diff options
author | takeshi_hoshina <takeshi_hoshina@mail.toyota.co.jp> | 2020-11-02 11:07:33 +0900 |
---|---|---|
committer | takeshi_hoshina <takeshi_hoshina@mail.toyota.co.jp> | 2020-11-02 11:07:33 +0900 |
commit | 1c7d6584a7811b7785ae5c1e378f14b5ba0971cf (patch) | |
tree | cd70a267a5ef105ba32f200aa088e281fbd85747 /external/meta-security/lib/oeqa | |
parent | 4204309872da5cb401cbb2729d9e2d4869a87f42 (diff) |
basesystem-jjsandbox/ToshikazuOhiwa/master-jj
recipes
Diffstat (limited to 'external/meta-security/lib/oeqa')
9 files changed, 907 insertions, 0 deletions
diff --git a/external/meta-security/lib/oeqa/runtime/cases/apparmor.py b/external/meta-security/lib/oeqa/runtime/cases/apparmor.py new file mode 100644 index 00000000..b6a9537e --- /dev/null +++ b/external/meta-security/lib/oeqa/runtime/cases/apparmor.py @@ -0,0 +1,46 @@ +# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com> +# +import re + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage + + +class ApparmorTest(OERuntimeTestCase): + + @OEHasPackage(['apparmor']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_apparmor_help(self): + status, output = self.target.run('aa-status --help') + msg = ('apparmor command does not work as expected. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['apparmor.ApparmorTest.test_apparmor_help']) + def test_apparmor_aa_status(self): + status, output = self.target.run('aa-status') + match = re.search('apparmor module is loaded.', output) + if not match: + msg = ('aa-status failed. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['apparmor.ApparmorTest.test_apparmor_aa_status']) + def test_apparmor_aa_complain(self): + status, output = self.target.run('aa-complain /etc/apparmor.d/*') + match = re.search('apparmor module is loaded.', output) + if not match: + msg = ('aa-complain failed. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['apparmor.ApparmorTest.test_apparmor_aa_complain']) + def test_apparmor_aa_enforce(self): + status, output = self.target.run('aa-enforce /etc/apparmor.d/*') + match = re.search('apparmor module is loaded.', output) + if not match: + msg = ('aa-enforce failed. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + diff --git a/external/meta-security/lib/oeqa/runtime/cases/checksec.py b/external/meta-security/lib/oeqa/runtime/cases/checksec.py new file mode 100644 index 00000000..e46744c6 --- /dev/null +++ b/external/meta-security/lib/oeqa/runtime/cases/checksec.py @@ -0,0 +1,34 @@ +# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com> +# +import re + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage + + +class CheckSecTest(OERuntimeTestCase): + + @OEHasPackage(['checksec']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_checksec_help(self): + status, output = self.target.run('checksec --help ') + msg = ('checksec command does not work as expected. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['checksec.CheckSecTest.test_checksec_help']) + def test_checksec_xml(self): + status, output = self.target.run('checksec --format xml --proc-all') + msg = ('checksec xml failed. Output: %s' % output) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['checksec.CheckSecTest.test_checksec_xml']) + @OEHasPackage(['binutils']) + def test_checksec_fortify(self): + status, output = self.target.run('checksec --fortify-proc 1') + match = re.search('FORTIFY_SOURCE support:', output) + if not match: + msg = ('checksec : fortify-proc failed. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 1, msg = msg) diff --git a/external/meta-security/lib/oeqa/runtime/cases/clamav.py b/external/meta-security/lib/oeqa/runtime/cases/clamav.py new file mode 100644 index 00000000..cf839373 --- /dev/null +++ b/external/meta-security/lib/oeqa/runtime/cases/clamav.py @@ -0,0 +1,68 @@ +# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com> +# +import re +from tempfile import mkstemp + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage + + +class ClamavTest(OERuntimeTestCase): + + @classmethod + def setUpClass(cls): + cls.tmp_fd, cls.tmp_path = mkstemp() + with os.fdopen(cls.tmp_fd, 'w') as f: + # use gooled public dns + f.write("nameserver 