def test_create_dir_no_write(bpf_program: BPFProgram, caplog, setup_testdir):
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox', FS_ACCESS.EXEC)

    with pytest.raises(subprocess.CalledProcessError):
        subprocess.check_call([OPEN_PATH, 'create-dir'])
def test_malicious_symlink_cannot_add_link(bpf_program: BPFProgram, caplog, setup_testdir):
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox', FS_ACCESS.WRITE)

    with pytest.raises(subprocess.CalledProcessError):
        subprocess.check_call([OPEN_PATH, 'malicious-symlink-read'])
def test_parent_child(bpf_program: BPFProgram, caplog, setup_testdir):
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ)

    with pytest.raises(subprocess.CalledProcessError):
        subprocess.check_call([OPEN_PATH, 'parent-child'])
def test_symlink_disallowed(bpf_program: BPFProgram, caplog, setup_testdir):
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox', FS_ACCESS.READ | FS_ACCESS.EXEC)

    with pytest.raises(subprocess.CalledProcessError):
        subprocess.check_call([OPEN_PATH, 'symlink'])
def test_unlink_no_rm(bpf_program: BPFProgram, caplog, setup_testdir):
    open('/tmp/bpfbox/e', 'a').close()
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox', FS_ACCESS.WRITE | FS_ACCESS.EXEC)

    with pytest.raises(subprocess.CalledProcessError):
        subprocess.check_call([OPEN_PATH, 'unlink'])
def test_fs_allow_write_and_append(bpf_program: BPFProgram, caplog, setup_testdir):
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.WRITE | FS_ACCESS.APPEND)

    subprocess.check_call([OPEN_PATH, 'simple-write-append'])

    subprocess.check_call([OPEN_PATH, 'simple-write-no-append'])
def test_fs_allow_append_only(bpf_program: BPFProgram, caplog, setup_testdir):
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.APPEND)

    subprocess.check_call([OPEN_PATH, 'simple-write-append'])

    with pytest.raises(subprocess.CalledProcessError):
        subprocess.check_call([OPEN_PATH, 'simple-write-no-append'])
def test_procfs(bpf_program: BPFProgram, caplog, setup_testdir):
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/proc', FS_ACCESS.EXEC)

    subprocess.check_call([OPEN_PATH, 'proc-self'])

    with pytest.raises(subprocess.CalledProcessError):
        subprocess.check_call([OPEN_PATH, 'proc-other', '1'])
def test_fs_allow_read_write(bpf_program: BPFProgram, caplog, setup_testdir):
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ | FS_ACCESS.WRITE)

    subprocess.check_call([OPEN_PATH, 'simple-read'])

    subprocess.check_call([OPEN_PATH, 'simple-read-and-write'])

    subprocess.check_call([OPEN_PATH, 'simple-read-and-readwrite'])
Example #10
0
def test_procfs_other_process(bpf_program: BPFProgram, caplog, setup_testdir):
    sleep_path = which('sleep')
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/proc', FS_ACCESS.EXEC)
    Commands.add_procfs_rule(OPEN_PATH, sleep_path, FS_ACCESS.READ | FS_ACCESS.EXEC)

    subprocess.check_call([OPEN_PATH, 'proc-self'])

    sleep_pid = subprocess.Popen([sleep_path, '10']).pid
    subprocess.check_call([OPEN_PATH, 'proc-other', str(sleep_pid)])
Example #11
0
 def load(self, policy: Policy):
     super().load(policy)
     state = self.calculate_state_number(policy)
     for _file in self.file:
         Commands.add_fs_rule(
             policy.profile,
             _file,
             FS_ACCESS.from_list(self.access),
             BPFBOX_ACTION.from_list(self.action),
             state=state,
         )
Example #12
0
def test_fs_complex_policy(bpf_program: BPFProgram, caplog, setup_testdir):
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ | FS_ACCESS.WRITE)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/b', FS_ACCESS.APPEND)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/c', FS_ACCESS.READ)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/d', FS_ACCESS.EXEC)

    subprocess.check_call([OPEN_PATH, 'complex'])

    subprocess.check_call([OPEN_PATH, 'complex-with-extra'])

    with pytest.raises(subprocess.CalledProcessError):
        subprocess.check_call([OPEN_PATH, 'complex-with-invalid'])
Example #13
0
def test_non_malicious_symlink_can_read_original(bpf_program: BPFProgram, caplog, setup_testdir):
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox', FS_ACCESS.WRITE)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.LINK)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ)

    subprocess.check_call([OPEN_PATH, 'malicious-symlink-read'])
Example #14
0
def test_rename_allowed(bpf_program: BPFProgram, caplog, setup_testdir):
    os.mkdir('/tmp/bpfbox/new_dir')
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox', FS_ACCESS.WRITE)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/new_dir', FS_ACCESS.WRITE | FS_ACCESS.EXEC)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.RM)

    subprocess.check_call([OPEN_PATH, 'rename'])
Example #15
0
def test_rename_no_newdir_write(bpf_program: BPFProgram, caplog, setup_testdir):
    os.mkdir('/tmp/bpfbox/new_dir')
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox', FS_ACCESS.WRITE)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/new_dir', FS_ACCESS.EXEC)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.RM)

    with pytest.raises(subprocess.CalledProcessError):
        subprocess.check_call([OPEN_PATH, 'rename'])
Example #16
0
def test_link_allowed(bpf_program: BPFProgram, caplog, setup_testdir):
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox', FS_ACCESS.WRITE)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.LINK)

    subprocess.check_call([OPEN_PATH, 'link'])
Example #17
0
def test_unlink_allowed(bpf_program: BPFProgram, caplog, setup_testdir):
    open('/tmp/bpfbox/e', 'a').close()
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox', FS_ACCESS.WRITE | FS_ACCESS.EXEC)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/e', FS_ACCESS.RM)

    subprocess.check_call([OPEN_PATH, 'unlink'])
Example #18
0
File: dsl.py Project: keyolk/bpfbox
 def __call__(self, profile: str) -> int:
     return Commands.add_fs_rule(profile, self.pathname, self.access,
                                 self.action)
Example #19
0
def test_chown_allowed(bpf_program: BPFProgram, caplog, setup_testdir):
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ | FS_ACCESS.SETATTR)

    subprocess.check_call([OPEN_PATH, 'chown-a'])
Example #20
0
def test_create_dir_allowed(bpf_program: BPFProgram, caplog, setup_testdir):
    Commands.add_profile(OPEN_PATH, False)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox/a', FS_ACCESS.READ, BPFBOX_ACTION.TAINT)
    Commands.add_fs_rule(OPEN_PATH, '/tmp/bpfbox', FS_ACCESS.WRITE | FS_ACCESS.EXEC)

    subprocess.check_call([OPEN_PATH, 'create-dir'])