4 This tool is for checking the security hardening options of the Linux kernel.
6 Author: Alexander Popov <alex.popov@linux.com>
8 This module performs unit-testing of the kconfig-hardened-check engine.
11 # pylint: disable=missing-function-docstring,line-too-long
16 from collections import OrderedDict
18 from .engine import KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND, populate_with_data, perform_checks, override_expected_value
21 class TestEngine(unittest.TestCase):
23 Example test scenario:
25 # 1. prepare the checklist
27 config_checklist += [KconfigCheck('reason_1', 'decision_1', 'KCONFIG_NAME', 'expected_1')]
28 config_checklist += [CmdlineCheck('reason_2', 'decision_2', 'cmdline_name', 'expected_2')]
29 config_checklist += [SysctlCheck('reason_3', 'decision_3', 'sysctl_name', 'expected_3')]
31 # 2. prepare the parsed kconfig options
32 parsed_kconfig_options = OrderedDict()
33 parsed_kconfig_options['CONFIG_KCONFIG_NAME'] = 'UNexpected_1'
35 # 3. prepare the parsed cmdline options
36 parsed_cmdline_options = OrderedDict()
37 parsed_cmdline_options['cmdline_name'] = 'expected_2'
39 # 4. prepare the parsed sysctl options
40 parsed_sysctl_options = OrderedDict()
41 parsed_sysctl_options['sysctl_name'] = 'expected_3'
43 # 5. prepare the kernel version
44 kernel_version = (42, 43)
47 self.run_engine(config_checklist, parsed_kconfig_options, parsed_cmdline_options, parsed_sysctl_options, kernel_version)
49 # 7. check that the results are correct
51 self.get_engine_result(config_checklist, result, 'json')
56 def run_engine(checklist, parsed_kconfig_options, parsed_cmdline_options, parsed_sysctl_options, kernel_version):
57 # populate the checklist with data
58 if parsed_kconfig_options:
59 populate_with_data(checklist, parsed_kconfig_options, 'kconfig')
60 if parsed_cmdline_options:
61 populate_with_data(checklist, parsed_cmdline_options, 'cmdline')
62 if parsed_sysctl_options:
63 populate_with_data(checklist, parsed_sysctl_options, 'sysctl')
65 populate_with_data(checklist, kernel_version, 'version')
67 # now everything is ready, perform the checks
68 perform_checks(checklist)
70 # print the table with the results
73 opt.table_print('verbose', True) # verbose mode, with_results
77 # print the results in JSON
81 result.append(opt.json_dump(True)) # with_results
82 print(json.dumps(result))
86 def get_engine_result(checklist, result, result_type):
87 assert(result_type in ('json', 'stdout', 'stdout_verbose')), \
88 f'invalid result type "{result_type}"'
90 if result_type == 'json':
92 result.append(opt.json_dump(True)) # with_results
95 captured_output = io.StringIO()
96 stdout_backup = sys.stdout
97 sys.stdout = captured_output
99 if result_type == 'stdout_verbose':
100 opt.table_print('verbose', True) # verbose mode, with_results
102 opt.table_print(None, True) # normal mode, with_results
103 sys.stdout = stdout_backup
104 result.append(captured_output.getvalue())
106 def test_simple_kconfig(self):
107 # 1. prepare the checklist
108 config_checklist = []
109 config_checklist += [KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1')]
110 config_checklist += [KconfigCheck('reason_2', 'decision_2', 'NAME_2', 'expected_2')]
111 config_checklist += [KconfigCheck('reason_3', 'decision_3', 'NAME_3', 'expected_3')]
112 config_checklist += [KconfigCheck('reason_4', 'decision_4', 'NAME_4', 'is not set')]
113 config_checklist += [KconfigCheck('reason_5', 'decision_5', 'NAME_5', 'is present')]
114 config_checklist += [KconfigCheck('reason_6', 'decision_6', 'NAME_6', 'is present')]
115 config_checklist += [KconfigCheck('reason_7', 'decision_7', 'NAME_7', 'is not off')]
