[Xen-devel] [PATCH v2 2/6] test/depriv: Add a tool to check process-level depriv
Add a tool to check whether the various process-level deprivileging operations have actually taken place on the process. The tool takes a domname or domid, and returns success or failure.

To begin with, only test the process/group id setting, since this is the only restriction currently implemented.

Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
---
CC: Ian Jackson <ian.jackson@xxxxxxxxxx>
CC: Wei Liu <wei.liu2@xxxxxxxxxx>
CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
CC: Anthony Perard <anthony.perard@xxxxxxxxxx>
CC: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
---
 tools/tests/depriv/depriv-process-checker.sh | 71 ++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100755 tools/tests/depriv/depriv-process-checker.sh

diff --git a/tools/tests/depriv/depriv-process-checker.sh b/tools/tests/depriv/depriv-process-checker.sh
new file mode 100755
index 0000000000..4aa58e7760
--- /dev/null
+++ b/tools/tests/depriv/depriv-process-checker.sh
@@ -0,0 +1,71 @@ +#!/bin/bash + +domain="$1" + +if [[ "$domain" =~ ^[0-9]+$ ]] ; then + domid="$domain" +else + domid=$(xl domid "$domain") +fi + +dmpid=$(xenstore-read /local/domain/$domid/image/device-model-pid 2>/dev/null) +if [[ -z "$dmpid" ]] ; then + echo "xenstore-read failed" + exit 1 +fi + +failed="false" + +# TEST: Process / group id +# +# Read /proc/<qpid>/status, checking Uid and Gid lines +# +# Uid should be xen-qemuuser-range-base+$domid +# Gid should be 65534 ("nobody") +# FIXME: deal with other UID configurations? +echo -n "Process UID: " +tgt_uid=$(id -u xen-qemuuser-range-base) +tgt_uid=$(( $tgt_uid + $domid )) + +# Example input: +# Uid: 1193 1193 1193 1193 +input=$(grep Uid /proc/$dmpid/status) +if [[ "$input" =~ ^Uid:[[:space:]]*([0-9]+)[[:space:]]*([0-9]+)[[:space:]]*([0-9]+)[[:space:]]*([0-9]+)$ ]] ; then + result="PASSED" + for i in {1..4}; do + if [[ "${BASH_REMATCH[$i]}" != "$tgt_uid" ]] ; then + result="FAILED" + failed="true" + break + fi + done +else + result="FAILED" + failed="true" +fi +echo $result + +# Example input: +# Gid: 10020 10020 10020 10020 +echo -n "Process GID: " +input=$(grep Uid /proc/$dmpid/status) +if [[ "$input" =~ ^Gid:[[:space:]]*([0-9]+)[[:space:]]*([0-9]+)[[:space:]]*([0-9]+)[[:space:]]*([0-9]+)$ ]] ; then + result="PASSED" + for i in {1..4}; do + if [[ "${BASH_REMATCH[$i]}" != "$65534" ]] ; then + result="FAILED" + failed="true" + break + fi + done +else + result="FAILED" + failed="true" +fi +echo $result + +if $failed ; then + exit 1 +else + exit 0 +fi -- 2.18.0 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
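Review bot: the GID check in this hunk greps the wrong line and compares against the wrong value, so it can never pass. The second `input=$(grep Uid /proc/$dmpid/status)`, the one followed by the `^Gid:` regex, should be `input=$(grep Gid /proc/$dmpid/status)`; and `"$65534"` expands `$6` (an unset positional parameter) followed by the literal `5534`, so the comparison target is the string `5534` rather than `65534`; it should read `"65534"`. A second point, further up: neither `domid=$(xl domid "$domain")` nor `tgt_uid=$(id -u xen-qemuuser-range-base)` has its exit status checked. If the `xen-qemuuser-range-base` user does not exist, `tgt_uid` is empty and `$(( $tgt_uid + $domid ))` silently evaluates to `$domid`, so the UID test compares against a bogus target instead of reporting a setup error; adding `|| { echo "..."; exit 1; }` after each command (or `set -e` at the top, with care around the intentionally failing `grep`s) would make the checker fail closed, which matters for a tool whose whole purpose is to confirm that privilege was actually dropped.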