4 This tool helps me to check Linux kernel options against
5 my security hardening preferences for X86_64, ARM64, X86_32, and ARM.
6 Let the computers do their job!
8 Author: Alexander Popov <alex.popov@linux.com>
10 This module performs unit-testing of the kconfig-hardened-check engine.
13 # pylint: disable=missing-function-docstring,line-too-long
16 from collections import OrderedDict
18 from .engine import KconfigCheck, CmdlineCheck, VersionCheck, OR, AND, populate_with_data, perform_checks
21 class TestEngine(unittest.TestCase):
23 Example test scenario:
25 # 1. prepare the checklist
27 config_checklist += [KconfigCheck('reason_1', 'decision_1', 'KCONFIG_NAME', 'expected_1')]
28 config_checklist += [CmdlineCheck('reason_2', 'decision_2', 'cmdline_name', 'expected_2')]
30 # 2. prepare the parsed kconfig options
31 parsed_kconfig_options = OrderedDict()
32 parsed_kconfig_options['CONFIG_KCONFIG_NAME'] = 'UNexpected_1'
34 # 3. prepare the parsed cmdline options
35 parsed_cmdline_options = OrderedDict()
36 parsed_cmdline_options['cmdline_name'] = 'expected_2'
38 # 4. prepare the kernel version
39 kernel_version = (42, 43)
42 self.run_engine(config_checklist, parsed_kconfig_options, parsed_cmdline_options, kernel_version)
44 # 6. check that the results are correct
46 self.get_engine_result(config_checklist, result, 'json')
51 def run_engine(checklist, parsed_kconfig_options, parsed_cmdline_options, kernel_version):
52 # populate the checklist with data
53 if parsed_kconfig_options:
54 populate_with_data(checklist, parsed_kconfig_options, 'kconfig')
55 if parsed_cmdline_options:
56 populate_with_data(checklist, parsed_cmdline_options, 'cmdline')
58 populate_with_data(checklist, kernel_version, 'version')
60 # now everything is ready, perform the checks
61 perform_checks(checklist)
63 # print the table with the results
66 opt.table_print(None, True) # default mode, with_results
69 # print the results in JSON
73 result.append(opt.json_dump(True)) # with_results
74 print(json.dumps(result))
78 def get_engine_result(checklist, result, result_type):
79 assert(result_type in ('table', 'json')), \
80 f'invalid result type "{result_type}"'
81 if result_type == 'json':
83 result.append(opt.json_dump(True)) # with_results
85 def test_single_kconfig(self):
86 # 1. prepare the checklist
88 config_checklist += [KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1')]
89 config_checklist += [KconfigCheck('reason_2', 'decision_2', 'NAME_2', 'expected_2')]
90 config_checklist += [KconfigCheck('reason_3', 'decision_3', 'NAME_3', 'expected_3')]
91 config_checklist += [KconfigCheck('reason_4', 'decision_4', 'NAME_4', 'is not set')]
92 config_checklist += [KconfigCheck('reason_5', 'decision_5', 'NAME_5', 'is present')]
93 config_checklist += [KconfigCheck('reason_6', 'decision_6', 'NAME_6', 'is present')]
94 config_checklist += [KconfigCheck('reason_7', 'decision_7', 'NAME_7', 'is not off')]
95 config_checklist += [KconfigCheck('reason_8', 'decision_8', 'NAME_8', 'is not off')]
96 config_checklist += [KconfigCheck('reason_9', 'decision_9', 'NAME_9', 'is not off')]
97 config_checklist += [KconfigCheck('reason_10', 'decision_10', 'NAME_10', 'is not off')]
99 # 2. prepare the parsed kconfig options
100 parsed_kconfig_options = OrderedDict()
101 parsed_kconfig_options['CONFIG_NAME_1'] = 'expected_1'
102 parsed_kconfig_options['CONFIG_NAME_2'] = 'UNexpected_2'