116 config_checklist += [KconfigCheck('reason_8', 'decision_8', 'NAME_8', 'is not off')]
117 config_checklist += [KconfigCheck('reason_9', 'decision_9', 'NAME_9', 'is not off')]
118 config_checklist += [KconfigCheck('reason_10', 'decision_10', 'NAME_10', 'is not off')]
120 # 2. prepare the parsed kconfig options
121 parsed_kconfig_options = OrderedDict()
122 parsed_kconfig_options['CONFIG_NAME_1'] = 'expected_1'
123 parsed_kconfig_options['CONFIG_NAME_2'] = 'UNexpected_2'
124 parsed_kconfig_options['CONFIG_NAME_5'] = 'UNexpected_5'
125 parsed_kconfig_options['CONFIG_NAME_7'] = 'really_not_off'
126 parsed_kconfig_options['CONFIG_NAME_8'] = 'off'
127 parsed_kconfig_options['CONFIG_NAME_9'] = '0'
130 self.run_engine(config_checklist, parsed_kconfig_options, None, None, None)
132 # 4. check that the results are correct
134 self.get_engine_result(config_checklist, result, 'json')
137 [["CONFIG_NAME_1", "kconfig", "expected_1", "decision_1", "reason_1", "OK"],
138 ["CONFIG_NAME_2", "kconfig", "expected_2", "decision_2", "reason_2", "FAIL: \"UNexpected_2\""],
139 ["CONFIG_NAME_3", "kconfig", "expected_3", "decision_3", "reason_3", "FAIL: is not found"],
140 ["CONFIG_NAME_4", "kconfig", "is not set", "decision_4", "reason_4", "OK: is not found"],
141 ["CONFIG_NAME_5", "kconfig", "is present", "decision_5", "reason_5", "OK: is present"],
142 ["CONFIG_NAME_6", "kconfig", "is present", "decision_6", "reason_6", "FAIL: is not present"],
143 ["CONFIG_NAME_7", "kconfig", "is not off", "decision_7", "reason_7", "OK: is not off, \"really_not_off\""],
144 ["CONFIG_NAME_8", "kconfig", "is not off", "decision_8", "reason_8", "FAIL: is off"],
145 ["CONFIG_NAME_9", "kconfig", "is not off", "decision_9", "reason_9", "FAIL: is off, \"0\""],
146 ["CONFIG_NAME_10", "kconfig", "is not off", "decision_10", "reason_10", "FAIL: is off, not found"]]
149 def test_simple_cmdline(self):
150 # 1. prepare the checklist
151 config_checklist = []
152 config_checklist += [CmdlineCheck('reason_1', 'decision_1', 'name_1', 'expected_1')]
153 config_checklist += [CmdlineCheck('reason_2', 'decision_2', 'name_2', 'expected_2')]
154 config_checklist += [CmdlineCheck('reason_3', 'decision_3', 'name_3', 'expected_3')]
155 config_checklist += [CmdlineCheck('reason_4', 'decision_4', 'name_4', 'is not set')]
156 config_checklist += [CmdlineCheck('reason_5', 'decision_5', 'name_5', 'is present')]
157 config_checklist += [CmdlineCheck('reason_6', 'decision_6', 'name_6', 'is present')]
158 config_checklist += [CmdlineCheck('reason_7', 'decision_7', 'name_7', 'is not off')]
159 config_checklist += [CmdlineCheck('reason_8', 'decision_8', 'name_8', 'is not off')]
160 config_checklist += [CmdlineCheck('reason_9', 'decision_9', 'name_9', 'is not off')]
161 config_checklist += [CmdlineCheck('reason_10', 'decision_10', 'name_10', 'is not off')]
163 # 2. prepare the parsed cmdline options
164 parsed_cmdline_options = OrderedDict()
165 parsed_cmdline_options['name_1'] = 'expected_1'
166 parsed_cmdline_options['name_2'] = 'UNexpected_2'
167 parsed_cmdline_options['name_5'] = ''
168 parsed_cmdline_options['name_7'] = ''
169 parsed_cmdline_options['name_8'] = 'off'
170 parsed_cmdline_options['name_9'] = '0'
173 self.run_engine(config_checklist, None, parsed_cmdline_options, None, None)
175 # 4. check that the results are correct
177 self.get_engine_result(config_checklist, result, 'json')
180 [["name_1", "cmdline", "expected_1", "decision_1", "reason_1", "OK"],
181 ["name_2", "cmdline", "expected_2", "decision_2", "reason_2", "FAIL: \"UNexpected_2\""],
182 ["name_3", "cmdline", "expected_3", "decision_3", "reason_3", "FAIL: is not found"],
183 ["name_4", "cmdline", "is not set", "decision_4", "reason_4", "OK: is not found"],