8.8.8.8") + f.write(os.linesep) + f.write("nameserver 8.8.4.4") + f.write(os.linesep) + f.write("nameserver 127.0.0.1") + f.write(os.linesep) + + @classmethod + def tearDownClass(cls): + os.remove(cls.tmp_path) + + @OEHasPackage(['clamav']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_freshclam_help(self): + status, output = self.target.run('freshclam --help ') + msg = ('freshclam --hlep command does not work as expected. ', + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['clamav.ClamavTest.test_freshclam_help']) + @OEHasPackage(['openssh-scp', 'dropbear']) + def test_ping_clamav_net(self): + dst = '/etc/resolv.conf' + self.tc.target.run('rm -f %s' % dst) + (status, output) = self.tc.target.copyTo(self.tmp_path, dst) + msg = 'File could not be copied. Output: %s' % output + self.assertEqual(status, 0, msg=msg) + + status, output = self.target.run('ping -c 1 database.clamav.net') + msg = ('ping database.clamav.net failed: output is:\n%s' % output) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['clamav.ClamavTest.test_ping_clamav_net']) + def test_freshclam_check_mirrors(self): + status, output = self.target.run('freshclam --list-mirrors') + match = re.search('Failures: 0', output) + if not match: + msg = ('freshclam --list-mirrors: failed. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 1, msg = msg) + + @OETestDepends(['clamav.ClamavTest.test_freshclam_check_mirrors']) + def test_freshclam_download(self): + status, output = self.target.run('freshclam --show-progress') + match = re.search('Database updated', output) + #match = re.search('main.cvd is up to date', output) + if not match: + msg = ('freshclam : DB dowbload failed. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 1, msg = msg) + diff --git a/external/meta-security/lib/oeqa/runtime/cases/samhain.py b/external/meta-security/lib/oeqa/runtime/cases/samhain.py new file mode 100644 index 00000000..5043a38c --- /dev/null +++ b/external/meta-security/lib/oeqa/runtime/cases/samhain.py @@ -0,0 +1,43 @@ +# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com> +# +import re +import os + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage + + +class SamhainTest(OERuntimeTestCase): + + @OEHasPackage(['samhain-standalone']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_samhain_help(self): + machine = self.td.get('MACHINE', '') + status, output = self.target.run('echo "127.0.0.1 %s.localdomain %s" >> /etc/hosts' % (machine, machine)) + msg = ("samhain can't append hosts. " + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + status, output = self.target.run('samhain --help') + msg = ('samhain command does not work as expected. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['samhain.SamhainTest.test_samhain_help']) + def test_samhain_init_db(self): + status, output = self.target.run('samhain -t init') + match = re.search('FAILED: 0 ', output) + if not match: + msg = ('samhain database init had an unexpected failure. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['samhain.SamhainTest.test_samhain_init_db']) + def test_samhain_db_check(self): + status, output = self.target.run('samhain -t check') + match = re.search('FAILED: 0 ', output) + if not match: + msg = ('samhain errors found in db. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) diff --git a/external/meta-security/lib/oeqa/runtime/cases/smack.py b/external/meta-security/lib/oeqa/runtime/cases/smack.py new file mode 100644 index 00000000..35e87ef3 --- /dev/null +++ b/external/meta-security/lib/oeqa/runtime/cases/smack.py @@ -0,0 +1,529 @@ +import unittest +import re +import os +import string +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage +from oeqa.core.decorator.data import skipIfNotFeature + +MAX_LABEL_LEN = 255 +LABEL = "a" * MAX_LABEL_LEN + +class SmackBasicTest(OERuntimeTestCase): + ''' base smack test ''' + + @classmethod + def setUpClass(cls): + cls.smack_path = "" + cls.current_label = "" + cls.uid = 1000 + + @skipIfNotFeature('smack', + 'Test requires smack to be in DISTRO_FEATURES') + @OEHasPackage(['smack-test']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_smack_basic(self): + status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'") + self.smack_path = output + status,output = self.target.run("cat /proc/self/attr/current") + self.current_label = output.strip() + +class SmackAccessLabel(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_add_access_label(self): + ''' Test if chsmack can correctly set a SMACK label ''' + filename = "/tmp/test_access_label" + self.target.run("touch %s" %filename) + status, output = self.target.run("chsmack -a %s %s" %(LABEL, filename)) + self.assertEqual( + status, 0, + "Cannot set smack access label. