Diffstat (limited to 'meta-security/lib')
-rw-r--r-- | meta-security/lib/oeqa/runtime/cases/aide.py | 26 | ||||
-rw-r--r-- | meta-security/lib/oeqa/runtime/cases/checksec.py | 2 | ||||
-rw-r--r-- | meta-security/lib/oeqa/runtime/cases/clamav.py | 21 | ||||
-rw-r--r-- | meta-security/lib/oeqa/runtime/cases/firejail.py | 18 | ||||
-rw-r--r-- | meta-security/lib/oeqa/runtime/cases/smack.py | 103 | ||||
-rw-r--r-- | meta-security/lib/oeqa/runtime/cases/sssd.py | 4 |
6 files changed, 66 insertions, 108 deletions
diff --git a/meta-security/lib/oeqa/runtime/cases/aide.py b/meta-security/lib/oeqa/runtime/cases/aide.py
new file mode 100644
index 0000000000..4c7633ca1f
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/aide.py
@@ -0,0 +1,26 @@
+# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class AideTest(OERuntimeTestCase):
+
+ @OEHasPackage(['aide'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_aide_help(self):
+ status, output = self.target.run('aide --help')
+ msg = ('Aide help command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['aide.AideTest.test_aide_help'])
+ def test_aide_dbinit(self):
+ status, output = self.target.run('aide --init')
+ match = re.search('Number of entries:', output)
+ if not match:
+ msg = ('Aide db init failed: output is:\n%s' % output)
+ self.assertEqual(status, 0, msg = msg)
diff --git a/meta-security/lib/oeqa/runtime/cases/checksec.py b/meta-security/lib/oeqa/runtime/cases/checksec.py
index e46744c63b..53e6c1d7bb 100644
--- a/meta-security/lib/oeqa/runtime/cases/checksec.py
+++ b/meta-security/lib/oeqa/runtime/cases/checksec.py
@@ -19,7 +19,7 @@ class CheckSecTest(OERuntimeTestCase):
 @OETestDepends(['checksec.CheckSecTest.test_checksec_help'])
 def test_checksec_xml(self):
- status, output = self.target.run('checksec --format xml --proc-all')
+ status, output = self.target.run('checksec --format=xml --proc=1')
 msg = ('checksec xml failed. Output: %s' % output)
 self.assertEqual(status, 0, msg = msg)
diff --git a/meta-security/lib/oeqa/runtime/cases/clamav.py b/meta-security/lib/oeqa/runtime/cases/clamav.py
index cf8393732d..e0cad8f307 100644
--- a/meta-security/lib/oeqa/runtime/cases/clamav.py
+++ b/meta-security/lib/oeqa/runtime/cases/clamav.py
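Review bot: In test_aide_dbinit the status assertion is tied to the `Number of entries:` search, and either reading of the whitespace-collapsed indentation leaves a gap: if `self.assertEqual(status, 0, msg = msg)` sits inside `if not match:`, a non-zero `aide --init` whose output still contains the marker passes silently, and if it sits outside, `msg` is unbound on the success path. Checking the two conditions independently closes it: `self.assertEqual(status, 0, msg='aide --init failed. Status and output:%s and %s' % (status, output))` followed by `self.assertIn('Number of entries:', output, msg='aide --init did not report entries:\n%s' % output)`, which also replaces the `re.search` on a literal. The sssd.py hunk on the last line (test_sssd_sssctl_deamon, where `if match:` wraps the same `msg`/assertEqual pair) has the same shape and would take the same split, with assertNotIn for its error marker.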
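Review bot: The new `checksec --format=xml --proc=1` narrows the check from every process to PID 1 and nothing records why; a one-line comment above the call, `# --proc=1: check PID 1 only (presumably to keep the xml run short) -- confirm`, keeps the next reader from treating it as a typo for --proc-all. The assertion below it still inspects only the exit status, so empty or truncated output passes; `self.assertTrue(output.strip(), msg=msg)` before the status check is a cheap guard against that. Whether test_checksec_xml continues past the hunk is not visible here.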
@@ -1,4 +1,4 @@
-# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+# Copyright (C) 2019 - 2022 Armin Kuster <akuster808@gmail.com>
 #
 import re
 from tempfile import mkstemp
@@ -48,21 +48,8 @@ class ClamavTest(OERuntimeTestCase):
 self.assertEqual(status, 0, msg = msg)
 @OETestDepends(['clamav.ClamavTest.test_ping_clamav_net'])
- def test_freshclam_check_mirrors(self):
- status, output = self.target.run('freshclam --list-mirrors')
- match = re.search('Failures: 0', output)
- if not match:
- msg = ('freshclam --list-mirrors: failed. '
- 'Status and output:%s and %s' % (status, output))
- self.assertEqual(status, 1, msg = msg)
-
- @OETestDepends(['clamav.ClamavTest.test_freshclam_check_mirrors'])
 def test_freshclam_download(self):
 status, output = self.target.run('freshclam --show-progress')
- match = re.search('Database updated', output)
- #match = re.search('main.cvd is up to date', output)
- if not match:
- msg = ('freshclam : DB dowbload failed. '
- 'Status and output:%s and %s' % (status, output))
- self.assertEqual(status, 1, msg = msg)
-
+ msg = ('freshclam : DB dowbload failed. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
diff --git a/meta-security/lib/oeqa/runtime/cases/firejail.py b/meta-security/lib/oeqa/runtime/cases/firejail.py
new file mode 100644
index 0000000000..88a8dda210
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/firejail.py
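Review bot: The rewritten failure message in test_freshclam_download carries the typo `DB dowbload failed` onto its new line; this string is what a CI log shows, so `msg = ('freshclam --show-progress: DB download failed. '` reads better and names the command it reports on. Relying on freshclam's exit status alone is reasonable now that the `Database updated` grep is gone, but the test stays network-bound through its dependency on test_ping_clamav_net; a one-line docstring saying the test needs the connectivity test_ping_clamav_net establishes would make the fail behaviour predictable for whoever reads the log. The first hunk is a copyright-year bump and needs nothing.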
@@ -0,0 +1,18 @@
+# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+class FirejailTest(OERuntimeTestCase):
+
+ @OEHasPackage(['firejail'])
+ @OEHasPackage(['libseccomp'])
+ @OETestDepends(['ssh.SSHTest.test_ssh'])
+ def test_firejail_basic(self):
+ status, output = self.target.run('firejail --help')
+ msg = ('Firejail --help command does not work as expected. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
diff --git a/meta-security/lib/oeqa/runtime/cases/smack.py b/meta-security/lib/oeqa/runtime/cases/smack.py
index b8255c781c..6b87574998 100644
--- a/meta-security/lib/oeqa/runtime/cases/smack.py
+++ b/meta-security/lib/oeqa/runtime/cases/smack.py
@@ -15,17 +15,16 @@ class SmackBasicTest(OERuntimeTestCase):
 @classmethod
 def setUpClass(cls):
- cls.smack_path = ""
 cls.current_label = ""
 cls.uid = 1000
+ status, output = cls.tc.target.run("grep smack /proc/mounts | awk '{print $2}'")
+ cls.smack_path = output
 @skipIfNotFeature('smack', 'Test requires smack to be in DISTRO_FEATURES')
 @OEHasPackage(['smack-test'])
 @OETestDepends(['ssh.SSHTest.test_ssh'])
 def test_smack_basic(self):
- status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'")
- self.smack_path = output
 status,output = self.target.run("cat /proc/self/attr/current")
 self.current_label = output.strip()
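Review bot: `import re` in the new firejail.py is never used — test_firejail_basic only runs `firejail --help` and checks the status — so the import and the blank line after it should go. The test name and the `@OEHasPackage(['libseccomp'])` requirement suggest a sandbox exercise, yet only the help text is checked; a docstring such as `'''Smoke test: firejail is installed and its CLI starts; no sandbox is created.'''` keeps that expectation honest until a confinement test exists.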
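Review bot: setUpClass now discards `status` from the `grep smack /proc/mounts | awk '{print $2}'` run and stores `output` as-is, so on an image where smackfs is not mounted `cls.smack_path` is an empty string and any later `'... > %s/load' % (..., self.smack_path)` write (the pattern the removed mmap test shows) resolves to `/load` at the filesystem root instead of failing. The lookup previously ran inside test_smack_basic behind `@skipIfNotFeature('smack', ...)`; setUpClass runs unconditionally, so the unmounted case is no longer skipped away. Suggest `cls.smack_path = output.strip()` (the neighbouring `cls.current_label = output.strip()` already does this; whether the runner strips the trailing newline itself is not visible here) and, in each test that writes rules, `self.assertTrue(self.smack_path, 'smackfs mount point not found in /proc/mounts')` before the echo. setUpClass ends inside the hunk; test_smack_basic continues past it.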
@@ -41,11 +40,11 @@ class SmackBasicTest(OERuntimeTestCase):
 "Status and output: %d %s" %(status, output))
 status, output = self.target.run("chsmack %s" %filename)
 self.target.run("rm %s" %filename)
- m = re.search('(?<=access=")\S+(?=")', output)
+ m = re.search('(access=")\S+(?=")', output)
 if m is None:
 self.fail("Did not find access attribute")
 else:
- label_retrieved = m .group(0)
+ label_retrieved = re.split("access=\"", output)[1][:-1]
 self.assertEqual( LABEL, label_retrieved,
 "label not set correctly. expected and gotten: "
@@ -64,11 +63,11 @@ class SmackBasicTest(OERuntimeTestCase):
 "Status and output: %d %s" %(status, output))
 status, output = self.target.run("chsmack %s" %filename)
 self.target.run("rm %s" %filename)
- m= re.search('(?<=execute=")\S+(?=")', output)
+ m= re.search('(execute=")\S+(?=")', output)
 if m is None:
 self.fail("Did not find execute attribute")
 else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("execute=\"", output)[1][:-1]
 self.assertEqual( LABEL, label_retrieved,
 "label not set correctly. expected and gotten: " +
@@ -87,11 +86,11 @@ class SmackBasicTest(OERuntimeTestCase):
 "Status and output: %d %s" %(status, output))
 status, output = self.target.run("chsmack %s" %filename)
 self.target.run("rm %s" %filename)
- m = re.search('(?<=mmap=")\S+(?=")', output)
+ m = re.search('(mmap=")\S+(?=")', output)
 if m is None:
 self.fail("Did not find mmap attribute")
 else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("mmap=\"", output)[1][:-1]
 self.assertEqual( LABEL, label_retrieved,
 "label not set correctly. expected and gotten: " +
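Review bot: The new `label_retrieved = re.split("access=\"", output)[1][:-1]` assumes the label is the last thing chsmack printed and strips exactly one trailing character; if further attributes follow `access="…"` (the execute, mmap and transmute ones these same tests set) or a trailing newline survives, the retrieved value is wrong and the assertEqual fails for the wrong reason. The match object `m` on the line above is still computed and already brackets the value, so capture it there instead: `m = re.search(r'access="(\S+)"', output)` and `label_retrieved = m.group(1)`, which also removes the redundant second scan. Raw strings additionally silence the invalid-escape warning that `\S` raises inside a plain literal. The execute and mmap hunks here and the transmute hunk on the next line repeat the same pattern and take the same change. The enclosing test methods start and end outside these hunks.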
@@ -109,11 +108,11 @@ class SmackBasicTest(OERuntimeTestCase):
 "Status and output: %d %s" %(status, output))
 status, output = self.target.run("chsmack %s" %directory)
 self.target.run("rmdir %s" %directory)
- m = re.search('(?<=transmute=")\S+(?=")', output)
+ m = re.search('(transmute=")\S+(?=")', output)
 if m is None:
 self.fail("Did not find transmute attribute")
 else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("transmute=\"", output)[1][:-1]
 self.assertEqual( "TRUE", label_retrieved,
 "label not set correctly. expected and gotten: " +
@@ -127,10 +126,10 @@ class SmackBasicTest(OERuntimeTestCase):
 '''
 labelf = "/proc/self/attr/current"
- command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf)
+ command = "/bin/sh -c 'echo PRIVILEGED >%s'; cat %s" %(labelf, labelf)
 status, output = self.target.run(
- "notroot.py 0 %s %s" %(self.current_label, command))
+ "/usr/sbin/notroot.py 0 %s %s" %(self.current_label, command))
 self.assertIn("PRIVILEGED", output,
 "Privilege process did not change label.Output: %s" %output)
@@ -142,7 +141,7 @@ class SmackBasicTest(OERuntimeTestCase):
 command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL
 status, output = self.target.run(
- "notroot.py %d %s %s"
+ "/usr/sbin/notroot.py %d %s %s"
 %(self.uid, self.current_label, command)
 + " 2>&1 | grep 'Operation not permitted'"
 )
@@ -160,9 +159,9 @@ class SmackBasicTest(OERuntimeTestCase):
 filename = "/tmp/test_unprivileged_change_file_label"
 self.target.run("touch %s" % filename)
- self.target.run("notroot.py %d %s" %(self.uid, self.current_label))
+ self.target.run("/usr/sbin/notroot.py %d %s" %(self.uid, self.current_label))
 status, output = self.target.run(
- "notroot.py " +
+ "/usr/sbin/notroot.py " +
 "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename)
 + "| grep 'Operation not permitted'"
 )
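Review bot: In the second hunk, moving `cat %s` outside the single quotes changes who reads the label: the string passed to `self.target.run` becomes `/usr/sbin/notroot.py 0 <label> /bin/sh -c 'echo PRIVILEGED >/proc/self/attr/current'; cat /proc/self/attr/current`, so the `cat` runs in the runner's shell after notroot.py has returned and reads that shell's own `/proc/self/attr/current`, not the relabelled child's. Unless the outer shell is itself expected to carry PRIVILEGED, `assertIn("PRIVILEGED", output, ...)` can no longer observe the change the test is named for; if the split was deliberate (for instance because the relabelled sh could not exec cat), a comment on the `command = ...` line stating what is actually being read is needed, otherwise keeping `cat` inside the quoted `sh -c` body matches the test's intent. The enclosing method starts outside the hunk. The `/usr/sbin/notroot.py` literal is now repeated across this and the next two hunks; a module-level `NOTROOT = "/usr/sbin/notroot.py"` would keep the path in one place.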
@@ -347,78 +346,6 @@ class SmackBasicTest(OERuntimeTestCase):
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
- def test_smack_mmap_enforced(self):
- '''Test if smack mmap access is enforced'''
- raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.")
-
- # 12345678901234567890123456789012345678901234567890123456
- delr1="mmap_label mmap_test_label1 -----"
- delr2="mmap_label mmap_test_label2 -----"
- delr3="mmap_file_label mmap_test_label1 -----"
- delr4="mmap_file_label mmap_test_label2 -----"
-
- RuleA="mmap_label mmap_test_label1 rw---"
- RuleB="mmap_label mmap_test_label2 r--at"
- RuleC="mmap_file_label mmap_test_label1 rw---"
- RuleD="mmap_file_label mmap_test_label2 rwxat"
-
- mmap_label="mmap_label"
- file_label="mmap_file_label"
- test_file = "/usr/sbin/smack_test_mmap"
- mmap_exe = "/tmp/mmap_test"
- status, echo = self.target.run("which echo")
- status, output = self.target.run(
- "notroot.py %d %s %s 'test' > %s" \
- %(self.uid, self.current_label, echo, test_file))
- status, output = self.target.run("ls %s" %test_file)
- self.assertEqual(status, 0, "Could not create mmap test file")
- self.target.run("chsmack -m %s %s" %(file_label, test_file))
- self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe))
-
- # test with no rules with mmap label or exec label as subject
- # access should be granted
- self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path))
- status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
- self.assertEqual(
- status, 0,
- "Should have mmap access without rules. 
Output: %s" %output)
-
- # add rules that do not match access required
- self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path))
- status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
- self.assertNotEqual(
- status, 0,
- "Should not have mmap access with unmatching rules. " +
- "Output: %s" %output)
- self.assertIn(
- "Permission denied", output,
- "Mmap access should be denied with unmatching rules")
-
- # add rule to match only partially (one way)
- self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path))
- status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
- self.assertNotEqual(
- status, 0,
- "Should not have mmap access with partial matching rules. " +
- "Output: %s" %output)
- self.assertIn(
- "Permission denied", output,
- "Mmap access should be denied with partial matching rules")
-
- # add rule to match fully
- self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path))
- status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
- self.assertEqual(
- status, 0,
- "Should have mmap access with full matching rules." +
- "Output: %s" %output)
-
-
- @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_smack_transmute_dir(self):
 '''Test if smack transmute attribute works
diff --git a/meta-security/lib/oeqa/runtime/cases/sssd.py b/meta-security/lib/oeqa/runtime/cases/sssd.py
index 4644836257..1dfdb949bf 100644
--- a/meta-security/lib/oeqa/runtime/cases/sssd.py
+++ b/meta-security/lib/oeqa/runtime/cases/sssd.py
@@ -28,10 +28,10 @@ class SSSDTest(OERuntimeTestCase):
 @OETestDepends(['sssd.SSSDTest.test_sssd_sssctl_conf_perms_chk'])
 def test_sssd_sssctl_deamon(self):
- status, output = self.target.run('sssctl domain-status')
+ status, output = self.target.run('sssctl domain-list')
 match = re.search('No domains configured, fatal error!', output)
 if match:
- msg = ('sssctl domain-status failed, sssd.conf not setup correctly. '
+ msg = ('sssctl domain-list failed, sssd.conf not setup correctly. '
 'Status and output:%s and %s' % (status, output))
 self.assertEqual(status, 0, msg = msg)
|