103 parsed_kconfig_options['CONFIG_NAME_5'] = 'UNexpected_5'
104 parsed_kconfig_options['CONFIG_NAME_7'] = 'really_not_off'
105 parsed_kconfig_options['CONFIG_NAME_8'] = 'off'
106 parsed_kconfig_options['CONFIG_NAME_9'] = '0'
109 self.run_engine(config_checklist, parsed_kconfig_options, None, None)
111 # 4. check that the results are correct
113 self.get_engine_result(config_checklist, result, 'json')
116 [["CONFIG_NAME_1", "kconfig", "expected_1", "decision_1", "reason_1", "OK"],
117 ["CONFIG_NAME_2", "kconfig", "expected_2", "decision_2", "reason_2", "FAIL: \"UNexpected_2\""],
118 ["CONFIG_NAME_3", "kconfig", "expected_3", "decision_3", "reason_3", "FAIL: is not found"],
119 ["CONFIG_NAME_4", "kconfig", "is not set", "decision_4", "reason_4", "OK: is not found"],
120 ["CONFIG_NAME_5", "kconfig", "is present", "decision_5", "reason_5", "OK: is present"],
121 ["CONFIG_NAME_6", "kconfig", "is present", "decision_6", "reason_6", "FAIL: is not present"],
122 ["CONFIG_NAME_7", "kconfig", "is not off", "decision_7", "reason_7", "OK: is not off, \"really_not_off\""],
123 ["CONFIG_NAME_8", "kconfig", "is not off", "decision_8", "reason_8", "FAIL: is off"],
124 ["CONFIG_NAME_9", "kconfig", "is not off", "decision_9", "reason_9", "FAIL: is off, \"0\""],
125 ["CONFIG_NAME_10", "kconfig", "is not off", "decision_10", "reason_10", "FAIL: is off, not found"]]
128 def test_single_cmdline(self):
129 # 1. prepare the checklist
130 config_checklist = []
131 config_checklist += [CmdlineCheck('reason_1', 'decision_1', 'name_1', 'expected_1')]
132 config_checklist += [CmdlineCheck('reason_2', 'decision_2', 'name_2', 'expected_2')]
133 config_checklist += [CmdlineCheck('reason_3', 'decision_3', 'name_3', 'expected_3')]
134 config_checklist += [CmdlineCheck('reason_4', 'decision_4', 'name_4', 'is not set')]
135 config_checklist += [CmdlineCheck('reason_5', 'decision_5', 'name_5', 'is present')]
136 config_checklist += [CmdlineCheck('reason_6', 'decision_6', 'name_6', 'is present')]
137 config_checklist += [CmdlineCheck('reason_7', 'decision_7', 'name_7', 'is not off')]
138 config_checklist += [CmdlineCheck('reason_8', 'decision_8', 'name_8', 'is not off')]
139 config_checklist += [CmdlineCheck('reason_9', 'decision_9', 'name_9', 'is not off')]
140 config_checklist += [CmdlineCheck('reason_10', 'decision_10', 'name_10', 'is not off')]
142 # 2. prepare the parsed cmdline options
143 parsed_cmdline_options = OrderedDict()
144 parsed_cmdline_options['name_1'] = 'expected_1'
145 parsed_cmdline_options['name_2'] = 'UNexpected_2'
146 parsed_cmdline_options['name_5'] = ''
147 parsed_cmdline_options['name_7'] = ''
148 parsed_cmdline_options['name_8'] = 'off'
149 parsed_cmdline_options['name_9'] = '0'
152 self.run_engine(config_checklist, None, parsed_cmdline_options, None)
154 # 4. check that the results are correct
156 self.get_engine_result(config_checklist, result, 'json')
159 [["name_1", "cmdline", "expected_1", "decision_1", "reason_1", "OK"],
160 ["name_2", "cmdline", "expected_2", "decision_2", "reason_2", "FAIL: \"UNexpected_2\""],
161 ["name_3", "cmdline", "expected_3", "decision_3", "reason_3", "FAIL: is not found"],
162 ["name_4", "cmdline", "is not set", "decision_4", "reason_4", "OK: is not found"],
163 ["name_5", "cmdline", "is present", "decision_5", "reason_5", "OK: is present"],
