Diffstat (limited to 'lib/oeqa/runtime/cases')
-rw-r--r-- | lib/oeqa/runtime/cases/aide.py | 26 | ||||
-rw-r--r-- | lib/oeqa/runtime/cases/checksec.py | 2 | ||||
-rw-r--r-- | lib/oeqa/runtime/cases/clamav.py | 21 | ||||
-rw-r--r-- | lib/oeqa/runtime/cases/firejail.py | 18 | ||||
-rw-r--r-- | lib/oeqa/runtime/cases/smack.py | 142 | ||||
-rw-r--r-- | lib/oeqa/runtime/cases/sssd.py | 4 |
6 files changed, 66 insertions, 147 deletions
diff --git a/lib/oeqa/runtime/cases/aide.py b/lib/oeqa/runtime/cases/aide.py new file mode 100644 index 0000000..4c7633c --- /dev/null +++ b/lib/oeqa/runtime/cases/aide.py @@ -0,0 +1,26 @@ +# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com> +# +import re + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage + + +class AideTest(OERuntimeTestCase): + + @OEHasPackage(['aide']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_aide_help(self): + status, output = self.target.run('aide --help') + msg = ('Aide help command does not work as expected. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) + + @OETestDepends(['aide.AideTest.test_aide_help']) + def test_aide_dbinit(self): + status, output = self.target.run('aide --init') + match = re.search('Number of entries:', output) + if not match: + msg = ('Aide db init failed: output is:\n%s' % output) + self.assertEqual(status, 0, msg = msg) diff --git a/lib/oeqa/runtime/cases/checksec.py b/lib/oeqa/runtime/cases/checksec.py index e46744c..53e6c1d 100644 --- a/lib/oeqa/runtime/cases/checksec.py +++ b/lib/oeqa/runtime/cases/checksec.py @@ -19,7 +19,7 @@ class CheckSecTest(OERuntimeTestCase): @OETestDepends(['checksec.CheckSecTest.test_checksec_help']) def test_checksec_xml(self): - status, output = self.target.run('checksec --format xml --proc-all') + status, output = self.target.run('checksec --format=xml --proc=1') msg = ('checksec xml failed. Output: %s' % output) self.assertEqual(status, 0, msg = msg) diff --git a/lib/oeqa/runtime/cases/clamav.py b/lib/oeqa/runtime/cases/clamav.py index cf83937..e0cad8f 100644 --- a/lib/oeqa/runtime/cases/clamav.py +++ b/lib/oeqa/runtime/cases/clamav.py 
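Review bot: In `test_aide_dbinit` (aide.py hunk) `msg` is assigned only inside `if not match:`, so when the output does contain `Number of entries:` the status check is either skipped or reaches `assertEqual` with `msg` unbound; indentation is lost in this rendering, so which of the two applies cannot be told from here. For a file-integrity tool both conditions are worth asserting unconditionally: build `msg = 'Aide db init failed: output is:\n%s' % output` first, then `self.assertEqual(status, 0, msg=msg)` and `self.assertIn('Number of entries:', output, msg)`. That also makes the `re.search` call and the `import re` line unnecessary in this file.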
@@ -1,4 +1,4 @@ -# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com> +# Copyright (C) 2019 - 2022 Armin Kuster <akuster808@gmail.com> # import re from tempfile import mkstemp @@ -48,21 +48,8 @@ class ClamavTest(OERuntimeTestCase): self.assertEqual(status, 0, msg = msg) @OETestDepends(['clamav.ClamavTest.test_ping_clamav_net']) - def test_freshclam_check_mirrors(self): - status, output = self.target.run('freshclam --list-mirrors') - match = re.search('Failures: 0', output) - if not match: - msg = ('freshclam --list-mirrors: failed. ' - 'Status and output:%s and %s' % (status, output)) - self.assertEqual(status, 1, msg = msg) - - @OETestDepends(['clamav.ClamavTest.test_freshclam_check_mirrors']) def test_freshclam_download(self): status, output = self.target.run('freshclam --show-progress') - match = re.search('Database updated', output) - #match = re.search('main.cvd is up to date', output) - if not match: - msg = ('freshclam : DB dowbload failed. ' - 'Status and output:%s and %s' % (status, output)) - self.assertEqual(status, 1, msg = msg) - + msg = ('freshclam : DB dowbload failed. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) diff --git a/lib/oeqa/runtime/cases/firejail.py b/lib/oeqa/runtime/cases/firejail.py new file mode 100644 index 0000000..88a8dda --- /dev/null +++ b/lib/oeqa/runtime/cases/firejail.py 
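Review bot: The failure message kept on the new side of `test_freshclam_download` (second clamav.py hunk) still reads `DB dowbload failed`; since these lines are being rewritten anyway it could become `'freshclam : DB download failed. '`. With the `re.search` calls removed in this hunk, `import re` at the top of the file may no longer be needed, which cannot be confirmed from the visible lines. The test still depends on `test_ping_clamav_net`, so a short comment saying it needs outbound network access to fetch the signature database would help whoever triages a failure.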
@@ -0,0 +1,18 @@ +# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com> +# +import re + +from oeqa.runtime.case import OERuntimeTestCase +from oeqa.core.decorator.depends import OETestDepends +from oeqa.runtime.decorator.package import OEHasPackage + +class FirejailTest(OERuntimeTestCase): + + @OEHasPackage(['firejail']) + @OEHasPackage(['libseccomp']) + @OETestDepends(['ssh.SSHTest.test_ssh']) + def test_firejail_basic(self): + status, output = self.target.run('firejail --help') + msg = ('Firejail --help command does not work as expected. ' + 'Status and output:%s and %s' % (status, output)) + self.assertEqual(status, 0, msg = msg) diff --git a/lib/oeqa/runtime/cases/smack.py b/lib/oeqa/runtime/cases/smack.py index 35e87ef..6b87574 100644 --- a/lib/oeqa/runtime/cases/smack.py +++ b/lib/oeqa/runtime/cases/smack.py @@ -15,22 +15,19 @@ class SmackBasicTest(OERuntimeTestCase): @classmethod def setUpClass(cls): - cls.smack_path = "" cls.current_label = "" cls.uid = 1000 + status, output = cls.tc.target.run("grep smack /proc/mounts | awk '{print $2}'") + cls.smack_path = output @skipIfNotFeature('smack', 'Test requires smack to be in DISTRO_FEATURES') @OEHasPackage(['smack-test']) @OETestDepends(['ssh.SSHTest.test_ssh']) def test_smack_basic(self): - status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'") - self.smack_path = output status,output = self.target.run("cat /proc/self/attr/current") self.current_label = output.strip() -class SmackAccessLabel(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_add_access_label(self): ''' Test if chsmack can correctly set a SMACK label ''' 
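Review bot: `import re` in the new firejail.py is never used in the 18 lines the file adds and can be dropped. `test_firejail_basic` requires `libseccomp` but only runs `firejail --help`, so it confirms that the binary starts rather than that a sandbox can be set up. A one-line docstring such as `'''Smoke test: the firejail binary runs; sandboxing is not exercised.'''` would keep readers from assuming more coverage than there is.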
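Review bot: The mount lookup added to `setUpClass` (first smack.py hunk) discards `status` and stores `output` unchecked, so when smackfs is not mounted `cls.smack_path` is an empty string and the later commands of the form `echo -n "%s" > %s/load` would resolve to `/load` on the target. Consider `cls.smack_path = output.strip()` followed by `if status != 0 or not cls.smack_path: raise unittest.SkipTest('smackfs is not mounted')`, assuming `unittest` is still imported in this file. `test_smack_basic` also still assigns `self.current_label` on the instance; now that every test lives in this one class and reads `self.current_label`, the value reaches the other tests only if the runner reuses the instance, which stock unittest does not, so setting it on the class in `setUpClass` would be safer.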
@@ -43,19 +40,17 @@ class SmackAccessLabel(SmackBasicTest): "Status and output: %d %s" %(status, output)) status, output = self.target.run("chsmack %s" %filename) self.target.run("rm %s" %filename) - m = re.search('(?<=access=")\S+(?=")', output) + m = re.search('(access=")\S+(?=")', output) if m is None: self.fail("Did not find access attribute") else: - label_retrieved = m .group(0) + label_retrieved = re.split("access=\"", output)[1][:-1] self.assertEqual( LABEL, label_retrieved, "label not set correctly. expected and gotten: " "%s %s" %(LABEL,label_retrieved)) -class SmackExecLabel(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_add_exec_label(self): '''Test if chsmack can correctly set a SMACK Exec label''' @@ -68,19 +63,17 @@ class SmackExecLabel(SmackBasicTest): "Status and output: %d %s" %(status, output)) status, output = self.target.run("chsmack %s" %filename) self.target.run("rm %s" %filename) - m= re.search('(?<=execute=")\S+(?=")', output) + m= re.search('(execute=")\S+(?=")', output) if m is None: self.fail("Did not find execute attribute") else: - label_retrieved = m.group(0) + label_retrieved = re.split("execute=\"", output)[1][:-1] self.assertEqual( LABEL, label_retrieved, "label not set correctly. expected and gotten: " + "%s %s" %(LABEL,label_retrieved)) -class SmackMmapLabel(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_add_mmap_label(self): '''Test if chsmack can correctly set a SMACK mmap label''' 
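Review bot: `re.split("access=\"", output)[1][:-1]` in `test_add_access_label` takes everything after the first `access="` and drops one trailing character, so it is correct only when the closing quote is the very last character of the `chsmack` output; any further attribute or trailing text ends up in `label_retrieved`. The match found just above is then used only as a presence check. Capturing the value directly is tighter: `m = re.search(r'access="([^"]+)"', output)` and `label_retrieved = m.group(1)`; the raw-string prefix also avoids the invalid-escape warning that `\S` in a plain string literal raises on newer Python versions. The same construction is repeated for `execute=`, `mmap=` and `transmute=` in the next three hunks.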
@@ -93,19 +86,17 @@ class SmackMmapLabel(SmackBasicTest): "Status and output: %d %s" %(status, output)) status, output = self.target.run("chsmack %s" %filename) self.target.run("rm %s" %filename) - m = re.search('(?<=mmap=")\S+(?=")', output) + m = re.search('(mmap=")\S+(?=")', output) if m is None: self.fail("Did not find mmap attribute") else: - label_retrieved = m.group(0) + label_retrieved = re.split("mmap=\"", output)[1][:-1] self.assertEqual( LABEL, label_retrieved, "label not set correctly. expected and gotten: " + "%s %s" %(LABEL,label_retrieved)) -class SmackTransmutable(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_add_transmutable(self): '''Test if chsmack can correctly set a SMACK transmutable mode''' @@ -117,19 +108,17 @@ class SmackTransmutable(SmackBasicTest): "Status and output: %d %s" %(status, output)) status, output = self.target.run("chsmack %s" %directory) self.target.run("rmdir %s" %directory) - m = re.search('(?<=transmute=")\S+(?=")', output) + m = re.search('(transmute=")\S+(?=")', output) if m is None: self.fail("Did not find transmute attribute") else: - label_retrieved = m.group(0) + label_retrieved = re.split("transmute=\"", output)[1][:-1] self.assertEqual( "TRUE", label_retrieved, "label not set correctly. expected and gotten: " + "%s %s" %(LABEL,label_retrieved)) -class SmackChangeSelfLabelPrivilege(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_privileged_change_self_label(self): '''Test if privileged process (with CAP_MAC_ADMIN privilege) 
@@ -137,16 +126,14 @@ class SmackChangeSelfLabelPrivilege(SmackBasicTest): ''' labelf = "/proc/self/attr/current" - command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf) + command = "/bin/sh -c 'echo PRIVILEGED >%s'; cat %s" %(labelf, labelf) status, output = self.target.run( - "notroot.py 0 %s %s" %(self.current_label, command)) + "/usr/sbin/notroot.py 0 %s %s" %(self.current_label, command)) self.assertIn("PRIVILEGED", output, "Privilege process did not change label.Output: %s" %output) -class SmackChangeSelfLabelUnprivilege(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_unprivileged_change_self_label(self): '''Test if unprivileged process (without CAP_MAC_ADMIN privilege) @@ -154,7 +141,7 @@ class SmackChangeSelfLabelUnprivilege(SmackBasicTest): command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL status, output = self.target.run( - "notroot.py %d %s %s" + "/usr/sbin/notroot.py %d %s %s" %(self.uid, self.current_label, command) + " 2>&1 | grep 'Operation not permitted'" ) @@ -163,8 +150,6 @@ class SmackChangeSelfLabelUnprivilege(SmackBasicTest): "Unprivileged process should not be able to change its label") -class SmackChangeFileLabelPrivilege(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_unprivileged_change_file_label(self): '''Test if unprivileged process cannot change file labels''' 
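Review bot: Moving `cat %s` outside the single quotes in `test_privileged_change_self_label` means the shell on the target splits the line at `;`, so `cat /proc/self/attr/current` no longer runs inside the `/bin/sh` started through `notroot.py` but as a separate process of the outer shell. `assertIn("PRIVILEGED", output)` then sees the label of that outer process rather than of the process that wrote the new label, which looks like it changes what the test proves; how `notroot.py` handles its arguments is not visible here, so this needs confirming on a target. If the intent is to read the label back from the relabelled process, keep both commands inside the quoted `sh -c` string, or add a comment stating why the read was moved out.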
@@ -174,17 +159,15 @@ class SmackChangeFileLabelPrivilege(SmackBasicTest): filename = "/tmp/test_unprivileged_change_file_label" self.target.run("touch %s" % filename) - self.target.run("notroot.py %d %s" %(self.uid, self.current_label)) + self.target.run("/usr/sbin/notroot.py %d %s" %(self.uid, self.current_label)) status, output = self.target.run( - "notroot.py " + + "/usr/sbin/notroot.py " + "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) + "| grep 'Operation not permitted'" ) self.target.run("rm %s" % filename) self.assertEqual( status, 0, "Unprivileged process changed label for %s" %filename) -class SmackLoadRule(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_load_smack_rule(self): '''Test if new smack access rules can be loaded''' @@ -211,8 +194,6 @@ class SmackLoadRule(SmackBasicTest): self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path)) -class SmackOnlycap(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_onlycap(self): '''Test if smack onlycap label can be set @@ -223,7 +204,6 @@ class SmackOnlycap(SmackBasicTest): status, output = self.target.run("sh /usr/sbin/test_smack_onlycap.sh") self.assertEqual(status, 0, output) -class SmackNetlabel(SmackBasicTest): @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_netlabel(self): @@ -246,7 +226,6 @@ class SmackNetlabel(SmackBasicTest): test_label, output, "Did not find expected label in output: %s" %output) -class SmackCipso(SmackBasicTest): @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_cipso(self): @@ -287,7 +266,6 @@ class SmackCipso(SmackBasicTest): self.assertEqual(status, 0, "Cipso rule C was not set") self.assertIn("/17,33", output, "Rule C was not set correctly") -class SmackDirect(SmackBasicTest): @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_direct(self): 
@@ -308,8 +286,6 @@ class SmackDirect(SmackBasicTest): "Smack direct label does not match.") -class SmackAmbient(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_ambient(self): test_ambient = "test_ambient" @@ -330,8 +306,6 @@ class SmackAmbient(SmackBasicTest): "Ambient label does not match") -class SmackloadBinary(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smackload(self): '''Test if smackload command works''' @@ -345,8 +319,6 @@ class SmackloadBinary(SmackBasicTest): self.assertEqual(status, 0, "Smackload rule was loaded correctly") -class SmackcipsoBinary(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smackcipso(self): '''Test if smackcipso command works''' @@ -362,8 +334,6 @@ class SmackcipsoBinary(SmackBasicTest): self.assertIn( "2/2", output, "Rule was not set correctly. Got: %s" %output) -class SmackEnforceFileAccess(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_enforce_file_access(self): '''Test if smack file access is enforced (rwx) 
@@ -375,82 +345,6 @@ class SmackEnforceFileAccess(SmackBasicTest): self.assertEqual(status, 0, output) -class SmackEnforceMmap(SmackBasicTest): - - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) - def test_smack_mmap_enforced(self): - '''Test if smack mmap access is enforced''' - raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.") - - # 12345678901234567890123456789012345678901234567890123456 - delr1="mmap_label mmap_test_label1 -----" - delr2="mmap_label mmap_test_label2 -----" - delr3="mmap_file_label mmap_test_label1 -----" - delr4="mmap_file_label mmap_test_label2 -----" - - RuleA="mmap_label mmap_test_label1 rw---" - RuleB="mmap_label mmap_test_label2 r--at" - RuleC="mmap_file_label mmap_test_label1 rw---" - RuleD="mmap_file_label mmap_test_label2 rwxat" - - mmap_label="mmap_label" - file_label="mmap_file_label" - test_file = "/usr/sbin/smack_test_mmap" - mmap_exe = "/tmp/mmap_test" - status, echo = self.target.run("which echo") - status, output = self.target.run( - "notroot.py %d %s %s 'test' > %s" \ - %(self.uid, self.current_label, echo, test_file)) - status, output = self.target.run("ls %s" %test_file) - self.assertEqual(status, 0, "Could not create mmap test file") - self.target.run("chsmack -m %s %s" %(file_label, test_file)) - self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe)) - - # test with no rules with mmap label or exec label as subject - # access should be granted - self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path)) - self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path)) - self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path)) - self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path)) - status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) - self.assertEqual( - status, 0, - "Should have mmap access without rules. 
Output: %s" %output) - - # add rules that do not match access required - self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path)) - self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path)) - status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) - self.assertNotEqual( - status, 0, - "Should not have mmap access with unmatching rules. " + - "Output: %s" %output) - self.assertIn( - "Permission denied", output, - "Mmap access should be denied with unmatching rules") - - # add rule to match only partially (one way) - self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path)) - status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) - self.assertNotEqual( - status, 0, - "Should not have mmap access with partial matching rules. " + - "Output: %s" %output) - self.assertIn( - "Permission denied", output, - "Mmap access should be denied with partial matching rules") - - # add rule to match fully - self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path)) - status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) - self.assertEqual( - status, 0, - "Should have mmap access with full matching rules." + - "Output: %s" %output) - - -class SmackEnforceTransmutable(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_transmute_dir(self): '''Test if smack transmute attribute works @@ -473,8 +367,6 @@ class SmackEnforceTransmutable(SmackBasicTest): "Did not get expected label. Output: %s" % output) -class SmackTcpSockets(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_tcp_sockets(self): '''Test if smack is enforced on tcp sockets @@ -485,8 +377,6 @@ class SmackTcpSockets(SmackBasicTest): self.assertEqual(status, 0, output) -class SmackUdpSockets(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_udp_sockets(self): '''Test if smack is enforced on udp sockets 
@@ -497,8 +387,6 @@ class SmackUdpSockets(SmackBasicTest): self.assertEqual(status, 0, output) -class SmackFileLabels(SmackBasicTest): - @OETestDepends(['smack.SmackBasicTest.test_smack_basic']) def test_smack_labels(self): '''Check for correct Smack labels.''' diff --git a/lib/oeqa/runtime/cases/sssd.py b/lib/oeqa/runtime/cases/sssd.py index 4644836..1dfdb94 100644 --- a/lib/oeqa/runtime/cases/sssd.py +++ b/lib/oeqa/runtime/cases/sssd.py @@ -28,10 +28,10 @@ class SSSDTest(OERuntimeTestCase): @OETestDepends(['sssd.SSSDTest.test_sssd_sssctl_conf_perms_chk']) def test_sssd_sssctl_deamon(self): - status, output = self.target.run('sssctl domain-status') + status, output = self.target.run('sssctl domain-list') match = re.search('No domains configured, fatal error!', output) if match: - msg = ('sssctl domain-status failed, sssd.conf not setup correctly. ' + msg = ('sssctl domain-list failed, sssd.conf not setup correctly. ' 'Status and output:%s and %s' % (status, output)) self.assertEqual(status, 0, msg = msg) |