# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
import logging
import os
from autotest_lib.client.bin import test, utils
from autotest_lib.client.common_lib import error
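class security_SuidBinaries(test.test):
    """Compare the set-id files found on the system with a checked-in baseline.

    The test fails when a file carrying the setuid (or setgid) bit is not
    listed in the baseline, and also when a baseline entry is no longer
    present on the system.
    """
    version = 1

    def load_baseline(self, bltype):
        """Return the paths listed in the ``baseline.<bltype>`` file.

        Args:
            bltype: baseline name; used as the suffix of the file that is
                read from ``self.bindir``.

        Returns:
            A set with one entry per non-blank line, whitespace-stripped.
        """
        baseline_path = os.path.join(self.bindir, 'baseline.' + bltype)
        # Close the file deterministically instead of relying on garbage
        # collection to release the descriptor.
        with open(baseline_path) as baseline_file:
            entries = set(line.strip() for line in baseline_file)
        # find never prints an empty path, so a blank line in the baseline
        # could only ever surface as a spurious "Missing" failure.
        entries.discard('')
        return entries

    def run_once(self, baseline='suid'):
        """Scan the filesystem for set-id files and compare with the baseline.

        Args:
            baseline: which permission bit to audit, 'suid' or 'sgid'. It
                selects both the find permission mask and the baseline file.

        Raises:
            KeyError: if baseline is not one of the supported names.
            error.TestFail: if the observed files and the baseline differ in
                either direction.
        """
        # The lookup doubles as an allow-list: only these two fixed strings
        # can be interpolated into the shell command below, and any other
        # value raises KeyError before a command is built.
        mask = {'suid': '4000', 'sgid': '2000'}
        # The pruned trees are excluded from the scan entirely, so set-id
        # files below them are not covered by this test.
        cmd = ('find / -wholename /proc -prune -o '
               ' -wholename /dev -prune -o '
               ' -wholename /sys -prune -o '
               ' -wholename /usr/local -prune -o '
               ' -wholename /mnt/stateful_partition -prune -o '
               '-type f -a -perm /%s -print'
               ) % mask[baseline]
        # find's exit status is ignored; only what it printed is compared.
        # If the scan printed nothing, every entry of a non-empty baseline is
        # reported as missing, so the test fails rather than passes.
        cmd_output = utils.system_output(cmd, ignore_status=True)
        observed_set = set(cmd_output.splitlines())
        baseline_set = self.load_baseline(baseline)

        # Files on the system that the baseline does not cover. Sorted so
        # the log order is stable between runs.
        unexpected = observed_set.difference(baseline_set)
        for filepath in sorted(unexpected):
            logging.error('Unexpected %s binary: %s', baseline, filepath)

        # Baseline entries that no longer exist (or lost the bit); reported
        # so the baseline is kept in sync with the image.
        missing = baseline_set.difference(observed_set)
        for filepath in sorted(missing):
            logging.error('Missing %s binary: %s', baseline, filepath)

        if unexpected or missing:
            raise error.TestFail('Baseline mismatch')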