| # Copyright 2016 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| import logging |
| import os |
| |
| from autotest_lib.client.bin import test, utils |
| from autotest_lib.client.common_lib import error |
| |
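class security_CroshModules(test.test):
    """Make sure no surprise crosh modules end up installed.

    The test lists every regular file under the crosh module directories
    and fails if any listed path is missing from the 'whitelist' file that
    ships next to this test.

    The comparison is by relative path only. File contents, ownership and
    mode are not inspected, so a modified file at an already-permitted path
    is not detected by this test.
    """

    version = 1
    # Directory the module directories are resolved against.
    CROSH_DIR = '/usr/share/crosh'
    # Sub-directories of CROSH_DIR that are searched for module files.
    MODULE_DIRS = ('dev.d', 'extra.d', 'removable.d')

    def load_whitelist(self):
        """Load the list of permitted files.

        Each line is stripped of surrounding whitespace before it is
        examined, so blank lines and indented '#' comments are skipped
        instead of ending up in the baseline as bogus entries.

        Returns:
            A set with one stripped entry per non-blank, non-comment line
            of the 'whitelist' file in self.bindir.
        """
        # self.bindir is not set in this class; presumably it is provided
        # by the test.test base class -- confirm.
        with open(os.path.join(self.bindir, 'whitelist')) as fp:
            entries = (line.strip() for line in fp)
            return set(entry for entry in entries
                       if entry and not entry.startswith('#'))

    def run_once(self):
        """
        Do a find on the system for crosh modules and compare against whitelist.
        Fail if unknown modules are found on the system.

        Raises:
            error.TestFail: if a file is found under one of MODULE_DIRS
                that is not listed in the whitelist.
        """
        # The shell command is assembled from class constants only; no
        # externally supplied value is interpolated into it.
        cmd = 'cd %s && find %s -type f' % (
            self.CROSH_DIR, ' '.join(self.MODULE_DIRS))
        # ignore_status=True tolerates a nonzero exit, presumably because
        # some module directories are absent on a given image -- confirm.
        # Consequence: if the 'cd' fails, find never runs, the output is
        # empty and the test passes without having checked anything.
        # NOTE(review): '-type f' reports regular files only, so a symlink
        # placed in a module directory is not listed here. Confirm whether
        # crosh loads symlinked modules; if it does, extend the find
        # expression to cover them.
        cmd_output = utils.system_output(cmd, ignore_status=True)
        observed_set = set(cmd_output.splitlines())
        baseline_set = self.load_whitelist()

        # Report observed set for debugging (sorted for stable logs).
        for line in sorted(observed_set):
            logging.debug('%s: %s', self.CROSH_DIR, line)

        # Fail if we find files that are not in the baseline.
        new = observed_set.difference(baseline_set)
        if new:
            # Sort so the failure message is deterministic across runs.
            message = 'New modules: %s' % (', '.join(sorted(new)),)
            raise error.TestFail(message)

        logging.debug('OK: whitelist matches system')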