117 lines
4.2 KiB
Python
117 lines
4.2 KiB
Python
#!/usr/bin/env python3
|
|
#
|
|
# Copyright (C) 2021 The Android Open Source Project
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
"""Unittests for the seccomp policy linter module."""
|
|
|
|
from pathlib import Path
|
|
import tempfile
|
|
import unittest
|
|
|
|
import seccomp_policy_lint
|
|
|
|
class CheckSeccompPolicyTests(unittest.TestCase):
|
|
"""Tests for check_seccomp_policy."""
|
|
|
|
def setUp(self):
|
|
self.tempdir = Path(tempfile.mkdtemp())
|
|
|
|
def _write_file(self, filename, contents):
|
|
"""Helper to write out a file for testing."""
|
|
path = self.tempdir / filename
|
|
path.write_text(contents)
|
|
return path
|
|
|
|
def test_check_simple(self):
|
|
"""Allow simple policy files."""
|
|
path = self._write_file(
|
|
'test.policy', """
|
|
# Comment.\n
|
|
read: 1\n
|
|
write: 1\n
|
|
""")
|
|
|
|
exp_out = seccomp_policy_lint.CheckPolicyReturn(
|
|
f'seccomp: {path.resolve()} does not contain any dangerous'
|
|
' syscalls, so does not require review from'
|
|
' chromeos-security@',
|
|
[])
|
|
|
|
with path.open('r', encoding='utf-8') as check_file:
|
|
self.assertEqual(seccomp_policy_lint.check_seccomp_policy(
|
|
check_file, seccomp_policy_lint.DANGEROUS_SYSCALLS),
|
|
exp_out)
|
|
|
|
def test_check_dangerous_comment(self):
|
|
"""Dangerous syscalls must have a comment and need to be reviewed."""
|
|
path = self._write_file(
|
|
'test.policy', """
|
|
# Comment.\n\n\n
|
|
clone: 1\n
|
|
write: 1\n
|
|
""")
|
|
|
|
exp_out = seccomp_policy_lint.CheckPolicyReturn(
|
|
f'seccomp: {path.resolve()} contains dangerous syscalls,'
|
|
' so requires review from chromeos-security@',
|
|
[])
|
|
|
|
with path.open('r', encoding='utf-8') as check_file:
|
|
self.assertEqual(seccomp_policy_lint.check_seccomp_policy(
|
|
check_file, seccomp_policy_lint.DANGEROUS_SYSCALLS),
|
|
exp_out)
|
|
|
|
def test_check_dangerous_no_comment(self):
|
|
"""Dangerous syscalls without a comment should cause an error."""
|
|
path = self._write_file(
|
|
'test.policy', """
|
|
# Comment.\n
|
|
mount: 1\n
|
|
clone: 1\n
|
|
""")
|
|
|
|
exp_out = seccomp_policy_lint.CheckPolicyReturn(
|
|
f'seccomp: {path.resolve()} contains dangerous syscalls,'
|
|
' so requires review from chromeos-security@',
|
|
[(f'{path.resolve()}, line 5: clone syscall is a dangerous '
|
|
'syscall so requires a comment on the preceding line')])
|
|
|
|
with path.open('r', encoding='utf-8') as check_file:
|
|
self.assertEqual(seccomp_policy_lint.check_seccomp_policy(
|
|
check_file, seccomp_policy_lint.DANGEROUS_SYSCALLS),
|
|
exp_out)
|
|
|
|
def test_check_duplicate_syscall(self):
|
|
"""Policy files cannot have duplicate syscalls.."""
|
|
path = self._write_file(
|
|
'test.policy', """
|
|
# Comment.\n
|
|
clone: 1\n
|
|
clone: arg0 == 3
|
|
""")
|
|
|
|
exp_out = seccomp_policy_lint.CheckPolicyReturn(
|
|
f'seccomp: {path.resolve()} contains dangerous syscalls,'
|
|
' so requires review from chromeos-security@',
|
|
[(f'{path.resolve()}, line 5: repeat syscall: clone')])
|
|
|
|
with path.open('r', encoding='utf-8') as check_file:
|
|
self.assertEqual(seccomp_policy_lint.check_seccomp_policy(
|
|
check_file, seccomp_policy_lint.DANGEROUS_SYSCALLS),
|
|
exp_out)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
unittest.main()
|