
     67         case_arg_equals_ok = ("open", ["0"],
     68                               Jail(None, "policy-rdonly", nnp=False),
     69                               0, "Allowing system calls via args == failed")
     70         case_arg_equals_fail = ("open", ["1"],
     71                                 Jail(None, "policy-rdonly", nnp=False),
     72                                 253, "Blocking system calls via args == failed")
     73         case_arg_flags_ok = ("open", ["1"],
     74                              Jail(None, "policy-wronly", nnp=False),
     75                              0, "Allowing system calls via args & failed")
     76         case_arg_flags_ok = ("open", ["2"],
     77                              Jail(None, "policy-wronly", nnp=False),
     78                              253, "Blocking system calls via args & failed")
     79 
     80         for case in [case_ok, case_block_privdrop, case_allow_privdrop,
     81                      case_no_new_privs, case_fail,
     82                      case_arg_equals_ok, case_arg_equals_fail,
     83                      case_arg_flags_ok]:
     84             self.run_test(*case)
     85