Security test for compilation flags

Signed-off-by: Daniel Madej <daniel.madej@intel.com>
2020-07-16 16:41:16 +02:00 · 2020-07-16 16:41:16 +02:00 · cd8892f775
commit cd8892f775
parent 94dda3a7d5
1 changed files with 60 additions and 0 deletions
--- a/test/functional/tests/security/test_compilation_flags.py
+++ b/test/functional/tests/security/test_compilation_flags.py
@ -0,0 +1,60 @@
+#
+# Copyright(c) 2019-2020 Intel Corporation
+# SPDX-License-Identifier: BSD-3-Clause-Clear
+#
+
+import os
+import re
+
+from core.test_run import TestRun
+from test_tools.fs_utils import Permissions, PermissionsUsers, PermissionSign
+from test_utils.filesystem.fs_item import FsItem
+
+
+def test_checksec():
+    """
+        title: Checking defenses enabled compilation flags.
+        description: |
+          Check if Open CAS executable file was compiled with defenses enabled compilation flags.
+        pass_criteria:
+          - For casadm script returns:
+            RELRO       STACK CANARY  NX          PIE          RPATH     RUNPATH     FILE
+            Full RELRO  Canary found  NX enabled  PIE enabled  No RPATH  No RUNPATH  /sbin/casadm.
+    """
+    with TestRun.step("Prepare checksec script"):
+        checksec_path = os.path.join(
+            TestRun.usr.working_dir,
+            "test/functional/test-framework/test_tools/checksec.sh"
+        )
+        checksec = FsItem(checksec_path)
+        checksec.chmod(Permissions.x, PermissionsUsers.u, PermissionSign.add)
+
+    with TestRun.step("Check casadm compilation flags"):
+        casadm_binary = "/sbin/casadm"
+        header_expected = ["RELRO", "STACK CANARY", "NX", "PIE", "RPATH", "RUNPATH", "FILE"]
+        binary_expected = ["Full RELRO", "Canary found", "NX enabled", "PIE enabled", "No RPATH",
+                           "No RUNPATH", casadm_binary]
+        result_lines = TestRun.executor.run_expect_success(
+            f'{checksec_path} --file {casadm_binary}').stdout.splitlines()
+        header_found = False
+        for line in result_lines:
+            if not header_found:
+                if line.startswith("RELRO"):
+                    header_found = True
+                    header = line
+                continue
+            # remove formatting from output
+            result = re.sub(r'\x1B\[[0-9;]*m', '', line)
+            break
+        header = [i.strip() for i in header.split("  ") if i != '']
+        if header != header_expected:
+            TestRun.LOGGER.error(
+                'Incorrect header detected!\n'
+                f'Expected: {"  ".join(header_expected)},\n'
+                f'Actual:   {"  ".join(header)}')
+        result = [i.strip() for i in result.split("  ") if i != '']
+        if result != binary_expected:
+            TestRun.LOGGER.error(
+                'Incorrect compilation flags!\n'
+                f'Expected: {"  ".join(binary_expected)},\n'
+                f'Actual:   {"  ".join(result)}')