xref: /external/autotest/client/site_tests/security_SuidBinaries/security_SuidBinaries.py

# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import logging
import os

from autotest_lib.client.bin import test, utils
from autotest_lib.client.common_lib import error

class security_SuidBinaries(test.test):
    """
    Make sure no surprise binaries become setuid, setgid, or gain filesystem
    capabilities without autotest noticing.
    """
    version = 1

    def load_baseline(self, bltype):
        """
        Load the list of expected files for a given baseline type.
        @param bltype the baseline to load.
        """
        baseline_file = open(os.path.join(self.bindir, 'baseline.' + bltype))
        return set(l.strip() for l in baseline_file)


    def run_once(self, baseline='suid'):
        """
        Do a find on the system for setuid binaries, compare against baseline.
        Fail if setuid binaries are found on the system but not on the baseline.
        """
        exclude = [ '/proc',
                    '/dev',
                    '/sys',
                    '/run',
                    '/usr/local',
                    '/mnt/stateful_partition',
                  ]
        cmd = 'find / '
        for item in exclude:
            cmd += '-wholename %s -prune -o ' % (item)
        cmd += '-type f '

        permmask = {'suid': '4000', 'sgid': '2000'}

        if baseline in permmask:
            cmd += '-a -perm /%s -print' % (permmask[baseline])
        elif baseline == 'fscap':
            cmd += '-exec getcap {} +'
        else:
            raise error.TestFail("Unknown baseline '%s'!" % (baseline))

        cmd_output = utils.system_output(cmd, ignore_status=True)
        observed_set = set(cmd_output.splitlines())
        baseline_set = self.load_baseline(baseline)

        # Report observed set for debugging.
        for line in observed_set:
            logging.debug('%s: %s', baseline, line)

        # Fail if we find new binaries.
        new = observed_set.difference(baseline_set)
        if len(new) > 0:
            message = 'New %s binaries: %s' % (baseline, ', '.join(new))
            raise error.TestFail(message)

        # Log but not fail if we find missing binaries.
        missing = baseline_set.difference(observed_set)
        if len(missing) > 0:
            for filepath in missing:
                logging.error('Missing %s binary: %s', baseline, filepath)
        else:
            logging.debug('OK: %s baseline matches system', baseline)