#!/usr/bin/python3
#
# Copyright 2016 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
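
import errno
import gzip
import os
from socket import *  # pylint: disable=wildcard-import,g-importing-member
import unittest

import gki
import net_test


class KernelFeatureTest(net_test.NetworkTest):
  """Checks that the running kernel was built with the expected options.

  The kernel configuration is read once per class into KCONFIG, a dict that
  maps option names (e.g. "CONFIG_FOO") to their raw values (e.g. "y", "m").
  """

  # Populated by loadKernelConfig(); None until setUpClass() has run.
  KCONFIG = None
  # Android's net_raw group id, used below as the gid of an otherwise
  # unprivileged process.
  AID_NET_RAW = 3004

  @classmethod
  def getKernelConfigFile(cls):
    """Open the running kernel's configuration as a text stream.

    Tries /proc/config.gz first and falls back to /boot/config-<release>
    only when that file does not exist; any other error (for example a
    permission error) propagates to the caller.

    Returns:
      An open text-mode file object. The caller is responsible for closing it.
    """
    try:
      return gzip.open("/proc/config.gz", mode="rt")
    except FileNotFoundError:
      # os.uname()[2] is the kernel release string.
      return open("/boot/config-" + os.uname()[2], mode="rt")

  @classmethod
  def loadKernelConfig(cls):
    """Parse the kernel configuration into cls.KCONFIG.

    Only lines of the form CONFIG_FOO=value are recorded. Comment lines
    (including "# CONFIG_FOO is not set") and blank lines are ignored, so an
    option that is not set is simply absent from the dict.
    """
    cls.KCONFIG = {}
    with cls.getKernelConfigFile() as f:
      for line in f:
        line = line.strip()
        if not line or line.startswith("#"):
          continue
        # Split on the first "=" only: string options such as
        # CONFIG_CMDLINE="a=b" contain "=" in the value and would otherwise
        # be dropped, making a set option look absent.
        parts = line.split("=", 1)
        if len(parts) == 2:
          # Lines of the form:
          #   CONFIG_FOO=y
          cls.KCONFIG[parts[0]] = parts[1]

  @classmethod
  def setUpClass(cls):
    """Run the inherited class setup, then load the kernel configuration."""
    # NOTE(review): super(net_test.NetworkTest, cls) starts the lookup *after*
    # NetworkTest in the MRO, so NetworkTest.setUpClass itself is skipped.
    # Confirm that this is intentional.
    super(net_test.NetworkTest, cls).setUpClass()
    cls.loadKernelConfig()

  def assertFeatureAbsent(self, feature_name):
    """Assert that feature_name does not appear in the kernel config."""
    return self.assertNotIn(feature_name, self.KCONFIG)

  def assertFeatureBuiltIn(self, feature_name):
    """Assert that feature_name is compiled into the kernel ("y")."""
    # .get() turns a missing option into an assertion failure that names the
    # option, instead of an unrelated KeyError.
    return self.assertEqual(
        "y", self.KCONFIG.get(feature_name),
        "%s is not built in" % feature_name)

  def assertFeatureModular(self, feature_name):
    """Assert that feature_name is built as a loadable module ("m")."""
    return self.assertEqual(
        "m", self.KCONFIG.get(feature_name),
        "%s is not modular" % feature_name)

  def assertFeatureEnabled(self, feature_name):
    """Assert that feature_name is either built in ("y") or modular ("m")."""
    return self.assertIn(
        self.KCONFIG.get(feature_name), ["m", "y"],
        "%s is not enabled" % feature_name)

  def testNetfilterRejectEnabled(self):
    """Verify that CONFIG_IP{,6}_NF_{FILTER,TARGET_REJECT} is built in.

    The checks require "y"; a kernel that ships these as modules ("m") fails.
    """
    self.assertFeatureBuiltIn("CONFIG_IP_NF_FILTER")
    self.assertFeatureBuiltIn("CONFIG_IP_NF_TARGET_REJECT")

    self.assertFeatureBuiltIn("CONFIG_IP6_NF_FILTER")
    self.assertFeatureBuiltIn("CONFIG_IP6_NF_TARGET_REJECT")

  def testRemovedAndroidParanoidNetwork(self):
    """Verify that ANDROID_PARANOID_NETWORK is gone.

    On a 4.14-q kernel you can achieve this by simply
    changing the ANDROID_PARANOID_NETWORK default y to n
    in your kernel source code in net/Kconfig:

    @@ -94,3 +94,3 @@ endif # if INET
     config ANDROID_PARANOID_NETWORK
      bool "Only allow certain groups to create sockets"
    - default y
    + default n

    The check is behavioural rather than a Kconfig lookup: a process running
    as a non-root uid whose gid is AID_NET_RAW must get EPERM when it tries
    to open a raw packet socket, i.e. group membership alone must not be
    enough to create one.
    """
    # NOTE(review): this relies on net_test.RunAsUidGid leaving the process
    # without CAP_NET_RAW; confirm against that helper.
    with net_test.RunAsUidGid(12345, self.AID_NET_RAW):
      self.assertRaisesErrno(errno.EPERM, socket, AF_PACKET, SOCK_RAW, 0)

  @unittest.skipUnless(net_test.IS_GSI, "not GSI")
  def testIsGSI(self):
    """No-op test: passes when net_test.IS_GSI is true, otherwise skipped."""
    pass

  @unittest.skipUnless(gki.IS_GKI, "not GKI")
  def testIsGKI(self):
    """No-op test: passes when gki.IS_GKI is true, otherwise skipped."""
    pass


if __name__ == "__main__":
  unittest.main()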