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %filename) + self.target.run("rm %s" %filename) + m = re.search('(?<=access=")\S+(?=")', output) + if m is None: + self.fail("Did not find access attribute") + else: + label_retrieved = m .group(0) + self.assertEqual( + LABEL, label_retrieved, + "label not set correctly. expected and gotten: " + "%s %s" %(LABEL,label_retrieved)) + + +class SmackExecLabel(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_add_exec_label(self): + '''Test if chsmack can correctly set a SMACK Exec label''' + filename = "/tmp/test_exec_label" + self.target.run("touch %s" %filename) + status, output = self.target.run("chsmack -e %s %s" %(LABEL, filename)) + self.assertEqual( + status, 0, + "Cannot set smack exec label. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %filename) + self.target.run("rm %s" %filename) + m= re.search('(?<=execute=")\S+(?=")', output) + if m is None: + self.fail("Did not find execute attribute") + else: + label_retrieved = m.group(0) + self.assertEqual( + LABEL, label_retrieved, + "label not set correctly. expected and gotten: " + + "%s %s" %(LABEL,label_retrieved)) + + +class SmackMmapLabel(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_add_mmap_label(self): + '''Test if chsmack can correctly set a SMACK mmap label''' + filename = "/tmp/test_exec_label" + self.target.run("touch %s" %filename) + status, output = self.target.run("chsmack -m %s %s" %(LABEL, filename)) + self.assertEqual( + status, 0, + "Cannot set smack mmap label. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %filename) + self.target.run("rm %s" %filename) + m = re.search('(?<=mmap=")\S+(?=")', output) + if m is None: + self.fail("Did not find mmap attribute") + else: + label_retrieved = m.group(0) + self.assertEqual( + LABEL, label_retrieved, + "label not set correctly. expected and gotten: " + + "%s %s" %(LABEL,label_retrieved)) + + +class SmackTransmutable(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_add_transmutable(self): + '''Test if chsmack can correctly set a SMACK transmutable mode''' + + directory = "~/test_transmutable" + self.target.run("mkdir -p %s" %directory) + status, output = self.target.run("chsmack -t %s" %directory) + self.assertEqual(status, 0, "Cannot set smack transmutable. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %directory) + self.target.run("rmdir %s" %directory) + m = re.search('(?<=transmute=")\S+(?=")', output) + if m is None: + self.fail("Did not find transmute attribute") + else: + label_retrieved = m.group(0) + self.assertEqual( + "TRUE", label_retrieved, + "label not set correctly. expected and gotten: " + + "%s %s" %(LABEL,label_retrieved)) + + +class SmackChangeSelfLabelPrivilege(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_privileged_change_self_label(self): + '''Test if privileged process (with CAP_MAC_ADMIN privilege) + can change its label. + ''' + + labelf = "/proc/self/attr/current" + command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf) + + status, output = self.target.run( + "notroot.py 0 %s %s" %(self.current_label, command)) + + self.assertIn("PRIVILEGED", output, + "Privilege process did not change label.Output: %s" %output) + +class SmackChangeSelfLabelUnprivilege(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_unprivileged_change_self_label(self): + '''Test if unprivileged process (without CAP_MAC_ADMIN privilege) + cannot change its label''' + + command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL + status, output = self.target.run( + "notroot.py %d %s %s" + %(self.uid, self.current_label, command) + + " 2>&1 | grep 'Operation not permitted'" ) + + self.assertEqual( + status, 