Andrew Geissler | 1fe918a | 2020-05-15 14:16:47 -0500 | [diff] [blame] | 1 | # |
| 2 | # ISA_fsa_plugin.py - Filesystem analyser plugin, part of ISA FW |
| 3 | # |
| 4 | # Copyright (c) 2015 - 2016, Intel Corporation |
| 5 | # |
| 6 | # Redistribution and use in source and binary forms, with or without |
| 7 | # modification, are permitted provided that the following conditions are met: |
| 8 | # |
| 9 | # * Redistributions of source code must retain the above copyright notice, |
| 10 | # this list of conditions and the following disclaimer. |
| 11 | # * Redistributions in binary form must reproduce the above copyright |
| 12 | # notice, this list of conditions and the following disclaimer in the |
| 13 | # documentation and/or other materials provided with the distribution. |
| 14 | # * Neither the name of Intel Corporation nor the names of its contributors |
| 15 | # may be used to endorse or promote products derived from this software |
| 16 | # without specific prior written permission. |
| 17 | # |
| 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" |
| 19 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 20 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
| 21 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE |
| 22 | # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 23 | # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR |
| 24 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER |
| 25 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, |
| 26 | # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| 27 | # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 28 | import os |
| 29 | from stat import * |
| 30 | try: |
| 31 | from lxml import etree |
| 32 | except ImportError: |
| 33 | try: |
| 34 | import xml.etree.cElementTree as etree |
| 35 | except ImportError: |
| 36 | import xml.etree.ElementTree as etree |
| 37 | |
| 38 | |
| 39 | FSAnalyzer = None |
| 40 | |
| 41 | |
| 42 | class ISA_FSChecker(): |
| 43 | initialized = False |
| 44 | |
| 45 | def __init__(self, ISA_config): |
| 46 | self.logfile = ISA_config.logdir + "/isafw_fsalog" |
| 47 | self.full_report_name = ISA_config.reportdir + "/fsa_full_report_" + \ |
| 48 | ISA_config.machine + "_" + ISA_config.timestamp |
| 49 | self.problems_report_name = ISA_config.reportdir + \ |
| 50 | "/fsa_problems_report_" + ISA_config.machine + "_" + ISA_config.timestamp |
| 51 | self.full_reports = ISA_config.full_reports |
| 52 | self.initialized = True |
| 53 | self.setuid_files = [] |
| 54 | self.setgid_files = [] |
| 55 | self.ww_files = [] |
| 56 | self.no_sticky_bit_ww_dirs = [] |
| 57 | with open(self.logfile, 'w') as flog: |
| 58 | flog.write("\nPlugin ISA_FSChecker initialized!\n") |
| 59 | |
| 60 | def process_filesystem(self, ISA_filesystem): |
| 61 | if (self.initialized): |
| 62 | if (ISA_filesystem.img_name and ISA_filesystem.path_to_fs): |
| 63 | with open(self.logfile, 'a') as flog: |
| 64 | flog.write("Analyzing filesystem at: " + ISA_filesystem.path_to_fs + |
| 65 | " for the image: " + ISA_filesystem.img_name + "\n") |
| 66 | self.files = self.find_fsobjects(ISA_filesystem.path_to_fs) |
| 67 | with open(self.logfile, 'a') as flog: |
| 68 | flog.write("\nFilelist is: " + str(self.files)) |
| 69 | if self.full_reports: |
| 70 | with open(self.full_report_name + "_" + ISA_filesystem.img_name, 'w') as ffull_report: |
| 71 | ffull_report.write( |
| 72 | "Report for image: " + ISA_filesystem.img_name + '\n') |
| 73 | ffull_report.write( |
| 74 | "With rootfs location at " + ISA_filesystem.path_to_fs + "\n\n") |
| 75 | for f in self.files: |
| 76 | st = os.lstat(f) |
| 77 | i = f.replace(ISA_filesystem.path_to_fs, "") |
| 78 | if self.full_reports: |
| 79 | with open(self.full_report_name + "_" + ISA_filesystem.img_name, 'a') as ffull_report: |
| 80 | ffull_report.write("File: " + i + ' mode: ' + str(oct(st.st_mode)) + |
| 81 | " uid: " + str(st.st_uid) + " gid: " + str(st.st_gid) + '\n') |
| 82 | if ((st.st_mode & S_ISUID) == S_ISUID): |
| 83 | self.setuid_files.append(i) |
| 84 | if ((st.st_mode & S_ISGID) == S_ISGID): |
| 85 | self.setgid_files.append(i) |
| 86 | if ((st.st_mode & S_IWOTH) == S_IWOTH): |
| 87 | if (((st.st_mode & S_IFDIR) == S_IFDIR) and ((st.st_mode & S_ISVTX) != S_ISVTX)): |
| 88 | self.no_sticky_bit_ww_dirs.append(i) |
