commit e8a6af3b0c333c035f8a648ba1198185e3a1efb8
author Nicolas Norvez <norvez@google.com> Thu Jun 16 19:01:48 2016 -0700
committer chrome-bot <chrome-bot@chromium.org> Tue Jun 21 01:51:48 2016 -0700
tree 3347accb456768b4803856c051cdf43ce4606ce5
parent 903704b6895241d1dcd281fa2abaa00239c3f54a

Modify expected listeners for ARC++

When the container is present sslh replaces sshd on port 22
to mux between adb and sshd. sshd listens on port 2222 instead
Test also no longer expects x11vnc, it has been removed (freon)

BUG=chromium:620781
TEST=security_NetworkListeners goes from failing to passing
on cyan and cyan-cheets

Change-Id: I60e77d77386cd8161f453751503098ba0dd31749
Reviewed-on: https://chromium-review.googlesource.com/353661
Commit-Ready: Nicolas Norvez <norvez@chromium.org>
Tested-by: Nicolas Norvez <norvez@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

client/site_tests/security_NetworkListeners/baseline.arc

diff --git a/client/site_tests/security_NetworkListeners/baseline.arc b/client/site_tests/security_NetworkListeners/baseline.arc
new file mode 100644
index 0000000..ea168e3
--- /dev/null
+++ b/client/site_tests/security_NetworkListeners/baseline.arc
@@ -0,0 +1,10 @@
+# These first entries are due to autotest noise. As you maintain this
+# list, consider offsetting it with a blacklist in
+# ensure_no_nonrelease_files.config.
+#
+# On ARC++ sshl-fork listens on port 22 and selects between adb and
+# sshd
+sshd *:2222
+sslh-fork *:ssh
+# Shill internal http proxy. crosbug.com/28235
+shill 127.0.0.1:DYNAMIC

client/site_tests/security_NetworkListeners/control

diff --git a/client/site_tests/security_NetworkListeners/control b/client/site_tests/security_NetworkListeners/control
index b31a9a7..ad07cd5 100644
--- a/client/site_tests/security_NetworkListeners/control
+++ b/client/site_tests/security_NetworkListeners/control
@@ -18,5 +18,6 @@
 TEST_CATEGORY = "Functional"
 TEST_TYPE = "client"
 JOB_RETRIES = 2
+ARC_MODE = "disabled"
 
 job.run_test("security_NetworkListeners")

client/site_tests/security_NetworkListeners/control.arc

diff --git a/client/site_tests/security_NetworkListeners/control.arc b/client/site_tests/security_NetworkListeners/control.arc
new file mode 100644
index 0000000..57bfa4a
--- /dev/null
+++ b/client/site_tests/security_NetworkListeners/control.arc
@@ -0,0 +1,24 @@
+# Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+TIME="SHORT"
+AUTHOR = "The Chromium OS Authors"
+DOC = """
+Enforces a whitelist of known, allowed processes with open network listens
+"""
+NAME = "security_NetworkListeners"
+PURPOSE = "To maintain a minimal set of network-facing attack surface"
+CRITERIA = """
+Fail if the list of processes listening on the network doesn't match the
+baseline
+"""
+ATTRIBUTES = "suite:arc-bvt-cq"
+TEST_CLASS = "security"
+TEST_CATEGORY = "Functional"
+TEST_TYPE = "client"
+JOB_RETRIES = 2
+ARC_MODE = "enabled"
+
+job.run_test("security_NetworkListeners", baseline_filename='baseline.arc',
+             arc_mode=ARC_MODE)

client/site_tests/security_NetworkListeners/security_NetworkListeners.py

diff --git a/client/site_tests/security_NetworkListeners/security_NetworkListeners.py b/client/site_tests/security_NetworkListeners/security_NetworkListeners.py
index 5d3d20a..96242e4 100644
--- a/client/site_tests/security_NetworkListeners/security_NetworkListeners.py
+++ b/client/site_tests/security_NetworkListeners/security_NetworkListeners.py
@@ -26,6 +26,9 @@
 _LSOF_NODE = -3
 _LSOF_NAME = -2
 
+
+_BASELINE_DEFAULT_NAME = 'baseline'
+
 # We log in so that we include any daemons that
 # might be spawned at login in our test results.
 class security_NetworkListeners(test.test):
@@ -78,12 +81,18 @@
         return lines_to_keep
 
 
-    def run_once(self):
+    def run_once(self, baseline_filename=None, arc_mode=None):
         """
         Compare a list of processes, listening on TCP ports, to a
         baseline. Test fails if there are mismatches.
+
+        @param baseline_filename: file with expected processes listening
+        @param arc_mode: ARC++ enabled or not
         """
-        with chrome.Chrome():
+        if baseline_filename is None:
+            baseline_filename = _BASELINE_DEFAULT_NAME
+
+        with chrome.Chrome(arc_mode=arc_mode):
             cmd = (r'lsof -n -i -sTCP:LISTEN | '
                    # Workaround for crosbug.com/28235 using a dynamic port #.
                    r'sed "s/\\(shill.*127.0.0.1\\):.*/\1:DYNAMIC LISTEN/g"')
@@ -101,7 +110,7 @@
                 observed_set.add('%s %s' % (fields[_LSOF_COMMAND],
                                             fields[_LSOF_NAME]))
 
-            baseline_set = self.load_baseline('baseline')
+            baseline_set = self.load_baseline(baseline_filename)
             # TODO(wiley) Remove when we get per-board
             #             baselines (crbug.com/406013)
             if webservd_helper.webservd_is_installed():