0, + "Unprivileged process should not be able to change its label") + + +class SmackChangeFileLabelPrivilege(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_unprivileged_change_file_label(self): + '''Test if unprivileged process cannot change file labels''' + + status, chsmack = self.target.run("which chsmack") + status, touch = self.target.run("which touch") + filename = "/tmp/test_unprivileged_change_file_label" + + self.target.run("touch %s" % filename) + self.target.run("notroot.py %d %s" %(self.uid, self.current_label)) + status, output = self.target.run( + "notroot.py " + + "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) + + "| grep 'Operation not permitted'" ) + + self.target.run("rm %s" % filename) + self.assertEqual( status, 0, "Unprivileged process changed label for %s" %filename) + +class SmackLoadRule(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_load_smack_rule(self): + '''Test if new smack access rules can be loaded''' + + # old 23 character format requires special spaces formatting + # 12345678901234567890123456789012345678901234567890123 + ruleA="TheOne TheOther rwxat" + ruleB="TheOne TheOther r----" + clean="TheOne TheOther -----" + modeA = "rwxat" + modeB = "r" + + status, output = self.target.run('echo -n "%s" > %s/load' %(ruleA, self.smack_path)) + status, output = self.target.run( 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path) + self.assertEqual(status, 0, "Rule A was not added") + mode = list(filter(bool, output.split(" ")))[2].strip() + self.assertEqual( mode, modeA, "Mode A was not set correctly; mode: %s" %mode) + + status, output = self.target.run( 'echo -n "%s" > %s/load' %(ruleB, self.smack_path)) + status, output = self.target.run( 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path) + mode = list(filter(bool, output.split(" ")))[2].strip() + self.assertEqual( mode, modeB, "Mode B was not set correctly; mode: %s" %mode) + + self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path)) + + +class SmackOnlycap(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_onlycap(self): + '''Test if smack onlycap label can be set + + test needs to change the running label of the current process, + so whole test takes places on image + ''' + status, output = self.target.run("sh /usr/sbin/test_smack_onlycap.sh") + self.assertEqual(status, 0, output) + +class SmackNetlabel(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_netlabel(self): + + test_label="191.191.191.191 TheOne" + expected_label="191.191.191.191/32 TheOne" + + status, output = self.target.run( "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path)) + self.assertEqual( status, 0, "Netlabel /32 could not be set. Output: %s" %output) + + status, output = self.target.run("cat %s/netlabel" %self.smack_path) + self.assertIn( expected_label, output, "Did not find expected label in output: %s" %output) + + test_label="253.253.253.0/24 TheOther" + status, output = self.target.run( "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path)) + self.assertEqual( status, 0, "Netlabel /24 could not be set. Output: %s" %output) + + status, output = self.target.run("cat %s/netlabel" %self.smack_path) + self.assertIn( + test_label, output, + "Did not find expected label in output: %s" %output) + +class SmackCipso(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_cipso(self): + '''Test if smack cipso rules can be set''' + # 12345678901234567890123456789012345678901234567890123456 + ruleA="TheOneA 2 0 " + ruleB="TheOneB 3 1 55 " + ruleC="TheOneC 4 2 17 33 " + + status, output = self.target.run( + "echo -n '%s' > %s/cipso" %(ruleA, self.smack_path)) + self.assertEqual(status, 0, + "Could not set cipso label A. Ouput: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep '^TheOneA'" %self.smack_path) + self.assertEqual(status, 0, "Cipso rule A was not set") + self.assertIn(" 2", output, "Rule A was not set correctly") + + status, output = self.target.run( + "echo -n '%s' > %s/cipso" %(ruleB, self.smack_path)) + self.assertEqual(status, 0, + "Could not set cipso label B. Ouput: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep '^TheOneB'" %self.smack_path) + self.assertEqual(status, 