184 ["name_5", "cmdline", "is present", "decision_5", "reason_5", "OK: is present"],
185 ["name_6", "cmdline", "is present", "decision_6", "reason_6", "FAIL: is not present"],
186 ["name_7", "cmdline", "is not off", "decision_7", "reason_7", "OK: is not off, \"\""],
187 ["name_8", "cmdline", "is not off", "decision_8", "reason_8", "FAIL: is off"],
188 ["name_9", "cmdline", "is not off", "decision_9", "reason_9", "FAIL: is off, \"0\""],
189 ["name_10", "cmdline", "is not off", "decision_10", "reason_10", "FAIL: is off, not found"]]
192 def test_complex_or(self):
193 # 1. prepare the checklist
194 config_checklist = []
195 config_checklist += [OR(KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1'),
196 KconfigCheck('reason_2', 'decision_2', 'NAME_2', 'expected_2'))]
197 config_checklist += [OR(KconfigCheck('reason_3', 'decision_3', 'NAME_3', 'expected_3'),
198 KconfigCheck('reason_4', 'decision_4', 'NAME_4', 'expected_4'))]
199 config_checklist += [OR(KconfigCheck('reason_5', 'decision_5', 'NAME_5', 'expected_5'),
200 KconfigCheck('reason_6', 'decision_6', 'NAME_6', 'expected_6'))]
201 config_checklist += [OR(KconfigCheck('reason_6', 'decision_6', 'NAME_6', 'expected_6'),
202 KconfigCheck('reason_7', 'decision_7', 'NAME_7', 'is not set'))]
203 config_checklist += [OR(KconfigCheck('reason_8', 'decision_8', 'NAME_8', 'expected_8'),
204 KconfigCheck('reason_9', 'decision_9', 'NAME_9', 'is present'))]
205 config_checklist += [OR(KconfigCheck('reason_10', 'decision_10', 'NAME_10', 'expected_10'),
206 KconfigCheck('reason_11', 'decision_11', 'NAME_11', 'is not off'))]
208 # 2. prepare the parsed kconfig options
209 parsed_kconfig_options = OrderedDict()
210 parsed_kconfig_options['CONFIG_NAME_1'] = 'expected_1'
211 parsed_kconfig_options['CONFIG_NAME_2'] = 'UNexpected_2'
212 parsed_kconfig_options['CONFIG_NAME_3'] = 'UNexpected_3'
213 parsed_kconfig_options['CONFIG_NAME_4'] = 'expected_4'
214 parsed_kconfig_options['CONFIG_NAME_5'] = 'UNexpected_5'
215 parsed_kconfig_options['CONFIG_NAME_6'] = 'UNexpected_6'
216 parsed_kconfig_options['CONFIG_NAME_9'] = 'UNexpected_9'
217 parsed_kconfig_options['CONFIG_NAME_11'] = 'really_not_off'
220 self.run_engine(config_checklist, parsed_kconfig_options, None, None, None)
222 # 4. check that the results are correct
224 self.get_engine_result(config_checklist, result, 'json')
227 [["CONFIG_NAME_1", "kconfig", "expected_1", "decision_1", "reason_1", "OK"],
228 ["CONFIG_NAME_3", "kconfig", "expected_3", "decision_3", "reason_3", "OK: CONFIG_NAME_4 is \"expected_4\""],
229 ["CONFIG_NAME_5", "kconfig", "expected_5", "decision_5", "reason_5", "FAIL: \"UNexpected_5\""],
230 ["CONFIG_NAME_6", "kconfig", "expected_6", "decision_6", "reason_6", "OK: CONFIG_NAME_7 is not found"],
231 ["CONFIG_NAME_8", "kconfig", "expected_8", "decision_8", "reason_8", "OK: CONFIG_NAME_9 is present"],
232 ["CONFIG_NAME_10", "kconfig", "expected_10", "decision_10", "reason_10", "OK: CONFIG_NAME_11 is not off"]]
235 def test_complex_and(self):
236 # 1. prepare the checklist
237 config_checklist = []
238 config_checklist += [AND(KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1'),
239 KconfigCheck('reason_2', 'decision_2', 'NAME_2', 'expected_2'))]
240 config_checklist += [AND(KconfigCheck('reason_3', 'decision_3', 'NAME_3', 'expected_3'),
241 KconfigCheck('reason_4', 'decision_4', 'NAME_4', 'expected_4'))]
242 config_checklist += [AND(KconfigCheck('reason_5', 'decision_5', 'NAME_5', 'expected_5'),
243 KconfigCheck('reason_6', 'decision_6', 'NAME_6', 'expected_6'))]
244 config_checklist += [AND(KconfigCheck('reason_8', 'decision_8', 'NAME_8', 'expected_8'),
