      1 # Copyright (c) 2015 The Chromium OS Authors. All rights reserved.
      2 # Use of this source code is governed by a BSD-style license that can be
      3 # found in the LICENSE file.
      4 
      5 import logging
      6 import os
      7 
      8 from autotest_lib.client.bin import test, utils
      9 from autotest_lib.client.common_lib import error
     10 from autotest_lib.client.cros import kernel_config
     11 
     class security_AltSyscall(test.test):
         """
         Check, via minijail, that alt_syscall tables permit and deny system
         calls as intended.

         Each case starts an executable from this test's source directory under
         /sbin/minijail0 with a named alt_syscall table selected, then compares
         the exit status with the value the case expects.
         """
         version = 1

         def initialize(self):
             """Require gcc on the job before setup() runs make."""
             self.job.require_gcc()

         def setup(self):
             """Run `make clean` followed by `make` inside the source directory."""
             os.chdir(self.srcdir)
             utils.make('clean')
             utils.make()

         def run_test(self, exe, table, expected_ret, pretty_msg):
             """
             Execute one alt_syscall case and fail on an unexpected exit status.

             The executable is started through minijail with the given
             alt_syscall table; its exit status is compared with expected_ret.

             @param exe Name of the test executable inside the source directory
             @param table Name of the alt_syscall table handed to minijail
             @param expected_ret Exit status this case must produce
             @param pretty_msg Message carried by the TestFail on a mismatch
             """
             # NOTE(review): the command is a single interpolated string. If
             # utils.system passes it to a shell (confirm), table, exe and
             # self.srcdir must stay trusted values without whitespace or shell
             # metacharacters. Today they are literals from run_once().
             minijail_args = (table, self.srcdir, exe)
             cmdline = '/sbin/minijail0 -a %s %s/%s' % minijail_args

             logging.info("Command line: " + cmdline)
             # Several cases expect a non-zero exit, so the status is taken as a
             # value and compared here; presumably ignore_status=True is what
             # keeps utils.system from raising on it - confirm.
             status = utils.system(cmdline, ignore_status=True)

             if status == expected_ret:
                 return

             logging.error("ret: %d, expected: %d", status, expected_ret)
             raise error.TestFail(pretty_msg)

         def alt_syscall_supported(self):
             """
             Report whether the kernel configuration enables alt_syscall.

             @return True when checking ALT_SYSCALL and ALT_SYSCALL_CHROMIUMOS
                     leaves no failures recorded on the config object.
             """
             kconfig = kernel_config.KernelConfig()
             kconfig.initialize()
             # The return values of is_enabled() are not used; the verdict is
             # read from failures() afterwards. Presumably is_enabled() records
             # a failure for an option that is off - verify in kernel_config.
             for option in ('ALT_SYSCALL', 'ALT_SYSCALL_CHROMIUMOS'):
                 kconfig.is_enabled(option)
             problems = kconfig.failures()
             return len(problems) == 0

         def run_once(self):
             """
             Run every alt_syscall case in order, stopping at the first failure.

             A kernel without alt_syscall support is reported as a test failure,
             not as a skipped test.
             """
             if not self.alt_syscall_supported():
                 raise error.TestFail("ALT_SYSCALL not supported")

             # Each entry is (exe, table, expected_ret, pretty_msg), the argument
             # order of run_test(). The expected exit codes (0, 2, 1) are defined
             # by the test executables, which are not part of this file.
             cases = (
                 ("read", "read_write_test", 0,
                  "Allowed system calls failed"),
                 ("mmap", "read_write_test", 2,
                  "Blocked system calls succeeded"),
                 ("alt_syscall", "read_write_test", 1,
                  "Changing alt_syscall table succeeded"),
                 ("adjtimex", "android", 0,
                  "android_adjtimex() filtering didn't work."),
                 ("clock_adjtime", "android", 0,
                  "android_clock_adjtime() filtering didn't work."),
             )

             for exe, table, expected_ret, pretty_msg in cases:
                 self.run_test(exe, table, expected_ret, pretty_msg)