0, "Cipso rule B was not set") + self.assertIn("/55", output, "Rule B was not set correctly") + + status, output = self.target.run( + "echo -n '%s' > %s/cipso" %(ruleC, self.smack_path)) + self.assertEqual( + status, 0, + "Could not set cipso label C. Ouput: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep '^TheOneC'" %self.smack_path) + self.assertEqual(status, 0, "Cipso rule C was not set") + self.assertIn("/17,33", output, "Rule C was not set correctly") + +class SmackDirect(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_direct(self): + status, initial_direct = self.target.run( + "cat %s/direct" %self.smack_path) + + test_direct="17" + status, output = self.target.run( + "echo '%s' > %s/direct" %(test_direct, self.smack_path)) + self.assertEqual(status, 0 , + "Could not set smack direct. Output: %s" %output) + status, new_direct = self.target.run("cat %s/direct" %self.smack_path) + # initial label before checking + status, output = self.target.run( + "echo '%s' > %s/direct" %(initial_direct, self.smack_path)) + self.assertEqual( + test_direct, new_direct.strip(), + "Smack direct label does not match.") + + +class SmackAmbient(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_ambient(self): + test_ambient = "test_ambient" + status, initial_ambient = self.target.run("cat %s/ambient" %self.smack_path) + status, output = self.target.run( + "echo '%s' > %s/ambient" %(test_ambient, self.smack_path)) + self.assertEqual(status, 0, + "Could not set smack ambient. Output: %s" %output) + + status, output = self.target.run("cat %s/ambient" %self.smack_path) + # Filter '\x00', which is sometimes added to the ambient label + new_ambient = ''.join(filter(lambda x: x in string.printable, output)) + initial_ambient = ''.join(filter(lambda x: x in string.printable, initial_ambient)) + status, output = self.target.run( + "echo '%s' > %s/ambient" %(initial_ambient, self.smack_path)) + self.assertEqual( + test_ambient, new_ambient.strip(), + "Ambient label does not match") + + +class SmackloadBinary(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smackload(self): + '''Test if smackload command works''' + rule="testobject testsubject rwx" + + status, output = self.target.run("echo -n '%s' > /tmp/rules" %rule) + status, output = self.target.run("smackload /tmp/rules") + self.assertEqual( status, 0, "Smackload failed to load rule. Output: %s" %output) + + status, output = self.target.run( "cat %s/load | grep '%s'" %(self.smack_path, rule)) + self.assertEqual(status, 0, "Smackload rule was loaded correctly") + + +class SmackcipsoBinary(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smackcipso(self): + '''Test if smackcipso command works''' + # 12345678901234567890123456789012345678901234567890123456 + rule="cipsolabel 2 2 " + + status, output = self.target.run("echo '%s' | smackcipso" %rule) + self.assertEqual( status, 0, "Smackcipso failed to load rule. Output: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep 'cipsolabel'" %self.smack_path) + self.assertEqual(status, 0, "smackcipso rule was loaded correctly") + self.assertIn( "2/2", output, "Rule was not set correctly. Got: %s" %output) + + +class SmackEnforceFileAccess(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_enforce_file_access(self): + '''Test if smack file access is enforced (rwx) + + test needs to change the running label of the current process, + so whole test takes places on image + ''' + status, output = self.target.run("sh /usr/sbin/smack_test_file_access.sh") + self.assertEqual(status, 0, output) + + +class SmackEnforceMmap(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_mmap_enforced(self): + '''Test if smack mmap access is enforced''' + raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.") + + # 12345678901234567890123456789012345678901234567890123456 + delr1="mmap_label mmap_test_label1 -----" + delr2="mmap_label mmap_test_label2 -----" + delr3="mmap_file_label mmap_test_label1 -----" + delr4="mmap_file_label mmap_test_label2 -----" + + RuleA="mmap_label mmap_test_label1 rw---" + RuleB="mmap_label mmap_test_label2 r--at" + RuleC="mmap_file_label mmap_test_label1 rw---" + RuleD="mmap_file_label mmap_test_label2 