164 ["name_6", "cmdline", "is present", "decision_6", "reason_6", "FAIL: is not present"],
165 ["name_7", "cmdline", "is not off", "decision_7", "reason_7", "OK: is not off, \"\""],
166 ["name_8", "cmdline", "is not off", "decision_8", "reason_8", "FAIL: is off"],
167 ["name_9", "cmdline", "is not off", "decision_9", "reason_9", "FAIL: is off, \"0\""],
168 ["name_10", "cmdline", "is not off", "decision_10", "reason_10", "FAIL: is off, not found"]]
172 # 1. prepare the checklist
173 config_checklist = []
174 config_checklist += [OR(KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1'),
175 KconfigCheck('reason_2', 'decision_2', 'NAME_2', 'expected_2'))]
176 config_checklist += [OR(KconfigCheck('reason_3', 'decision_3', 'NAME_3', 'expected_3'),
177 KconfigCheck('reason_4', 'decision_4', 'NAME_4', 'expected_4'))]
178 config_checklist += [OR(KconfigCheck('reason_5', 'decision_5', 'NAME_5', 'expected_5'),
179 KconfigCheck('reason_6', 'decision_6', 'NAME_6', 'expected_6'))]
180 config_checklist += [OR(KconfigCheck('reason_6', 'decision_6', 'NAME_6', 'expected_6'),
181 KconfigCheck('reason_7', 'decision_7', 'NAME_7', 'is not set'))]
182 config_checklist += [OR(KconfigCheck('reason_8', 'decision_8', 'NAME_8', 'expected_8'),
183 KconfigCheck('reason_9', 'decision_9', 'NAME_9', 'is present'))]
184 config_checklist += [OR(KconfigCheck('reason_10', 'decision_10', 'NAME_10', 'expected_10'),
185 KconfigCheck('reason_11', 'decision_11', 'NAME_11', 'is not off'))]
187 # 2. prepare the parsed kconfig options
188 parsed_kconfig_options = OrderedDict()
189 parsed_kconfig_options['CONFIG_NAME_1'] = 'expected_1'
190 parsed_kconfig_options['CONFIG_NAME_2'] = 'UNexpected_2'
191 parsed_kconfig_options['CONFIG_NAME_3'] = 'UNexpected_3'
192 parsed_kconfig_options['CONFIG_NAME_4'] = 'expected_4'
193 parsed_kconfig_options['CONFIG_NAME_5'] = 'UNexpected_5'
194 parsed_kconfig_options['CONFIG_NAME_6'] = 'UNexpected_6'
195 parsed_kconfig_options['CONFIG_NAME_9'] = 'UNexpected_9'
196 parsed_kconfig_options['CONFIG_NAME_11'] = 'really_not_off'
199 self.run_engine(config_checklist, parsed_kconfig_options, None, None)
201 # 4. check that the results are correct
203 self.get_engine_result(config_checklist, result, 'json')
206 [["CONFIG_NAME_1", "kconfig", "expected_1", "decision_1", "reason_1", "OK"],
207 ["CONFIG_NAME_3", "kconfig", "expected_3", "decision_3", "reason_3", "OK: CONFIG_NAME_4 is \"expected_4\""],
208 ["CONFIG_NAME_5", "kconfig", "expected_5", "decision_5", "reason_5", "FAIL: \"UNexpected_5\""],
209 ["CONFIG_NAME_6", "kconfig", "expected_6", "decision_6", "reason_6", "OK: CONFIG_NAME_7 is not found"],
210 ["CONFIG_NAME_8", "kconfig", "expected_8", "decision_8", "reason_8", "OK: CONFIG_NAME_9 is present"],
211 ["CONFIG_NAME_10", "kconfig", "expected_10", "decision_10", "reason_10", "OK: CONFIG_NAME_11 is not off"]]
215 # 1. prepare the checklist
216 config_checklist = []
217 config_checklist += [AND(KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1'),
218 KconfigCheck('reason_2', 'decision_2', 'NAME_2', 'expected_2'))]
219 config_checklist += [AND(KconfigCheck('reason_3', 'decision_3', 'NAME_3', 'expected_3'),
220 KconfigCheck('reason_4', 'decision_4', 'NAME_4', 'expected_4'))]
221 config_checklist += [AND(KconfigCheck('reason_5', 'decision_5', 'NAME_5', 'expected_5'),
222 KconfigCheck('reason_6', 'decision_6', 'NAME_6', 'expected_6'))]
