Add check_new_capabilities test 15/136115/1
authorjin-gyu.kim <jin-gyu.kim@samsung.com>
Wed, 28 Jun 2017 06:24:21 +0000 (15:24 +0900)
committerjin-gyu.kim <jin-gyu.kim@samsung.com>
Wed, 28 Jun 2017 06:24:32 +0000 (15:24 +0900)
- This test checks for new capabilities in the image.
- Add it to image_test.sh so that it runs at image creation time.

Change-Id: I13444e8ca978cb03b8e9f00b5f4b6229c6d30c44

test/capability_test/CMakeLists.txt
test/capability_test/check_new_capabilities.sh [new file with mode: 0644]
test/capability_test/new_capabilities_exception.list [new file with mode: 0644]
test/image_test.sh

index 1749c5ce89c0cd6a6fac5b5dbdb569acb0fb8293..78fab6084369cb115c17141f3d23c23216ec8416 100755 (executable)
@@ -23,11 +23,13 @@ ELSEIF("${ARCH}" STREQUAL "x86_64")
                FILE(GLOB W_ROOT_DAEMON_LIST "${CMAKE_SOURCE_DIR}/test/capability_test/list/emul/wearable/root_daemon_list")
                FILE(GLOB W_CAP_MAC_EXCEPTION_LIST "${CMAKE_SOURCE_DIR}/test/capability_test/list/emul/wearable/cap_mac_exception_list")
 ENDIF()
+FILE(GLOB CHECK_NEW_CAPABILITITES_EXCEPTION_LIST "${CMAKE_SOURCE_DIR}/test/capability_test/new_capabilities_exception.list")
 
 INSTALL(FILES
        ${SHELL_SCRIPT}
        ${W_ROOT_DAEMON_LIST}
        ${W_CAP_MAC_EXCEPTION_LIST}
+       ${CHECK_NEW_CAPABILITITES_EXCEPTION_LIST}
        DESTINATION
        /opt/share/security-config/test/capability_test/wearable
 )
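Review bot: The exception list is installed into `.../capability_test/wearable` here and `.../capability_test/mobile` in the second INSTALL hunk, but check_new_capabilities.sh in this commit reads it from `/opt/share/security-config/test/capability_test/new_capabilities_exception.list`. Unless a packaging step outside this diff relocates the file, the lookup finds no list and every capability on the image is reported as new. Install it where the script reads it, e.g. `INSTALL(FILES ${CMAKE_SOURCE_DIR}/test/capability_test/new_capabilities_exception.list DESTINATION /opt/share/security-config/test/capability_test)`. Naming the file directly instead of using `FILE(GLOB ...)` also turns a missing list into an install error rather than a silently empty variable, and the variable name is misspelled (`CAPABILITITES`).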
@@ -35,6 +37,7 @@ INSTALL(FILES
        ${SHELL_SCRIPT}
        ${M_ROOT_DAEMON_LIST}
        ${M_CAP_MAC_EXCEPTION_LIST}
+       ${CHECK_NEW_CAPABILITITES_EXCEPTION_LIST}
        DESTINATION
        /opt/share/security-config/test/capability_test/mobile
 )
diff --git a/test/capability_test/check_new_capabilities.sh b/test/capability_test/check_new_capabilities.sh
new file mode 100644 (file)
index 0000000..696064d
--- /dev/null
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+exception_list_path="/opt/share/security-config/test/capability_test/new_capabilities_exception.list"
+result_file="/opt/share/security-config/result/check_new_capabilities.result"
+log_file="/opt/share/security-config/log/check_new_capabilities.log"
+get_cap_tmp_path="/opt/share/security-config/test/capability_test/get_cap.list"
+
+# check exception
+# args : $1 = getcap result
+function check_exception
+{
+       check_result=$(/usr/bin/cat $exception_list_path | grep "$1")
+       if [ "$check_result" = "" ] # This seems newly added capability. Add to log file.
+       then            
+               echo "$1" >> $log_file
+       fi
+}
+
+# init result and log
+echo "Run verify capabilities test"
+if [ -e "$log_file" ]
+then
+       rm $log_file
+fi
+if [ -e "$result_file" ]
+then
+       rm $result_file
+fi
+
+# list capabilities
+/usr/sbin/getcap / -r 2>/dev/null >> $get_cap_tmp_path
+while read line
+do
+       check_exception "$line"
+done < <(/usr/bin/cat $get_cap_tmp_path)
+
+if [ -e $get_cap_tmp_path ]
+then
+       rm $get_cap_tmp_path
+fi
+if [ ! -e $log_file ]
+then
+       echo "YES" > $result_file
+else
+       echo "NO" > $result_file
+fi
+
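Review bot: check_exception matches with `grep "$1"`, which treats the getcap line as a regular expression and accepts it when it appears anywhere inside an exception entry, so a path/capability pair that is not on the list can still pass as excepted. Use a literal whole-line match, `grep -Fxq -- "$1" "$exception_list_path"`. The scan also fails open: getcap's stderr is discarded and its status ignored, so if getcap is absent or cannot run, no log is written and the result is `YES`. Because the output is appended with `>>`, a leftover `get_cap.list` from an interrupted run is also re-read. `/usr/sbin/getcap -r / 2>/dev/null > "$get_cap_tmp_path" || echo "getcap failed" >> "$log_file"` covers both, and `while IFS= read -r line` plus quoting `$log_file`, `$result_file` and `$get_cap_tmp_path` keeps unusual paths intact.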
diff --git a/test/capability_test/new_capabilities_exception.list b/test/capability_test/new_capabilities_exception.list
new file mode 100644 (file)
index 0000000..83425cb
--- /dev/null
@@ -0,0 +1,40 @@
+/usr/sbin/tayga = cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
+/usr/sbin/xtables-multi = cap_net_admin,cap_net_raw,cap_sys_admin+ei
+/usr/sbin/named = cap_fowner,cap_net_bind_service,cap_net_admin,cap_sys_chroot+eip
+/usr/sbin/lwresd = cap_fowner,cap_net_bind_service,cap_net_admin,cap_sys_chroot+eip
+/usr/sbin/sdbd = cap_dac_override,cap_setgid,cap_setuid,cap_sys_admin+eip
+/usr/sbin/hostapd = cap_fowner,cap_net_bind_service,cap_net_admin,cap_net_raw+eip
+/usr/sbin/ip = cap_net_admin+ei
+/usr/sbin/wpa_supplicant = cap_net_admin,cap_net_raw+eip
+/usr/bin/focus_server = cap_chown,cap_fowner,cap_lease+eip
+/usr/bin/touch = cap_dac_override+ei
+/usr/bin/pkgdir-tool = cap_chown,cap_dac_override,cap_fowner+eip
+/usr/bin/msg-server = cap_chown,cap_net_admin,cap_net_raw,cap_lease+eip
+/usr/bin/media-server = cap_dac_read_search+eip
+/usr/bin/alarm-server = cap_sys_time+eip
+/usr/bin/systemd-user-helper = cap_dac_override,cap_setgid,cap_sys_admin,cap_mac_override,cap_mac_admin+ei
+/usr/bin/csr-server = cap_dac_override,cap_fowner+eip
+/usr/bin/pkgmgr-server = cap_chown,cap_dac_override,cap_fsetid,cap_kill,cap_setgid,cap_setuid+eip
+/usr/bin/muse-server = cap_dac_override+eip
+/usr/bin/amd = cap_dac_override,cap_kill+ep
+/usr/bin/wrt-loader = cap_setgid,cap_sys_admin+ei
+/usr/bin/tpk-backend = cap_chown,cap_dac_override,cap_fowner+eip
+/usr/bin/launchpad-loader = cap_setgid+ei
+/usr/bin/email-service = cap_chown+eip
+/usr/bin/wgt-backend = cap_chown,cap_dac_override,cap_fowner+eip
+/usr/bin/download-provider = cap_chown,cap_dac_override+eip
+/usr/bin/chmod = cap_fowner+ei
+/usr/bin/sound_server = cap_chown,cap_fowner,cap_lease+eip
+/usr/bin/dnsmasq = cap_dac_override,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
+/usr/bin/feedbackd = cap_dac_override+eip
+/usr/bin/data-provider-master = cap_dac_read_search+eip
+/usr/bin/amixer = cap_dac_override+ei
+/usr/bin/pkg_getsize = cap_dac_read_search+eip
+/usr/bin/pkg_cleardata = cap_dac_override+eip
+/usr/bin/launchpad-process-pool = cap_dac_override,cap_setgid,cap_mac_admin+ei
+/usr/bin/mobileap-agent = cap_dac_override,cap_fowner,cap_net_bind_service,cap_net_admin+eip
+/usr/bin/chgrp = cap_chown+ei
+/usr/bin/xdelta3 = cap_dac_override+ei
+/usr/bin/telephony-daemon = cap_net_admin+eip
+/usr/bin/nether = cap_net_admin,cap_net_raw+eip
+/usr/bin/dotnet-launcher = cap_setgid,cap_mac_admin+ei
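Review bot: The baseline records no reason or owner for any entry, although it accepts grants as broad as cap_sys_admin, cap_setuid and cap_mac_admin. One list is also installed for both the mobile and wearable profiles, while the other capability lists in CMakeLists.txt are kept per profile. A short header such as `# Accepted file-capability baseline; each new line needs a security review reference` would help, provided the checker ignores comment lines. Entries are tied to the exact getcap output string, so a change in capability order or getcap formatting would flag every file; that is worth stating in the header too.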
index 7c575615a0f45a50aae8c64bd8315830aed6530d..797607c4690751847d81af8ee5d81ff0730d8650 100644 (file)
@@ -71,6 +71,19 @@ then
        fi
 fi
 
+# capability test
+check_new_capability_test="$security_test_path/capability_test/check_new_capabilities.sh"
+check_new_capability_log="$log_path/check_new_capabilities.log"
+if [ -e  $check_new_capability_test ]
+then
+       $check_new_capability_test 1>/dev/null 2>/dev/null
+       if [ -e "$check_new_capability_log" ]
+       then
+               echo "###### new capabilites list ######" >> $log_file
+               cat $check_new_capability_log >> $log_file
+       fi
+fi
+
 # Print the failed lists in build log
 if [ -e "$log_file" ]
 then
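Review bot: The added block fails open when the script cannot run: its output goes to /dev/null, its exit status is ignored, and only the presence of `check_new_capabilities.log` is tested, so a missing or non-executable script looks like a clean result. The script is added with mode 0644 in this commit, so direct execution depends on permissions being set somewhere not visible here. Consider `/bin/bash "$check_new_capability_test" >/dev/null 2>&1 || echo "check_new_capabilities.sh did not run" >> "$log_file"`, plus an `else` branch that records a missing script in `$log_file`. The `if [ -e "$log_file" ]` block that follows the addition continues outside the hunk.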