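# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import logging
import os

from autotest_lib.client.bin import test, utils
from autotest_lib.client.common_lib import error


class security_CroshModules(test.test):
    """Make sure no surprise crosh modules end up installed.

    The test lists every regular file under the crosh module directories
    and fails when a file is present that the baseline shipped next to the
    test does not permit.
    """

    version = 1
    # Root of the crosh installation; MODULE_DIRS are searched relative to it.
    CROSH_DIR = '/usr/share/crosh'
    MODULE_DIRS = ('dev.d', 'extra.d', 'removable.d')

    def load_whitelist(self):
        """Load the list of permitted files.

        Reads the 'whitelist' file in self.bindir. Each line is stripped of
        surrounding whitespace first; blank lines and lines starting with
        '#' are then skipped. Stripping before filtering keeps a blank line
        from adding an empty entry to the baseline and lets an indented
        '#' line count as a comment.

        @return set of permitted paths, in the same form `find` prints them
                in run_once (relative to CROSH_DIR).
        """
        with open(os.path.join(self.bindir, 'whitelist')) as fp:
            entries = (line.strip() for line in fp)
            return set(entry for entry in entries
                       if entry and not entry.startswith('#'))


    def run_once(self):
        """
        Do a find on the system for crosh modules and compare against whitelist.
        Fail if unknown modules are found on the system.

        Only files that are on the system but missing from the whitelist are
        reported; whitelist entries that are absent from the system are not.

        @raises error.TestFail if a module file is not in the whitelist.
        """
        # The command is assembled from class constants only, so no
        # externally supplied text reaches the shell.
        cmd = 'cd %s && find %s -type f' % (
                self.CROSH_DIR, ' '.join(self.MODULE_DIRS))
        # NOTE(review): with ignore_status=True a failing `cd` or `find` is
        # not reported, so an empty listing passes the check (fails open).
        # Presumably this is here because not every MODULE_DIRS entry exists
        # on every image -- confirm, and consider failing when CROSH_DIR
        # itself cannot be listed.
        cmd_output = utils.system_output(cmd, ignore_status=True)
        observed_set = set(cmd_output.splitlines())
        baseline_set = self.load_whitelist()

        # Report observed set for debugging (sorted for stable logs).
        for line in sorted(observed_set):
            logging.debug('%s: %s', self.CROSH_DIR, line)

        # Fail if we find new modules; sort so the message is deterministic.
        new = observed_set - baseline_set
        if new:
            raise error.TestFail('New modules: %s' % (', '.join(sorted(new)),))
        logging.debug('OK: whitelist matches system')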