223 config_checklist += [AND(KconfigCheck('reason_8', 'decision_8', 'NAME_8', 'expected_8'),
224 KconfigCheck('reason_9', 'decision_9', 'NAME_9', 'is present'))]
225 config_checklist += [AND(KconfigCheck('reason_10', 'decision_10', 'NAME_10', 'expected_10'),
226 KconfigCheck('reason_11', 'decision_11', 'NAME_11', 'is not off'))]
227 config_checklist += [AND(KconfigCheck('reason_12', 'decision_12', 'NAME_12', 'expected_12'),
228 KconfigCheck('reason_13', 'decision_13', 'NAME_13', 'is not off'))]
230 # 2. prepare the parsed kconfig options
231 parsed_kconfig_options = OrderedDict()
232 parsed_kconfig_options['CONFIG_NAME_1'] = 'expected_1'
233 parsed_kconfig_options['CONFIG_NAME_2'] = 'expected_2'
234 parsed_kconfig_options['CONFIG_NAME_3'] = 'expected_3'
235 parsed_kconfig_options['CONFIG_NAME_4'] = 'UNexpected_4'
236 parsed_kconfig_options['CONFIG_NAME_5'] = 'UNexpected_5'
237 parsed_kconfig_options['CONFIG_NAME_6'] = 'expected_6'
238 parsed_kconfig_options['CONFIG_NAME_8'] = 'expected_8'
239 parsed_kconfig_options['CONFIG_NAME_10'] = 'expected_10'
240 parsed_kconfig_options['CONFIG_NAME_11'] = '0'
241 parsed_kconfig_options['CONFIG_NAME_12'] = 'expected_12'
244 self.run_engine(config_checklist, parsed_kconfig_options, None, None)
246 # 4. check that the results are correct
248 self.get_engine_result(config_checklist, result, 'json')
251 [["CONFIG_NAME_1", "kconfig", "expected_1", "decision_1", "reason_1", "OK"],
252 ["CONFIG_NAME_3", "kconfig", "expected_3", "decision_3", "reason_3", "FAIL: CONFIG_NAME_4 is not \"expected_4\""],
253 ["CONFIG_NAME_5", "kconfig", "expected_5", "decision_5", "reason_5", "FAIL: \"UNexpected_5\""],
254 ["CONFIG_NAME_8", "kconfig", "expected_8", "decision_8", "reason_8", "FAIL: CONFIG_NAME_9 is not present"],
255 ["CONFIG_NAME_10", "kconfig", "expected_10", "decision_10", "reason_10", "FAIL: CONFIG_NAME_11 is off"],
256 ["CONFIG_NAME_12", "kconfig", "expected_12", "decision_12", "reason_12", "FAIL: CONFIG_NAME_13 is off, not found"]]
259 def test_version(self):
260 # 1. prepare the checklist
261 config_checklist = []
262 config_checklist += [OR(KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1'),
263 VersionCheck((41, 101)))]
264 config_checklist += [AND(KconfigCheck('reason_2', 'decision_2', 'NAME_2', 'expected_2'),
265 VersionCheck((44, 1)))]
266 config_checklist += [AND(KconfigCheck('reason_3', 'decision_3', 'NAME_3', 'expected_3'),
267 VersionCheck((42, 44)))]
268 config_checklist += [OR(KconfigCheck('reason_4', 'decision_4', 'NAME_4', 'expected_4'),
269 VersionCheck((42, 43)))]
271 # 2. prepare the parsed kconfig options
272 parsed_kconfig_options = OrderedDict()
273 parsed_kconfig_options['CONFIG_NAME_2'] = 'expected_2'
274 parsed_kconfig_options['CONFIG_NAME_3'] = 'expected_3'
276 # 3. prepare the kernel version
277 kernel_version = (42, 43)
280 self.run_engine(config_checklist, parsed_kconfig_options, None, kernel_version)
282 # 5. check that the results are correct
284 self.get_engine_result(config_checklist, result, 'json')
287 [["CONFIG_NAME_1", "kconfig", "expected_1", "decision_1", "reason_1", "OK: version >= 41.101"],
288 ["CONFIG_NAME_2", "kconfig", "expected_2", "decision_2", "reason_2", "FAIL: version < 44.1"],
289 ["CONFIG_NAME_3", "kconfig", "expected_3", "decision_3", "reason_3", "FAIL: version < 42.44"],
290 ["CONFIG_NAME_4", "kconfig", "expected_4", "decision_4", "reason_4", "OK: version >= 42.43"]]