245 KconfigCheck('reason_9', 'decision_9', 'NAME_9', 'is present'))]
246 config_checklist += [AND(KconfigCheck('reason_10', 'decision_10', 'NAME_10', 'expected_10'),
247 KconfigCheck('reason_11', 'decision_11', 'NAME_11', 'is not off'))]
248 config_checklist += [AND(KconfigCheck('reason_12', 'decision_12', 'NAME_12', 'expected_12'),
249 KconfigCheck('reason_13', 'decision_13', 'NAME_13', 'is not off'))]
251 # 2. prepare the parsed kconfig options
252 parsed_kconfig_options = OrderedDict()
253 parsed_kconfig_options['CONFIG_NAME_1'] = 'expected_1'
254 parsed_kconfig_options['CONFIG_NAME_2'] = 'expected_2'
255 parsed_kconfig_options['CONFIG_NAME_3'] = 'expected_3'
256 parsed_kconfig_options['CONFIG_NAME_4'] = 'UNexpected_4'
257 parsed_kconfig_options['CONFIG_NAME_5'] = 'UNexpected_5'
258 parsed_kconfig_options['CONFIG_NAME_6'] = 'expected_6'
259 parsed_kconfig_options['CONFIG_NAME_8'] = 'expected_8'
260 parsed_kconfig_options['CONFIG_NAME_10'] = 'expected_10'
261 parsed_kconfig_options['CONFIG_NAME_11'] = '0'
262 parsed_kconfig_options['CONFIG_NAME_12'] = 'expected_12'
265 self.run_engine(config_checklist, parsed_kconfig_options, None, None, None)
267 # 4. check that the results are correct
269 self.get_engine_result(config_checklist, result, 'json')
272 [["CONFIG_NAME_1", "kconfig", "expected_1", "decision_1", "reason_1", "OK"],
273 ["CONFIG_NAME_3", "kconfig", "expected_3", "decision_3", "reason_3", "FAIL: CONFIG_NAME_4 is not \"expected_4\""],
274 ["CONFIG_NAME_5", "kconfig", "expected_5", "decision_5", "reason_5", "FAIL: \"UNexpected_5\""],
275 ["CONFIG_NAME_8", "kconfig", "expected_8", "decision_8", "reason_8", "FAIL: CONFIG_NAME_9 is not present"],
276 ["CONFIG_NAME_10", "kconfig", "expected_10", "decision_10", "reason_10", "FAIL: CONFIG_NAME_11 is off"],
277 ["CONFIG_NAME_12", "kconfig", "expected_12", "decision_12", "reason_12", "FAIL: CONFIG_NAME_13 is off, not found"]]
280 def test_version(self):
281 # 1. prepare the checklist
282 config_checklist = []
283 config_checklist += [OR(KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1'),
284 VersionCheck((41, 101)))]
285 config_checklist += [AND(KconfigCheck('reason_2', 'decision_2', 'NAME_2', 'expected_2'),
286 VersionCheck((44, 1)))]
287 config_checklist += [AND(KconfigCheck('reason_3', 'decision_3', 'NAME_3', 'expected_3'),
288 VersionCheck((42, 44)))]
289 config_checklist += [OR(KconfigCheck('reason_4', 'decision_4', 'NAME_4', 'expected_4'),
290 VersionCheck((42, 43)))]
292 # 2. prepare the parsed kconfig options
293 parsed_kconfig_options = OrderedDict()
294 parsed_kconfig_options['CONFIG_NAME_2'] = 'expected_2'
295 parsed_kconfig_options['CONFIG_NAME_3'] = 'expected_3'
297 # 3. prepare the kernel version
298 kernel_version = (42, 43)
301 self.run_engine(config_checklist, parsed_kconfig_options, None, None, kernel_version)
303 # 5. check that the results are correct
305 self.get_engine_result(config_checklist, result, 'json')
308 [["CONFIG_NAME_1", "kconfig", "expected_1", "decision_1", "reason_1", "OK: version >= 41.101"],
309 ["CONFIG_NAME_2", "kconfig", "expected_2", "decision_2", "reason_2", "FAIL: version < 44.1"],
310 ["CONFIG_NAME_3", "kconfig", "expected_3", "decision_3", "reason_3", "FAIL: version < 42.44"],
311 ["CONFIG_NAME_4", "kconfig", "expected_4", "decision_4", "reason_4", "OK: version >= 42.43"]]
314 def test_stdout(self):
315 # 1. prepare the checklist
316 config_checklist = []
317 config_checklist += [OR(KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1'),
318 AND(CmdlineCheck('reason_2', 'decision_2', 'name_2', 'expected_2'),
319 KconfigCheck('reason_3', 'decision_3', 'NAME_3', 'expected_3')))]
