blob: 1d211e7e7d065037b6f1ac774349f796a3ae4352 [file] [log] [blame] [edit]
# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
import logging
import os
from collections import namedtuple
from autotest_lib.client.bin import test, utils
from autotest_lib.client.common_lib import error
Jail = namedtuple("Jail", "user policy nnp")
class security_Minijail_seccomp(test.test):
version = 1
def setup(self):
os.chdir(self.srcdir)
utils.make('clean')
utils.make()
def run_test(self, exe, args, jail, expected_ret, pretty_msg):
cmdline = '/sbin/minijail0'
if jail.user:
cmdline += ' -u %s' % jail.user
if jail.nnp:
cmdline += ' -n'
cmdline += ' -S %s/%s %s/%s' % (self.bindir, jail.policy,
self.bindir, exe)
if len(args) > 0:
cmdline += ' %s' % ' '.join(args)
logging.info("Command line: " + cmdline)
ret = utils.system(cmdline, ignore_status=True)
if ret != expected_ret:
logging.error("ret: %d, expected: %d" % (ret, expected_ret))
raise error.TestFail(pretty_msg)
def run_once(self):
privdrop_policy = "policy-privdrop_" + utils.get_arch_userspace()
case_ok = ("ok", [],
Jail(None, "policy", nnp=False),
0, "Allowed system calls failed")
case_block_privdrop = ("ok", [],
Jail("chronos", "policy", nnp=False),
253, "Blocked priv-drop system calls succeeded")
case_allow_privdrop = ("ok", [],
Jail("chronos", privdrop_policy, nnp=False),
0, "Allowed system calls failed")
case_no_new_privs = ("ok", [],
Jail("chronos", "policy", nnp=True),
0, "Allowed system calls failed")
case_fail = ("fail", [],
Jail(None, "policy", nnp=False),
253, "Blocked system calls succeeded")
case_arg_equals_ok = ("open", ["0"],
Jail(None, "policy-rdonly", nnp=False),
0, "Allowing system calls via args == failed")
case_arg_equals_fail = ("open", ["1"],
Jail(None, "policy-rdonly", nnp=False),
253, "Blocking system calls via args == failed")
case_arg_flags_ok = ("open", ["1"],
Jail(None, "policy-wronly", nnp=False),
0, "Allowing system calls via args & failed")
case_arg_flags_ok = ("open", ["2"],
Jail(None, "policy-wronly", nnp=False),
253, "Blocking system calls via args & failed")
for case in [case_ok, case_block_privdrop, case_allow_privdrop,
case_no_new_privs, case_fail,
case_arg_equals_ok, case_arg_equals_fail,
case_arg_flags_ok]:
self.run_test(*case)