Skip to content

Commit

Permalink
Re-enables paxtest in testinfra
Browse files Browse the repository at this point in the history
These tests were skipped because we weren't installing paxtest by
default. Let's just install it as part of the test run. Removes
the skip-in-prod marker, so that these checks can be used as part of QA
on hardware. Updates the logic to be distro-specific.

Removes paxtest after test run

We don't install it by default, and it's only useful in QA, so let's
have the test-only dependency automatically cleaned up after install.
  • Loading branch information
Conor Schaefer committed Mar 22, 2021
1 parent 185bd55 commit 3f0bd46
Show file tree
Hide file tree
Showing 2 changed files with 60 additions and 31 deletions.
18 changes: 18 additions & 0 deletions molecule/testinfra/common/paxtest_results.j2
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Return to function (strcpy) : paxtest: return address contains a NULL byte.
Return to function (memcpy) : {{ memcpy_result }}
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE) : {{ memcpy_result }}
73 changes: 42 additions & 31 deletions molecule/testinfra/common/test_grsecurity.py
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
import pytest
import re
import warnings
import io
import difflib
import os
from jinja2 import Template

import testutils

Expand Down Expand Up @@ -99,39 +103,46 @@ def test_grsecurity_sysctl_options(host, sysctl_opt):
assert host.sysctl(sysctl_opt[0]) == sysctl_opt[1]


@pytest.mark.skip_in_prod
@pytest.mark.parametrize('paxtest_check', [
"Executable anonymous mapping",
"Executable bss",
"Executable data",
"Executable heap",
"Executable stack",
"Executable shared library bss",
"Executable shared library data",
"Executable anonymous mapping (mprotect)",
"Executable bss (mprotect)",
"Executable data (mprotect)",
"Executable heap (mprotect)",
"Executable stack (mprotect)",
"Executable shared library bss (mprotect)",
"Executable shared library data (mprotect)",
"Writable text segments",
"Return to function (memcpy)",
"Return to function (memcpy, PIE)",
])
def test_grsecurity_paxtest(host, paxtest_check):
def test_grsecurity_paxtest(host):
"""
Check that paxtest does not report anything vulnerable
Requires the package paxtest to be installed.
The paxtest package is currently being installed in the app-test role.
Check that paxtest reports the expected mitigations. These are
"Killed" for most of the checks, with the notable exception of the
memcpy ones. Only newer versions of paxtest will fail the latter,
regardless of kernel.
"""
if host.exists("/usr/bin/paxtest"):
if not host.exists("/usr/bin/paxtest"):
warnings.warn("Installing paxtest to run kernel tests")
with host.sudo():
host.run("apt-get install -y paxtest")
try:
with host.sudo():
c = host.run("paxtest blackhat")
assert c.rc == 0
assert "Vulnerable" not in c.stdout
regex = r"^{}\s*:\sKilled$".format(re.escape(paxtest_check))
assert re.search(regex, c.stdout)
# Log to /tmp to avoid cluttering up /root.
paxtest_cmd = "paxtest blackhat /tmp/paxtest.log"
# Select only predictably formatted lines; omit
# the guesses, since the number of bits can vary
paxtest_cmd += " | grep -P '^(Executable|Return)'"
paxtest_results = host.check_output(paxtest_cmd)

paxtest_template_path = "{}/paxtest_results.j2".format(
os.path.dirname(os.path.abspath(__file__)))

memcpy_result = "Killed"
# Versions of paxtest newer than 0.9.12 or so will report
# "Vulnerable" on memcpy tests, see details in
# https://github.com/freedomofpress/securedrop/issues/1039
if host.system_info.codename == "focal":
memcpy_result = "Vulnerable"
with io.open(paxtest_template_path, 'r') as f:
paxtest_template = Template(f.read().rstrip())
paxtest_expected = paxtest_template.render(memcpy_result=memcpy_result)

# The stdout prints here will only be displayed if the test fails
for paxtest_diff in difflib.context_diff(paxtest_expected.split('\n'),
paxtest_results.split('\n')):
print(paxtest_diff)
assert paxtest_results == paxtest_expected
finally:
host.run("apt-get remove -y paxtest")


@pytest.mark.skip_in_prod
Expand Down

0 comments on commit 3f0bd46

Please sign in to comment.