rwxat" + + mmap_label="mmap_label" + file_label="mmap_file_label" + test_file = "/usr/sbin/smack_test_mmap" + mmap_exe = "/tmp/mmap_test" + status, echo = self.target.run("which echo") + status, output = self.target.run( + "notroot.py %d %s %s 'test' > %s" \ + %(self.uid, self.current_label, echo, test_file)) + status, output = self.target.run("ls %s" %test_file) + self.assertEqual(status, 0, "Could not create mmap test file") + self.target.run("chsmack -m %s %s" %(file_label, test_file)) + self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe)) + + # test with no rules with mmap label or exec label as subject + # access should be granted + self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path)) + status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) + self.assertEqual( + status, 0, + "Should have mmap access without rules. Output: %s" %output) + + # add rules that do not match access required + self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path)) + status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) + self.assertNotEqual( + status, 0, + "Should not have mmap access with unmatching rules. " + + "Output: %s" %output) + self.assertIn( + "Permission denied", output, + "Mmap access should be denied with unmatching rules") + + # add rule to match only partially (one way) + self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path)) + status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) + self.assertNotEqual( + status, 0, + "Should not have mmap access with partial matching rules. " + + "Output: %s" %output) + self.assertIn( + "Permission denied", output, + "Mmap access should be denied with partial matching rules") + + # add rule to match fully + self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path)) + status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) + self.assertEqual( + status, 0, + "Should have mmap access with full matching rules." + + "Output: %s" %output) + + +class SmackEnforceTransmutable(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_transmute_dir(self): + '''Test if smack transmute attribute works + + test needs to change the running label of the current process, + so whole test takes places on image + ''' + test_dir = "/tmp/smack_transmute_dir" + label="transmute_label" + status, initial_label = self.target.run("cat /proc/self/attr/current") + + self.target.run("mkdir -p %s" % test_dir) + self.target.run("chsmack -a %s %s" % (label, test_dir)) + self.target.run("chsmack -t %s" % test_dir) + self.target.run("echo -n '%s %s rwxat' | smackload" %(initial_label, label) ) + + self.target.run("touch %s/test" % test_dir) + status, output = self.target.run("chsmack %s/test" % test_dir) + self.assertIn( 'access="%s"' %label, output, + "Did not get expected label. Output: %s" % output) + + +class SmackTcpSockets(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_tcp_sockets(self): + '''Test if smack is enforced on tcp sockets + + whole test takes places on image, depends on tcp_server/tcp_client''' + + status, output = self.target.run("sh /usr/sbin/test_smack_tcp_sockets.sh") + self.assertEqual(status, 0, output) + + +class SmackUdpSockets(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_udp_sockets(self): + '''Test if smack is enforced on udp sockets + + whole test takes places on image, depends on udp_server/udp_client''' + + status, output = self.target.run("sh /usr/sbin/test_smack_udp_sockets.sh") + self.assertEqual(status, 0, output) + + +class SmackFileLabels(SmackBasicTest): + + @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) + def test_smack_labels(self): + '''Check for correct Smack labels.''' + expected = ''' +/tmp/ access="*" +/etc/ access="System::Shared" transmute="TRUE" +/etc/passwd access="System::Shared" +/etc/terminfo access="System::Shared" transmute="TRUE" +/etc/skel/ access="System::Shared" transmute="TRUE" +/etc/skel/.profile access="System::Shared" +/var/log/ access="System::Log" transmute="TRUE" +/var/tmp/ access="*" +''' + files = ' '.join([x.split()[0] for x in expected.split('\n') if x]) + files_wildcard = ' '.join([x + '/*' for x in files.split()]) + # Auxiliary information. + status, output = self.target.run( + 'set -x; mount; ls -l -d %s; find %s | xargs ls -d -l; find %s | xargs chsmack' % ( + ' '.join([x.rstrip('/') for x in files.split()]), files, files + ) + ) + msg = "File status:\n" + output + status, output = self.target.run('chsmack %s' % files) + self.assertEqual( + status, 0, msg="status and output: %s and %s\n%s" % (status,output, msg)) + self.longMessage = True + self.maxDiff = None + self.assertEqual(output.strip().split('\n'), expected.strip().split('\n'), msg=msg) diff --git a/external/meta-security/lib/oeqa/runtime/cases/sssd.py b/external/meta-security/lib/oeqa/runtime/cases/sssd.py new file mode 100644 index 00000000..46448362 --- /dev/null +++ b/external/meta-security/lib/oeqa/runtime/cases/sssd.py @@ -0,0 +1,37 @@ +# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com> +# +import re + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage + + +class SSSDTest(OERuntimeTestCase): + + @OEHasPackage(['sssd']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_sssd_help(self): + status, output = self.target.run('sssctl --help') + msg = ('sssctl command does not work as expected. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 1, msg = msg) + + @OETestDepends(['sssd.SSSDTest.test_sssd_help']) + def test_sssd_sssctl_conf_perms_chk(self): + status, output = self.target.run('sssctl domain-status') + match = re.search('ConfDB initialization has failed', output) + if match: + msg = ('sssctl domain-status failed, check sssd.conf perms. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['sssd.SSSDTest.test_sssd_sssctl_conf_perms_chk']) + def test_sssd_sssctl_deamon(self): + status, output = self.target.run('sssctl domain-status') + match = re.search('No domains configured, fatal error!', output) + if match: + msg = ('sssctl domain-status failed, sssd.conf not setup correctly. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + diff --git a/external/meta-security/lib/oeqa/runtime/cases/suricata.py b/external/meta-security/lib/oeqa/runtime/cases/suricata.py new file mode 100644 index 00000000..7f052ecd --- /dev/null +++ b/external/meta-security/lib/oeqa/runtime/cases/suricata.py @@ -0,0 +1,76 @@ +# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com> +# +import re +from tempfile import mkstemp + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage + + +class SuricataTest(OERuntimeTestCase): + + @classmethod + def setUpClass(cls): + cls.tmp_fd, cls.tmp_path = mkstemp() + with os.fdopen(cls.tmp_fd, 'w') as f: + # use google public dns + f.write("nameserver 8.8.8.8") + f.write(os.linesep) + f.write("nameserver 8.8.4.4") + f.write(os.linesep) + f.write("nameserver 127.0.0.1") + f.write(os.linesep) + + @classmethod + def tearDownClass(cls): + os.remove(cls.tmp_path) + + @OEHasPackage(['suricata']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_suricata_help(self): + status, output = self.target.run('suricata --help') + msg = ('suricata command does not work as expected. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 1, msg = msg) + + @OETestDepends(['suricata.SuricataTest.test_suricata_help']) + def test_ping_openinfosecfoundation_org(self): + dst = '/etc/resolv.conf' + self.tc.target.run('rm -f %s' % dst) + (status, output) = self.tc.target.copyTo(self.tmp_path, dst) + msg = 'File could not be copied. Output: %s' % output + self.assertEqual(status, 0, msg=msg) + + status, output = self.target.run('ping -c 1 openinfosecfoundation.org') + msg = ('ping openinfosecfoundation.org failed: output is:\n%s' % output) + self.assertEqual(status, 0, msg = msg) + + @OEHasPackage(['python3-suricata-update']) + @OETestDepends(['suricata.SuricataTest.test_ping_openinfosecfoundation_org']) + def test_suricata_update(self): + status, output = self.tc.target.run('suricata-update') + msg = ('suricata-update had an unexpected failure. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['suricata.SuricataTest.test_suricata_update']) + def test_suricata_update_sources_list(self): + status, output = self.tc.target.run('suricata-update list-sources') + msg = ('suricata-update list-sources had an unexpected failure. