普通文本  |  71行  |  2.37 KB

# Copyright (c) 2015 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import logging
import os

from autotest_lib.client.bin import test, utils
from autotest_lib.client.common_lib import error
from autotest_lib.client.cros import kernel_config

class security_AltSyscall(test.test):
    """
    Verify that alt_syscall allows/blocks system calls as expected using
    minijail.
    """
    version = 1

    def initialize(self):
        self.job.require_gcc()

    def setup(self):
        os.chdir(self.srcdir)
        utils.make('clean')
        utils.make()

    def run_test(self, exe, table, expected_ret, pretty_msg):
        """
        Runs a single alt_syscall test case.

        Runs the executable with the specified alt_syscall table using minijail.
        Fails the test if the return value does not match what we expected.

        @param exe Test executable
        @param table Alt_syscall table name
        @param expected_ret Expected return value from the test
        @param pretty_msg Message to display on failue
        """
        cmdline = '/sbin/minijail0 -a %s %s/%s' % (table, self.srcdir, exe)

        logging.info("Command line: " + cmdline)
        ret = utils.system(cmdline, ignore_status=True)

        if ret != expected_ret:
            logging.error("ret: %d, expected: %d", ret, expected_ret)
            raise error.TestFail(pretty_msg)

    def alt_syscall_supported(self):
        """
        Check that alt_syscall is supported by the kernel.
        """
        config = kernel_config.KernelConfig()
        config.initialize()
        config.is_enabled('ALT_SYSCALL')
        config.is_enabled('ALT_SYSCALL_CHROMIUMOS')
        return len(config.failures()) == 0

    def run_once(self):
        if not self.alt_syscall_supported():
            raise error.TestFail("ALT_SYSCALL not supported")

        case_allow = ("read", "read_write_test", 0,
                      "Allowed system calls failed")
        case_deny_blocked = ("mmap", "read_write_test", 2,
                             "Blocked system calls succeeded")
        case_deny_alt_syscall = ("alt_syscall", "read_write_test", 1,
                                 "Changing alt_syscall table succeeded")

        for case in [case_allow, case_deny_blocked, case_deny_alt_syscall]:
            self.run_test(*case)