xref: /OK3568_Linux_fs/buildroot/support/testing/tests/core/test_hardening.py (revision 4882a59341e53eb6f0b4789bf948001014eff981)
1import os
2import json
3
4import infra.basetest
5
6
class TestHardeningBase(infra.basetest.BRTest):
    """Shared build fragment and checksec helper for the hardening tests.

    The fragment selects an external powerpc64 (e5500) glibc toolchain,
    enables lighttpd and the host checksec package, and leaves the tar rootfs
    unset. Subclasses append one hardening option to ``config`` and assert on
    what checksec reports for every entry of ``checksec_files``.
    """

    # NOTE(review): the toolchain tarball is downloaded from the URL in the
    # fragment below and no checksum for it appears in this file -- confirm
    # where (or whether) its integrity is verified before relying on results
    # produced with it.
    config = (
        """
        BR2_powerpc64=y
        BR2_powerpc_e5500=y
        BR2_TOOLCHAIN_EXTERNAL=y
        BR2_TOOLCHAIN_EXTERNAL_CUSTOM=y
        BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
        BR2_TOOLCHAIN_EXTERNAL_URL="https://toolchains.bootlin.com/downloads/releases/toolchains/powerpc64-e5500/tarballs/powerpc64-e5500--glibc--stable-2018.02-2.tar.bz2"
        BR2_TOOLCHAIN_EXTERNAL_GCC_6=y
        BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_1=y
        BR2_TOOLCHAIN_EXTERNAL_CUSTOM_GLIBC=y
        BR2_TOOLCHAIN_EXTERNAL_CXX=y
        BR2_PACKAGE_LIGHTTPD=y
        BR2_PACKAGE_HOST_CHECKSEC=y
        # BR2_TARGET_ROOTFS_TAR is not set
        """
    )

    # Paths relative to <builddir>/target. Only these two binaries are
    # inspected, so a passing test says nothing about other files in the image.
    checksec_files = ["usr/sbin/lighttpd", "bin/busybox"]

    def checksec_run(self, target_file):
        """Run the host checksec tool on one target file and parse its report.

        Args:
            target_file: path of the file relative to ``<builddir>/target``.

        Returns:
            The object produced by ``json.loads`` on checksec's output. The
            test methods in this file index it by the full joined path of the
            file and then by property name.
        """
        elf_path = os.path.join(self.builddir, "target", target_file)
        checksec_argv = [
            "host/bin/checksec",
            "--format=json",
            "--file=" + elf_path,
        ]
        # checksec is used purely for static ELF analysis here; nothing in
        # this testing assumes target-side or run-time checks.
        raw_report = infra.run_cmd_on_host(self.builddir, checksec_argv)
        return json.loads(raw_report)
35
36
class TestRelro(TestHardeningBase):
    """Build with BR2_RELRO_FULL and expect full RELRO plus PIE on each binary."""

    # NOTE(review): the fragment sets only BR2_RELRO_FULL, yet test_run also
    # asserts PIE. Presumably the full-RELRO option enables BR2_PIC_PIE --
    # confirm against the Kconfig definition.
    config = (
        TestHardeningBase.config
        + """
        BR2_RELRO_FULL=y
        """
    )

    def test_run(self):
        """Check that checksec reports relro "full" and pie "yes" for every file."""
        for rel_path in self.checksec_files:
            report = self.checksec_run(rel_path)
            # The report is keyed by the same joined path passed to checksec.
            report_key = os.path.join(self.builddir, "target", rel_path)
            props = report[report_key]
            self.assertEqual(props["relro"], "full")
            self.assertEqual(props["pie"], "yes")
49
50
class TestRelroPartial(TestHardeningBase):
    """Build with BR2_RELRO_PARTIAL and PIE unset; expect partial RELRO, no PIE.

    This pins the weaker configuration, so it also shows that the checksec
    report follows the selected options rather than always reading "full".
    """

    config = (
        TestHardeningBase.config
        + """
        BR2_RELRO_PARTIAL=y
        # BR2_PIC_PIE is not set
        """
    )

    def test_run(self):
        """Check that checksec reports relro "partial" and pie "no" for every file."""
        for rel_path in self.checksec_files:
            report = self.checksec_run(rel_path)
            # The report is keyed by the same joined path passed to checksec.
            report_key = os.path.join(self.builddir, "target", rel_path)
            props = report[report_key]
            self.assertEqual(props["relro"], "partial")
            self.assertEqual(props["pie"], "no")
64
65
class TestSspNone(TestHardeningBase):
    """Build with BR2_SSP_NONE and expect checksec to find no stack canary."""

    config = (
        TestHardeningBase.config
        + """
        BR2_SSP_NONE=y
        """
    )

    def test_run(self):
        """Check that checksec reports canary "no" for every inspected file."""
        for rel_path in self.checksec_files:
            report = self.checksec_run(rel_path)
            # The report is keyed by the same joined path passed to checksec.
            report_key = os.path.join(self.builddir, "target", rel_path)
            self.assertEqual(report[report_key]["canary"], "no")
77
78
class TestSspStrong(TestHardeningBase):
    """Build with BR2_SSP_STRONG and expect checksec to find a stack canary.

    The assertion is a plain "yes": it shows that a canary is present, but it
    cannot tell the strong level apart from any other SSP level that would
    also make checksec answer "yes".
    """

    config = (
        TestHardeningBase.config
        + """
        BR2_SSP_STRONG=y
        """
    )

    def test_run(self):
        """Check that checksec reports canary "yes" for every inspected file."""
        for rel_path in self.checksec_files:
            report = self.checksec_run(rel_path)
            # The report is keyed by the same joined path passed to checksec.
            report_key = os.path.join(self.builddir, "target", rel_path)
            self.assertEqual(report[report_key]["canary"], "yes")
90
91
class TestFortifyNone(TestHardeningBase):
    """Build with BR2_FORTIFY_SOURCE_NONE and expect no fortified functions."""

    config = (
        TestHardeningBase.config
        + """
        BR2_FORTIFY_SOURCE_NONE=y
        """
    )

    def test_run(self):
        """Check that checksec reports fortified "0" for every inspected file."""
        for rel_path in self.checksec_files:
            report = self.checksec_run(rel_path)
            # The report is keyed by the same joined path passed to checksec.
            report_key = os.path.join(self.builddir, "target", rel_path)
            # The value is compared as the string "0", not the integer 0.
            self.assertEqual(report[report_key]["fortified"], "0")
103
104
class TestFortifyConserv(TestHardeningBase):
    """Build with BR2_FORTIFY_SOURCE_1 and expect some fortified functions.

    The check is only "not the string 0": any other value passes, so it does
    not distinguish fortify level 1 from a higher level, nor does it bound how
    many functions were fortified.
    """

    config = (
        TestHardeningBase.config
        + """
        BR2_FORTIFY_SOURCE_1=y
        """
    )

    def test_run(self):
        """Check that checksec's fortified value differs from "0" for every file."""
        for rel_path in self.checksec_files:
            report = self.checksec_run(rel_path)
            # The report is keyed by the same joined path passed to checksec.
            report_key = os.path.join(self.builddir, "target", rel_path)
            self.assertNotEqual(report[report_key]["fortified"], "0")
116