| 89 | if (((st.st_mode & S_IFREG) == S_IFREG) and ((st.st_mode & S_IFLNK) != S_IFLNK)): |
| 90 | self.ww_files.append(i) |
| 91 | self.write_problems_report(ISA_filesystem) |
| 92 | self.write_problems_report_xml(ISA_filesystem) |
| 93 | else: |
| 94 | with open(self.logfile, 'a') as flog: |
| 95 | flog.write( |
| 96 | "Mandatory arguments such as image name and path to the filesystem are not provided!\n") |
| 97 | flog.write("Not performing the call.\n") |
| 98 | else: |
| 99 | with open(self.logfile, 'a') as flog: |
| 100 | flog.write( |
| 101 | "Plugin hasn't initialized! Not performing the call.\n") |
| 102 | |
| 103 | def write_problems_report(self, ISA_filesystem): |
| 104 | with open(self.problems_report_name + "_" + ISA_filesystem.img_name, 'w') as fproblems_report: |
| 105 | fproblems_report.write( |
| 106 | "Report for image: " + ISA_filesystem.img_name + '\n') |
| 107 | fproblems_report.write( |
| 108 | "With rootfs location at " + ISA_filesystem.path_to_fs + "\n\n") |
| 109 | fproblems_report.write("Files with SETUID bit set:\n") |
| 110 | for item in self.setuid_files: |
| 111 | fproblems_report.write(item + '\n') |
| 112 | fproblems_report.write("\n\nFiles with SETGID bit set:\n") |
| 113 | for item in self.setgid_files: |
| 114 | fproblems_report.write(item + '\n') |
| 115 | fproblems_report.write("\n\nWorld-writable files:\n") |
| 116 | for item in self.ww_files: |
| 117 | fproblems_report.write(item + '\n') |
| 118 | fproblems_report.write( |
| 119 | "\n\nWorld-writable dirs with no sticky bit:\n") |
| 120 | for item in self.no_sticky_bit_ww_dirs: |
| 121 | fproblems_report.write(item + '\n') |
| 122 | |
| 123 | def write_problems_report_xml(self, ISA_filesystem): |
| 124 | num_tests = len(self.setuid_files) + len(self.setgid_files) + \ |
| 125 | len(self.ww_files) + len(self.no_sticky_bit_ww_dirs) |
| 126 | root = etree.Element( |
| 127 | 'testsuite', name='FSA_Plugin', tests=str(num_tests)) |
| 128 | if self.setuid_files: |
| 129 | for item in self.setuid_files: |
| 130 | tcase1 = etree.SubElement( |
| 131 | root, 'testcase', classname='Files_with_SETUID_bit_set', name=item) |
| 132 | etree.SubElement( |
| 133 | tcase1, 'failure', message=item, type='violation') |
| 134 | if self.setgid_files: |
| 135 | for item in self.setgid_files: |
| 136 | tcase2 = etree.SubElement( |
| 137 | root, 'testacase', classname='Files_with_SETGID_bit_set', name=item) |
| 138 | etree.SubElement( |
| 139 | tcase2, 'failure', message=item, type='violation') |
| 140 | if self.ww_files: |
| 141 | for item in self.ww_files: |
| 142 | tcase3 = etree.SubElement( |
| 143 | root, 'testase', classname='World-writable_files', name=item) |
| 144 | etree.SubElement( |
| 145 | tcase3, 'failure', message=item, type='violation') |
| 146 | if self.no_sticky_bit_ww_dirs: |
| 147 | for item in self.no_sticky_bit_ww_dirs: |
| 148 | tcase4 = etree.SubElement( |
| 149 | root, 'testcase', classname='World-writable_dirs_with_no_sticky_bit', name=item) |
| 150 | etree.SubElement( |
| 151 | tcase4, 'failure', message=item, type='violation') |
| 152 | tree = etree.ElementTree(root) |
| 153 | output = self.problems_report_name + "_" + ISA_filesystem.img_name + '.xml' |
| 154 | try: |
| 155 | tree.write(output, encoding='UTF-8', |
| 156 | pretty_print=True, xml_declaration=True) |
| 157 | except TypeError: |
| 158 | tree.write(output, encoding='UTF-8', xml_declaration=True) |
| 159 | |
| 160 | def find_fsobjects(self, init_path): |
| 161 | list_of_files = [] |
| 162 | for (dirpath, dirnames, filenames) in os.walk(init_path): |
| 163 | if (dirpath != init_path): |
| 164 | list_of_files.append(str(dirpath)[:]) |
| 165 | for f in filenames: |
| 166 | list_of_files.append(str(dirpath + "/" + f)[:]) |
| 167 | return list_of_files |
| 168 | |
| 169 | # ======== supported callbacks from ISA ============= # |
| 170 | |
| 171 | |
| 172 | def init(ISA_config): |
| 173 | global FSAnalyzer |
| 174 | FSAnalyzer = ISA_FSChecker(ISA_config) |
| 175 | |
| 176 | |
| 177 | def getPluginName(): |
| 178 | return "ISA_FSChecker" |
| 179 | |
| 180 | |
| 181 | def process_filesystem(ISA_filesystem): |
| 182 | global FSAnalyzer |
| 183 | return FSAnalyzer.process_filesystem(ISA_filesystem) |
| 184 | |
| 185 | # ==================================================== # |