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['suricata.SuricataTest.test_suricata_update_sources_list']) + def test_suricata_update_sources(self): + status, output = self.tc.target.run('suricata-update update-sources') + msg = ('suricata-update update-sources had an unexpected failure. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['suricata.SuricataTest.test_suricata_update_sources']) + def test_suricata_update_enable_source(self): + status, output = self.tc.target.run('suricata-update enable-source oisf/trafficid') + msg = ('suricata-update enable-source oisf/trafficid had an unexpected failure. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) diff --git a/external/meta-security/lib/oeqa/runtime/cases/tripwire.py b/external/meta-security/lib/oeqa/runtime/cases/tripwire.py new file mode 100644 index 00000000..659724d0 --- /dev/null +++ b/external/meta-security/lib/oeqa/runtime/cases/tripwire.py @@ -0,0 +1,47 @@ +# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com> +# +import re + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage + + +class TripwireTest(OERuntimeTestCase): + + @OEHasPackage(['tripwire']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_tripwire_help(self): + status, output = self.target.run('tripwire --help') + msg = ('tripwire command does not work as expected. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 8, msg = msg) + + @OETestDepends(['tripwire.TripwireTest.test_tripwire_help']) + def test_tripwire_twinstall(self): + status, output = self.target.run('/etc/tripwire/twinstall.sh') + match = re.search('The database was successfully generated.', output) + if not match: + msg = ('/etc/tripwire/twinstall.sh failed. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['tripwire.TripwireTest.test_tripwire_twinstall']) + def test_tripwire_twadmin(self): + status, output = self.target.run('twadmin --create-cfgfile --cfgfile /etc/tripwire/twcfg.enc --site-keyfile /etc/tripwire/site.key -Q tripwire /etc/tripwire/twcfg.txt') + status, output = self.target.run('twadmin --create-polfile --cfgfile /etc/tripwire/twcfg.enc --polfile /etc/tripwire/twpol.enc --site-keyfile /etc/tripwire/site.key -Q tripwire /etc/tripwire/twpol.txt') + match = re.search('Wrote policy file: /etc/tripwire/twpol.enc', output) + if not match: + msg = ('twadmin --create-profile ; failed. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['tripwire.TripwireTest.test_tripwire_twadmin']) + def test_tripwire_init(self): + status, hostname = self.target.run('hostname') + status, output = self.target.run('tripwire --init --cfgfile /etc/tripwire/twcfg.enc --polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key --local-keyfile /etc/tripwire/%s-local.key -P tripwire' % hostname) + match = re.search('The database was successfully generated.', output) + if not match: + msg = ('tripwire --init; Failed for host: %s. ' + 'Status and output:%s and %s' % (hostname, status, output)) + self.assertEqual(status, 0, msg = msg) diff --git a/external/meta-security/lib/oeqa/selftest/cases/cvechecker.py b/external/meta-security/lib/oeqa/selftest/cases/cvechecker.py new file mode 100644 index 00000000..23ca7d22 --- /dev/null +++ b/external/meta-security/lib/oeqa/selftest/cases/cvechecker.py @@ -0,0 +1,27 @@ +import os +import re + +from oeqa.selftest.case import OESelftestTestCase +from oeqa.utils.commands import bitbake, get_bb_var + +class CveCheckerTests(OESelftestTestCase): + def test_cve_checker(self): + image = "core-image-sato" + + deploy_dir = get_bb_var("DEPLOY_DIR_IMAGE") + image_link_name = get_bb_var('IMAGE_LINK_NAME', image) + + manifest_link = os.path.join(deploy_dir, "%s.cve" % image_link_name) + + self.logger.info('CVE_CHECK_MANIFEST = "%s"' % manifest_link) + if (not 'cve-check' in get_bb_var('INHERIT')): + add_cve_check_config = 'INHERIT += "cve-check"' + self.append_config(add_cve_check_config) + self.append_config('CVE_CHECK_MANIFEST = "%s"' % manifest_link) + result = bitbake("-k -c cve_check %s" % image, ignore_status=True) + if (not 'cve-check' in get_bb_var('INHERIT')): + self.remove_config(add_cve_check_config) + + isfile = os.path.isfile(manifest_link) + self.assertEqual(True, isfile, 'Failed to create cve data file : %s' % manifest_link) + |