
[Xen-devel] [PATCH v2 2/6] test/depriv: Add a tool to check process-level depriv



Add a tool to check whether the various process-level deprivileging
operations have actually taken place on the process.

The tool takes a domname or domid, and returns success or failure.

To begin with, only test the process/group id setting, since this is
the only restriction currently implemented.

Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
---
CC: Ian Jackson <ian.jackson@xxxxxxxxxx>
CC: Wei Liu <wei.liu2@xxxxxxxxxx>
CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
CC: Anthony Perard <anthony.perard@xxxxxxxxxx>
CC: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
---
 tools/tests/depriv/depriv-process-checker.sh | 71 ++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100755 tools/tests/depriv/depriv-process-checker.sh

diff --git a/tools/tests/depriv/depriv-process-checker.sh 
b/tools/tests/depriv/depriv-process-checker.sh
new file mode 100755
index 0000000000..4aa58e7760
--- /dev/null
+++ b/tools/tests/depriv/depriv-process-checker.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+domain="$1"
+
+if [[ "$domain" =~ ^[0-9]+$ ]] ; then
+    domid="$domain"
+else
+    domid=$(xl domid "$domain")
+fi
+
+dmpid=$(xenstore-read /local/domain/$domid/image/device-model-pid 2>/dev/null)
+if [[ -z "$dmpid" ]] ; then
+    echo "xenstore-read failed"
+    exit 1
+fi
+
+failed="false"
+
+# TEST: Process / group id
+#
+# Read /proc/<qpid>/status, checking Uid and Gid lines
+#
+# Uid should be xen-qemuuser-range-base+$domid
+# Gid should be 65534 ("nobody")
+# FIXME: deal with other UID configurations?
+echo -n "Process UID: "
+tgt_uid=$(id -u xen-qemuuser-range-base)
+tgt_uid=$(( $tgt_uid + $domid ))
+
+# Example input:
+# Uid: 1193    1193    1193    1193
+input=$(grep Uid /proc/$dmpid/status)
+if [[ "$input" =~ 
^Uid:[[:space:]]*([0-9]+)[[:space:]]*([0-9]+)[[:space:]]*([0-9]+)[[:space:]]*([0-9]+)$
 ]] ; then
+    result="PASSED"
+    for i in {1..4}; do
+       if [[ "${BASH_REMATCH[$i]}" != "$tgt_uid" ]] ; then
+           result="FAILED"
+           failed="true"
+           break
+       fi
+    done
+else
+    result="FAILED"
+    failed="true"
+fi
+echo $result
+
+# Example input:
+# Gid: 10020   10020   10020   10020
+echo -n "Process GID: "
+input=$(grep Uid /proc/$dmpid/status)
+if [[ "$input" =~ 
^Gid:[[:space:]]*([0-9]+)[[:space:]]*([0-9]+)[[:space:]]*([0-9]+)[[:space:]]*([0-9]+)$
 ]] ; then
+    result="PASSED"
+    for i in {1..4}; do
+       if [[ "${BASH_REMATCH[$i]}" != "$65534" ]] ; then
+           result="FAILED"
+           failed="true"
+           break
+       fi
+    done
+else
+    result="FAILED"
+    failed="true"
+fi
+echo $result
+
+if $failed ; then
+    exit 1
+else
+    exit 0
+fi
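Review bot: The GID test can never pass as written, for two reasons in the second block. First, `input=$(grep Uid /proc/$dmpid/status)` reads the Uid line again (copy-paste from the UID test), so the `^Gid:` regex never matches; this should be `grep Gid`. Second, `"$65534"` is not the literal 65534: bash expands `$6` (the sixth positional parameter, empty here) followed by the text `5534`, so the comparison is against "5534"; write `"65534"` or, better, put the expected value in a variable such as `tgt_gid=65534` mirroring `tgt_uid`. Separately, neither `xl domid "$domain"` nor `id -u xen-qemuuser-range-base` has its exit status checked: if either fails, `domid` or `tgt_uid` is empty, the xenstore path becomes `/local/domain//image/...` and the `$(( $tgt_uid + $domid ))` arithmetic errors out with an unhelpful message rather than a clear failure. Since the tool's whole purpose is to report a pass/fail, an `|| exit 1` with a message after each of those would keep a misconfigured host from being reported as a depriv failure (or vice versa). Minor: the comment says `/proc/<qpid>/status` while the variable is `dmpid`.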
-- 
2.18.0


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