320 config_checklist += [AND(CmdlineCheck('reason_4', 'decision_4', 'name_4', 'expected_4'),
321 OR(KconfigCheck('reason_5', 'decision_5', 'NAME_5', 'expected_5'),
322 CmdlineCheck('reason_6', 'decision_6', 'name_6', 'expected_6')))]
324 # 2. prepare the parsed cmdline options
325 parsed_cmdline_options = OrderedDict()
326 parsed_cmdline_options['name_4'] = 'expected_4'
327 parsed_cmdline_options['name_6'] = 'UNexpected_6'
330 self.run_engine(config_checklist, None, parsed_cmdline_options, None, None)
332 # 4. check that the results are correct
334 self.get_engine_result(config_checklist, json_result, 'json')
337 [["CONFIG_NAME_1", "kconfig", "expected_1", "decision_1", "reason_1", "FAIL: is not found"],
338 ["name_4", "cmdline", "expected_4", "decision_4", "reason_4", "FAIL: CONFIG_NAME_5 is not \"expected_5\""]]
342 self.get_engine_result(config_checklist, stdout_result, 'stdout')
347 CONFIG_NAME_1 |kconfig| expected_1 |decision_1| reason_1 | FAIL: is not found\
348 name_4 |cmdline| expected_4 |decision_4| reason_4 | FAIL: CONFIG_NAME_5 is not \"expected_5\"\
353 self.get_engine_result(config_checklist, stdout_result, 'stdout_verbose')
358 <<< OR >>> | FAIL: is not found\n\
359 CONFIG_NAME_1 |kconfig| expected_1 |decision_1| reason_1 | FAIL: is not found\n\
360 <<< AND >>> | FAIL: CONFIG_NAME_3 is not \"expected_3\"\n\
361 name_2 |cmdline| expected_2 |decision_2| reason_2 | None\n\
362 CONFIG_NAME_3 |kconfig| expected_3 |decision_3| reason_3 | FAIL: is not found\
365 <<< AND >>> | FAIL: CONFIG_NAME_5 is not \"expected_5\"\n\
366 name_4 |cmdline| expected_4 |decision_4| reason_4 | None\n\
367 <<< OR >>> | FAIL: is not found\n\
368 CONFIG_NAME_5 |kconfig| expected_5 |decision_5| reason_5 | FAIL: is not found\n\
369 name_6 |cmdline| expected_6 |decision_6| reason_6 | FAIL: \"UNexpected_6\"\
373 def test_value_overriding(self):
374 # 1. prepare the checklist
375 config_checklist = []
376 config_checklist += [KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1')]
377 config_checklist += [CmdlineCheck('reason_2', 'decision_2', 'name_2', 'expected_2')]
379 # 2. prepare the parsed kconfig options
380 parsed_kconfig_options = OrderedDict()
381 parsed_kconfig_options['CONFIG_NAME_1'] = 'expected_1_new'
383 # 3. prepare the parsed cmdline options
384 parsed_cmdline_options = OrderedDict()
385 parsed_cmdline_options['name_2'] = 'expected_2_new'
388 self.run_engine(config_checklist, parsed_kconfig_options, parsed_cmdline_options, None, None)
390 # 5. check that the results are correct
392 self.get_engine_result(config_checklist, result, 'json')
395 [["CONFIG_NAME_1", "kconfig", "expected_1", "decision_1", "reason_1", "FAIL: \"expected_1_new\""],
396 ["name_2", "cmdline", "expected_2", "decision_2", "reason_2", "FAIL: \"expected_2_new\""]]
399 # 6. override expected value and perform the checks again
400 override_expected_value(config_checklist, "CONFIG_NAME_1", "expected_1_new")
401 perform_checks(config_checklist)
403 # 7. check that the results are correct
405 self.get_engine_result(config_checklist, result, 'json')
408 [["CONFIG_NAME_1", "kconfig", "expected_1_new", "decision_1", "reason_1", "OK"],
409 ["name_2", "cmdline", "expected_2", "decision_2", "reason_2", "FAIL: \"expected_2_new\""]]
412 # 8. override expected value and perform the checks again
413 override_expected_value(config_checklist, "name_2", "expected_2_new")
414 perform_checks(config_checklist)
416 # 9. check that the results are correct
418 self.get_engine_result(config_checklist, result, 'json')
421 [["CONFIG_NAME_1", "kconfig", "expected_1_new", "decision_1", "reason_1", "OK"],
422 ["name_2", "cmdline", "expected_2_new", "decision_2", "reason_2", "OK"]]