Add the / symbol to the sysctl parsing pattern
[kconfig-hardened-check.git] / kconfig_hardened_check / test_engine.py
index 99fd96cf88c431b5e8bee6b9140e0a463c3b665f..dce10390aa1502607fdd63ab90019cb1447ef6db 100644 (file)
@@ -1,9 +1,7 @@
 #!/usr/bin/python3
 
 """
-This tool helps me to check Linux kernel options against
-my security hardening preferences for X86_64, ARM64, X86_32, and ARM.
-Let the computers do their job!
+This tool is for checking the security hardening options of the Linux kernel.
 
 Author: Alexander Popov <alex.popov@linux.com>
 
@@ -17,7 +15,7 @@ import io
 import sys
 from collections import OrderedDict
 import json
-from .engine import KconfigCheck, CmdlineCheck, VersionCheck, OR, AND, populate_with_data, perform_checks
+from .engine import KconfigCheck, CmdlineCheck, SysctlCheck, VersionCheck, OR, AND, populate_with_data, perform_checks, override_expected_value
 
 
 class TestEngine(unittest.TestCase):
@@ -28,6 +26,7 @@ class TestEngine(unittest.TestCase):
         config_checklist = []
         config_checklist += [KconfigCheck('reason_1', 'decision_1', 'KCONFIG_NAME', 'expected_1')]
         config_checklist += [CmdlineCheck('reason_2', 'decision_2', 'cmdline_name', 'expected_2')]
+        config_checklist += [SysctlCheck('reason_3', 'decision_3', 'sysctl_name', 'expected_3')]
 
         # 2. prepare the parsed kconfig options
         parsed_kconfig_options = OrderedDict()
@@ -37,25 +36,31 @@ class TestEngine(unittest.TestCase):
         parsed_cmdline_options = OrderedDict()
         parsed_cmdline_options['cmdline_name'] = 'expected_2'
 
-        # 4. prepare the kernel version
+        # 4. prepare the parsed sysctl options
+        parsed_sysctl_options = OrderedDict()
+        parsed_sysctl_options['sysctl_name'] = 'expected_3'
+
+        # 5. prepare the kernel version
         kernel_version = (42, 43)
 
-        # 5. run the engine
-        self.run_engine(config_checklist, parsed_kconfig_options, parsed_cmdline_options, kernel_version)
+        # 6. run the engine
+        self.run_engine(config_checklist, parsed_kconfig_options, parsed_cmdline_options, parsed_sysctl_options, kernel_version)
 
-        # 6. check that the results are correct
+        # 7. check that the results are correct
         result = []
         self.get_engine_result(config_checklist, result, 'json')
         self.assertEqual(...
     """
 
     @staticmethod
-    def run_engine(checklist, parsed_kconfig_options, parsed_cmdline_options, kernel_version):
+    def run_engine(checklist, parsed_kconfig_options, parsed_cmdline_options, parsed_sysctl_options, kernel_version):
         # populate the checklist with data
         if parsed_kconfig_options:
             populate_with_data(checklist, parsed_kconfig_options, 'kconfig')
         if parsed_cmdline_options:
             populate_with_data(checklist, parsed_cmdline_options, 'cmdline')
+        if parsed_sysctl_options:
+            populate_with_data(checklist, parsed_sysctl_options, 'sysctl')
         if kernel_version:
             populate_with_data(checklist, kernel_version, 'version')
 
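Review bot: The new `parsed_sysctl_options` parameter of `run_engine` is inserted positionally between the cmdline options and the kernel version, so every caller now passes lists such as `parsed_kconfig_options, None, None, None`, where a misplaced dict is hard to spot. Giving the optional inputs defaults and passing them by keyword would make the call sites self-describing: `def run_engine(checklist, parsed_kconfig_options=None, parsed_cmdline_options=None, parsed_sysctl_options=None, kernel_version=None):`. The `if parsed_sysctl_options:` guard also treats an empty dict the same as `None`, so a sysctl input that parsed to nothing would skip `populate_with_data` entirely; a short comment should say whether that is intended. The body of `run_engine` continues past the end of this hunk.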
@@ -122,7 +127,7 @@ class TestEngine(unittest.TestCase):
         parsed_kconfig_options['CONFIG_NAME_9'] = '0'
 
         # 3. run the engine
-        self.run_engine(config_checklist, parsed_kconfig_options, None, None)
+        self.run_engine(config_checklist, parsed_kconfig_options, None, None, None)
 
         # 4. check that the results are correct
         result = []
@@ -165,7 +170,7 @@ class TestEngine(unittest.TestCase):
         parsed_cmdline_options['name_9'] = '0'
 
         # 3. run the engine
-        self.run_engine(config_checklist, None, parsed_cmdline_options, None)
+        self.run_engine(config_checklist, None, parsed_cmdline_options, None, None)
 
         # 4. check that the results are correct
         result = []
@@ -184,6 +189,49 @@ class TestEngine(unittest.TestCase):
                  ["name_10", "cmdline", "is not off", "decision_10", "reason_10", "FAIL: is off, not found"]]
         )
 
+    def test_simple_sysctl(self):
+        # 1. prepare the checklist
+        config_checklist = []
+        config_checklist += [SysctlCheck('reason_1', 'decision_1', 'name_1', 'expected_1')]
+        config_checklist += [SysctlCheck('reason_2', 'decision_2', 'name_2', 'expected_2')]
+        config_checklist += [SysctlCheck('reason_3', 'decision_3', 'name_3', 'expected_3')]
+        config_checklist += [SysctlCheck('reason_4', 'decision_4', 'name_4', 'is not set')]
+        config_checklist += [SysctlCheck('reason_5', 'decision_5', 'name_5', 'is present')]
+        config_checklist += [SysctlCheck('reason_6', 'decision_6', 'name_6', 'is present')]
+        config_checklist += [SysctlCheck('reason_7', 'decision_7', 'name_7', 'is not off')]
+        config_checklist += [SysctlCheck('reason_8', 'decision_8', 'name_8', 'is not off')]
+        config_checklist += [SysctlCheck('reason_9', 'decision_9', 'name_9', 'is not off')]
+        config_checklist += [SysctlCheck('reason_10', 'decision_10', 'name_10', 'is not off')]
+
+        # 2. prepare the parsed sysctl options
+        parsed_sysctl_options = OrderedDict()
+        parsed_sysctl_options['name_1'] = 'expected_1'
+        parsed_sysctl_options['name_2'] = 'UNexpected_2'
+        parsed_sysctl_options['name_5'] = ''
+        parsed_sysctl_options['name_7'] = ''
+        parsed_sysctl_options['name_8'] = 'off'
+        parsed_sysctl_options['name_9'] = '0'
+
+        # 3. run the engine
+        self.run_engine(config_checklist, None, None, parsed_sysctl_options, None)
+
+        # 4. check that the results are correct
+        result = []
+        self.get_engine_result(config_checklist, result, 'json')
+        self.assertEqual(
+                result,
+                [["name_1", "sysctl", "expected_1", "decision_1", "reason_1", "OK"],
+                 ["name_2", "sysctl", "expected_2", "decision_2", "reason_2", "FAIL: \"UNexpected_2\""],
+                 ["name_3", "sysctl", "expected_3", "decision_3", "reason_3", "FAIL: is not found"],
+                 ["name_4", "sysctl", "is not set", "decision_4", "reason_4", "OK: is not found"],
+                 ["name_5", "sysctl", "is present", "decision_5", "reason_5", "OK: is present"],
+                 ["name_6", "sysctl", "is present", "decision_6", "reason_6", "FAIL: is not present"],
+                 ["name_7", "sysctl", "is not off", "decision_7", "reason_7", "OK: is not off, \"\""],
+                 ["name_8", "sysctl", "is not off", "decision_8", "reason_8", "FAIL: is off"],
+                 ["name_9", "sysctl", "is not off", "decision_9", "reason_9", "FAIL: is off, \"0\""],
+                 ["name_10", "sysctl", "is not off", "decision_10", "reason_10", "FAIL: is off, not found"]]
+        )
+
     def test_complex_or(self):
         # 1. prepare the checklist
         config_checklist = []
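Review bot: `test_simple_sysctl` exercises only the passing branch of `'is not set'`, because `name_4` is absent from `parsed_sysctl_options` and no case sets a value for a sysctl that is expected to be unset. For a hardening checker the failing branch is the one that matters, so I would add `SysctlCheck('reason_11', 'decision_11', 'name_11', 'is not set')` with `parsed_sysctl_options['name_11'] = '1'` and pin the result string the engine reports. A one-line comment noting that `name_3`, `name_4`, `name_6` and `name_10` are deliberately left out of the parsed options would also help readers. The names used here contain neither `.` nor `/`, so this test says nothing about the parsing pattern named in the commit title; presumably that is covered where the sysctl input is parsed.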
@@ -212,7 +260,7 @@ class TestEngine(unittest.TestCase):
         parsed_kconfig_options['CONFIG_NAME_11'] = 'really_not_off'
 
         # 3. run the engine
-        self.run_engine(config_checklist, parsed_kconfig_options, None, None)
+        self.run_engine(config_checklist, parsed_kconfig_options, None, None, None)
 
         # 4. check that the results are correct
         result = []
@@ -257,7 +305,7 @@ class TestEngine(unittest.TestCase):
         parsed_kconfig_options['CONFIG_NAME_12'] = 'expected_12'
 
         # 3. run the engine
-        self.run_engine(config_checklist, parsed_kconfig_options, None, None)
+        self.run_engine(config_checklist, parsed_kconfig_options, None, None, None)
 
         # 4. check that the results are correct
         result = []
@@ -293,7 +341,7 @@ class TestEngine(unittest.TestCase):
         kernel_version = (42, 43)
 
         # 4. run the engine
-        self.run_engine(config_checklist, parsed_kconfig_options, None, kernel_version)
+        self.run_engine(config_checklist, parsed_kconfig_options, None, None, kernel_version)
 
         # 5. check that the results are correct
         result = []
@@ -311,20 +359,24 @@ class TestEngine(unittest.TestCase):
         config_checklist = []
         config_checklist += [OR(KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1'),
                                 AND(CmdlineCheck('reason_2', 'decision_2', 'name_2', 'expected_2'),
-                                    KconfigCheck('reason_3', 'decision_3', 'NAME_3', 'expected_3')))]
+                                    SysctlCheck('reason_3', 'decision_3', 'name_3', 'expected_3')))]
         config_checklist += [AND(CmdlineCheck('reason_4', 'decision_4', 'name_4', 'expected_4'),
                                  OR(KconfigCheck('reason_5', 'decision_5', 'NAME_5', 'expected_5'),
-                                    CmdlineCheck('reason_6', 'decision_6', 'name_6', 'expected_6')))]
+                                    SysctlCheck('reason_6', 'decision_6', 'name_6', 'expected_6')))]
 
         # 2. prepare the parsed cmdline options
         parsed_cmdline_options = OrderedDict()
         parsed_cmdline_options['name_4'] = 'expected_4'
-        parsed_cmdline_options['name_6'] = 'UNexpected_6'
 
-        # 3. run the engine
-        self.run_engine(config_checklist, None, parsed_cmdline_options, None)
+        # 3. prepare the parsed sysctl options
+        parsed_sysctl_options = OrderedDict()
+        parsed_sysctl_options['name_3'] = 'UNexpected_3'
+        parsed_sysctl_options['name_6'] = 'UNexpected_6'
 
-        # 4. check that the results are correct
+        # 4. run the engine
+        self.run_engine(config_checklist, None, parsed_cmdline_options, parsed_sysctl_options, None)
+
+        # 5. check that the results are correct
         json_result = []
         self.get_engine_result(config_checklist, json_result, 'json')
         self.assertEqual(
@@ -352,15 +404,89 @@ name_4                                  |cmdline| expected_4 |decision_4|     re
 "\
     <<< OR >>>                                                                             | FAIL: is not found\n\
 CONFIG_NAME_1                           |kconfig| expected_1 |decision_1|     reason_1     | FAIL: is not found\n\
-    <<< AND >>>                                                                            | FAIL: CONFIG_NAME_3 is not \"expected_3\"\n\
+    <<< AND >>>                                                                            | FAIL: name_3 is not \"expected_3\"\n\
 name_2                                  |cmdline| expected_2 |decision_2|     reason_2     | None\n\
-CONFIG_NAME_3                           |kconfig| expected_3 |decision_3|     reason_3     | FAIL: is not found\
+name_3                                  |sysctl | expected_3 |decision_3|     reason_3     | FAIL: \"UNexpected_3\"\
 "\
 "\
     <<< AND >>>                                                                            | FAIL: CONFIG_NAME_5 is not \"expected_5\"\n\
 name_4                                  |cmdline| expected_4 |decision_4|     reason_4     | None\n\
     <<< OR >>>                                                                             | FAIL: is not found\n\
 CONFIG_NAME_5                           |kconfig| expected_5 |decision_5|     reason_5     | FAIL: is not found\n\
-name_6                                  |cmdline| expected_6 |decision_6|     reason_6     | FAIL: \"UNexpected_6\"\
+name_6                                  |sysctl | expected_6 |decision_6|     reason_6     | FAIL: \"UNexpected_6\"\
 "               ]
         )
+
+    def test_value_overriding(self):
+        # 1. prepare the checklist
+        config_checklist = []
+        config_checklist += [KconfigCheck('reason_1', 'decision_1', 'NAME_1', 'expected_1')]
+        config_checklist += [CmdlineCheck('reason_2', 'decision_2', 'name_2', 'expected_2')]
+        config_checklist += [SysctlCheck('reason_3', 'decision_3', 'name_3', 'expected_3')]
+
+        # 2. prepare the parsed kconfig options
+        parsed_kconfig_options = OrderedDict()
+        parsed_kconfig_options['CONFIG_NAME_1'] = 'expected_1_new'
+
+        # 3. prepare the parsed cmdline options
+        parsed_cmdline_options = OrderedDict()
+        parsed_cmdline_options['name_2'] = 'expected_2_new'
+
+        # 4. prepare the parsed sysctl options
+        parsed_sysctl_options = OrderedDict()
+        parsed_sysctl_options['name_3'] = 'expected_3_new'
+
+        # 5. run the engine
+        self.run_engine(config_checklist, parsed_kconfig_options, parsed_cmdline_options, parsed_sysctl_options, None)
+
+        # 6. check that the results are correct
+        result = []
+        self.get_engine_result(config_checklist, result, 'json')
+        self.assertEqual(
+                result,
+                [["CONFIG_NAME_1", "kconfig", "expected_1", "decision_1", "reason_1", "FAIL: \"expected_1_new\""],
+                 ["name_2", "cmdline", "expected_2", "decision_2", "reason_2", "FAIL: \"expected_2_new\""],
+                 ["name_3", "sysctl", "expected_3", "decision_3", "reason_3", "FAIL: \"expected_3_new\""]]
+        )
+
+        # 7. override expected value and perform the checks again
+        override_expected_value(config_checklist, "CONFIG_NAME_1", "expected_1_new")
+        perform_checks(config_checklist)
+
+        # 8. check that the results are correct
+        result = []
+        self.get_engine_result(config_checklist, result, 'json')
+        self.assertEqual(
+                result,
+                [["CONFIG_NAME_1", "kconfig", "expected_1_new", "decision_1", "reason_1", "OK"],
+                 ["name_2", "cmdline", "expected_2", "decision_2", "reason_2", "FAIL: \"expected_2_new\""],
+                 ["name_3", "sysctl", "expected_3", "decision_3", "reason_3", "FAIL: \"expected_3_new\""]]
+        )
+
+        # 9. override expected value and perform the checks again
+        override_expected_value(config_checklist, "name_2", "expected_2_new")
+        perform_checks(config_checklist)
+
+        # 10. check that the results are correct
+        result = []
+        self.get_engine_result(config_checklist, result, 'json')
+        self.assertEqual(
+                result,
+                [["CONFIG_NAME_1", "kconfig", "expected_1_new", "decision_1", "reason_1", "OK"],
+                 ["name_2", "cmdline", "expected_2_new", "decision_2", "reason_2", "OK"],
+                 ["name_3", "sysctl", "expected_3", "decision_3", "reason_3", "FAIL: \"expected_3_new\""]]
+        )
+
+        # 11. override expected value and perform the checks again
+        override_expected_value(config_checklist, "name_3", "expected_3_new")
+        perform_checks(config_checklist)
+
+        # 12. check that the results are correct
+        result = []
+        self.get_engine_result(config_checklist, result, 'json')
+        self.assertEqual(
+                result,
+                [["CONFIG_NAME_1", "kconfig", "expected_1_new", "decision_1", "reason_1", "OK"],
+                 ["name_2", "cmdline", "expected_2_new", "decision_2", "reason_2", "OK"],
+                 ["name_3", "sysctl", "expected_3_new", "decision_3", "reason_3", "OK"]]
+        )
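Review bot: `test_value_overriding` covers `override_expected_value` only for top-level simple checks whose names exist in the checklist. Since an override changes which values the tool reports as `OK`, the behaviour for a name that matches no check (for example a typo) and for a check nested inside `OR`/`AND` should be pinned as well; this hunk does not show whether those cases raise, are ignored, or are applied. The function is called with a name and no check type, so a case where the same name appears in more than one check would also be worth covering. A short docstring such as `"""Expected values can be overridden one check at a time; the change takes effect after perform_checks()."""` would document the intent.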