src/chromiumos/tast/local/bundles/cros/security/userfiles/userfiles.go - chromiumos/platform/tast-tests - Git at Google

 // Copyright 2018 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 // Package userfiles contains shared logic for security.UserFiles* tests.
 package userfiles

 import (
 	"context"
 	"strings"

 	chk "chromiumos/tast/local/bundles/cros/security/filecheck"
 	"chromiumos/tast/local/cryptohome"
 	"chromiumos/tast/local/sysutil"
 	"chromiumos/tast/testing"
 )

 const (
 	homeDir   = "/home/chronos" // standard home dir
 	maxErrors = 10              // max errors to report per base dir
 )

 // Check checks files belonging to the supplied logged-in Chrome user.
 // This is a helper function called by security.UserFiles* tests.
 // Errors are reported via s.
 func Check(ctx context.Context, s *testing.State, user string) {
 	userDir, err := cryptohome.UserPath(ctx, user)
 	if err != nil {
 		s.Fatalf("Failed to get cryptohome dir for user %v: %v", user, err)
 	}

 	isChronosUID := chk.UID(sysutil.ChronosUID)

 	chronosAccessGID, err := sysutil.GetGID("chronos-access")
 	if err != nil {
 		s.Fatal("Failed to find gid: ", err)
 	}
 	isChronosAccessGID := chk.GID(chronosAccessGID)

 	checkPath := func(root string, patterns []*chk.Pattern) {
 		s.Log("Checking ", root)
 		probs, numPaths, err := chk.Check(ctx, root, patterns)
 		if err != nil {
 			s.Errorf("Failed to scan %v: %v", root, err)
 		} else {
 			s.Logf("Examined %d path(s) under %s", numPaths, root)
 		}

 		numErrors := 0
 		for p, msgs := range probs {
 			if numErrors++; numErrors > maxErrors {
 				s.Error("Too many errors; aborting")
 				break
 			}
 			s.Errorf("%v: %v", p, strings.Join(msgs, ", "))
 		}
 	}

 	checkPath(homeDir, []*chk.Pattern{
 		chk.NewPattern(chk.Path("user"), chk.SkipChildren()),
 		chk.NewPattern(chk.Path("crash"), chk.SkipChildren()),
 		chk.NewPattern(chk.PathRegexp(`^u-`), chk.SkipChildren()),
 		chk.NewPattern(chk.PathRegexp(`^Singleton`)),
 		chk.NewPattern(chk.Root(), isChronosUID, chk.Mode(0755)),
 		chk.NewPattern(chk.AllPaths(), isChronosUID, chk.NotMode(022)),
 	})

 	checkPath(userDir, []*chk.Pattern{
 		chk.NewPattern(chk.Path("Downloads"), isChronosUID, isChronosAccessGID, chk.Mode(0710), chk.SkipChildren()),
 		chk.NewPattern(chk.Root(), isChronosUID, isChronosAccessGID, chk.Mode(0710)),
 	})

 	// TODO(crbug.com/971919): Add additional vault checks from security_ProfilePermissions?
 }
	// Copyright 2018 The Chromium OS Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	// Package userfiles contains shared logic for security.UserFiles* tests.
	package userfiles

	import (
	"context"
	"strings"

	chk "chromiumos/tast/local/bundles/cros/security/filecheck"
	"chromiumos/tast/local/cryptohome"
	"chromiumos/tast/local/sysutil"
	"chromiumos/tast/testing"
	)

	const (
	homeDir = "/home/chronos" // standard home dir
	maxErrors = 10 // max errors to report per base dir
	)

	// Check checks files belonging to the supplied logged-in Chrome user.
	// This is a helper function called by security.UserFiles* tests.
	// Errors are reported via s.
	func Check(ctx context.Context, s *testing.State, user string) {
	userDir, err := cryptohome.UserPath(ctx, user)
	if err != nil {
	s.Fatalf("Failed to get cryptohome dir for user %v: %v", user, err)
	}

	isChronosUID := chk.UID(sysutil.ChronosUID)

	chronosAccessGID, err := sysutil.GetGID("chronos-access")
	if err != nil {
	s.Fatal("Failed to find gid: ", err)
	}
	isChronosAccessGID := chk.GID(chronosAccessGID)

	checkPath := func(root string, patterns []*chk.Pattern) {
	s.Log("Checking ", root)
	probs, numPaths, err := chk.Check(ctx, root, patterns)
	if err != nil {
	s.Errorf("Failed to scan %v: %v", root, err)
	} else {
	s.Logf("Examined %d path(s) under %s", numPaths, root)
	}

	numErrors := 0
	for p, msgs := range probs {
	if numErrors++; numErrors > maxErrors {
	s.Error("Too many errors; aborting")
	break
	}
	s.Errorf("%v: %v", p, strings.Join(msgs, ", "))
	}
	}

	checkPath(homeDir, []*chk.Pattern{
	chk.NewPattern(chk.Path("user"), chk.SkipChildren()),
	chk.NewPattern(chk.Path("crash"), chk.SkipChildren()),
	chk.NewPattern(chk.PathRegexp(`^u-`), chk.SkipChildren()),
	chk.NewPattern(chk.PathRegexp(`^Singleton`)),
	chk.NewPattern(chk.Root(), isChronosUID, chk.Mode(0755)),
	chk.NewPattern(chk.AllPaths(), isChronosUID, chk.NotMode(022)),
	})

	checkPath(userDir, []*chk.Pattern{
	chk.NewPattern(chk.Path("Downloads"), isChronosUID, isChronosAccessGID, chk.Mode(0710), chk.SkipChildren()),
	chk.NewPattern(chk.Root(), isChronosUID, isChronosAccessGID, chk.Mode(0710)),
	})

	// TODO(crbug.com/971919): Add additional vault checks from security_ProfilePermissions?
	}