Merge #374249 from ~rodsmith/plainbox-provider-checkbox:add-kernel-taint-test

Adds kernel taint test to Checkbox. 

1 files changed, 93 insertions, 0 deletions

diff --git a/bin/kernel_taint_test b/bin/kernel_taint_test
new file mode 100755
index 00000000..976ccb6b
--- /dev/null
+++ b/bin/kernel_taint_test
@@ -0,0 +1,93 @@
+#!/usr/bin/env python3
+"""
+Test that the kernel is not "tainted" by out-of-tree drivers, etc.
+
+Copyright (C) 2019 Canonical Ltd.
+
+Authors:
+ Rod Smith <rod.smith@canonical.com>
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3,
+as published by the Free Software Foundation.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+This script examines the /proc/sys/kernel/tainted file (or a user-specified
+file, for debugging purposes) and parses the contents to determine if the
+kernel is tainted. If so, the script reports the nature of the taint and
+returns a value of 1. The script also returns a value of 1 if
+# /proc/sys/kernel/tainted cannot be found or opened. If the kernel is NOT
+# tainted, the script notes this fact and returns 0.
+"""
+
+
+import sys
+from argparse import ArgumentParser
+
+
+# Note: If max_taints is increased, add descriptions to taint_meanings in
+# report_failures()
+max_taints = 17
+
+
+def find_taints(taint_file):
+ """Read the kernel-taint file."""
+ try:
+ f = open(taint_file, "r")
+ taints = int(f.read())
+ except OSError:
+ taints = 2**(max_taints+1) # Set so we have a non-0 value to return
+ print("Kernel taint file ({}) not found!".format(taint_file))
+ print("Kernel taint value is {}".format(taints))
+ return(taints)
+
+
+def report_failures(taints):
+ """Report the failure code and its meaning(s)."""
+ # Below meaning strings are taken from
+ # https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html
+ taint_meanings = ["proprietary module was loaded",
+ "module was force loaded",
+ "SMP kernel oops on an officially SMP incapable CPU",
+ "module was force unloaded",
+ "processor reported a Machine Check Exception (MCE)",
+ "bad page referenced or some unexpected page flags",
+ "taint requested by userspace application",
+ "kernel died recently, i.e. there was an OOPS or BUG",
+ "ACPI table overridden by user",
+ "kernel issued warning",
+ "staging driver was loaded",
+ "workaround for bug in platform firmware applied",
+ "externally-built ('out-of-tree') module was loaded",
+ "unsigned module was loaded",
+ "soft lockup occurred",
+ "kernel has been live patched",
+ "auxiliary taint, defined for and used by distros",
+ "kernel was built with the struct randomization plugin"]
+ for i in range(max_taints+1):
+ if (taints & (2 ** i)):
+ print("Taint bit value: {} ({})".format(i, taint_meanings[i]))
+ if taints == 0:
+ print("No kernel taints detected.")
+
+
+def main():
+ parser = ArgumentParser()
+ parser.add_argument('--taint-file',
+ default="/proc/sys/kernel/tainted",
+ help='The file that holds the taint information')
+ args = parser.parse_args()
+ taints = find_taints(args.taint_file)
+ report_failures(taints)
+ return(taints > 0)
+
+
+if __name__ == '__main__':
+ sys.exit(main())