[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2 6/6] RFC: tools/dm_restrict: Enable QEMU sandboxing


  • To: Ian Jackson <ian.jackson@xxxxxxxxxx>
  • From: George Dunlap <george.dunlap@xxxxxxxxxx>
  • Date: Mon, 24 Sep 2018 15:28:04 +0100
  • Autocrypt: addr=george.dunlap@xxxxxxxxxx; prefer-encrypt=mutual; keydata= xsFNBFPqG+MBEACwPYTQpHepyshcufo0dVmqxDo917iWPslB8lauFxVf4WZtGvQSsKStHJSj 92Qkxp4CH2DwudI8qpVbnWCXsZxodDWac9c3PordLwz5/XL41LevEoM3NWRm5TNgJ3ckPA+J K5OfSK04QtmwSHFP3G/SXDJpGs+oDJgASta2AOl9vPV+t3xG6xyfa2NMGn9wmEvvVMD44Z7R W3RhZPn/NEZ5gaJhIUMgTChGwwWDOX0YPY19vcy5fT4bTIxvoZsLOkLSGoZb/jHIzkAAznug Q7PPeZJ1kXpbW9EHHaUHiCD9C87dMyty0N3TmWfp0VvBCaw32yFtM9jUgB7UVneoZUMUKeHA fgIXhJ7I7JFmw3J0PjGLxCLHf2Q5JOD8jeEXpdxugqF7B/fWYYmyIgwKutiGZeoPhl9c/7RE Bf6f9Qv4AtQoJwtLw6+5pDXsTD5q/GwhPjt7ohF7aQZTMMHhZuS52/izKhDzIufl6uiqUBge 0lqG+/ViLKwCkxHDREuSUTtfjRc9/AoAt2V2HOfgKORSCjFC1eI0+8UMxlfdq2z1AAchinU0 eSkRpX2An3CPEjgGFmu2Je4a/R/Kd6nGU8AFaE8ta0oq5BSFDRYdcKchw4TSxetkG6iUtqOO ZFS7VAdF00eqFJNQpi6IUQryhnrOByw+zSobqlOPUO7XC5fjnwARAQABzSRHZW9yZ2UgVy4g RHVubGFwIDxkdW5sYXBnQHVtaWNoLmVkdT7CwYAEEwEKACoCGwMFCwkIBwMFFQoJCAsFFgID AQACHgECF4ACGQEFAlpk2IEFCQo9I54ACgkQpjY8MQWQtG1A1BAAnc0oX3+M/jyv4j/ESJTO U2JhuWUWV6NFuzU10pUmMqpgQtiVEVU2QbCvTcZS1U/S6bqAUoiWQreDMSSgGH3a3BmRNi8n HKtarJqyK81aERM2HrjYkC1ZlRYG+jS8oWzzQrCQiTwn3eFLJrHjqowTbwahoiMw/nJ+OrZO /VXLfNeaxA5GF6emwgbpshwaUtESQ/MC5hFAFmUBZKAxp9CXG2ZhTP6ROV4fwhpnHaz8z+BT NQz8YwA4gkmFJbDUA9I0Cm9D/EZscrCGMeaVvcyldbMhWS+aH8nbqv6brhgbJEQS22eKCZDD J/ng5ea25QnS0fqu3bMrH39tDqeh7rVnt8Yu/YgOwc3XmgzmAhIDyzSinYEWJ1FkOVpIbGl9 uR6seRsfJmUK84KCScjkBhMKTOixWgNEQ/zTcLUsfTh6KQdLTn083Q5aFxWOIal2hiy9UyqR VQydowXy4Xx58rqvZjuYzdGDdAUlZ+D2O3Jp28ez5SikA/ZaaoGI9S1VWvQsQdzNfD2D+xfL qfd9yv7gko9eTJzv5zFr2MedtRb/nCrMTnvLkwNX4abB5+19JGneeRU4jy7yDYAhUXcI/waS /hHioT9MOjMh+DoLCgeZJYaOcgQdORY/IclLiLq4yFnG+4Ocft8igp79dbYYHkAkmC9te/2x Kq9nEd0Hg288EO/OwE0EVFq6vQEIAO2idItaUEplEemV2Q9mBA8YmtgckdLmaE0uzdDWL9To 1PL+qdNe7tBXKOfkKI7v32fe0nB4aecRlQJOZMWQRQ0+KLyXdJyHkq9221sHzcxsdcGs7X3c 17ep9zASq+wIYqAdZvr7pN9a3nVHZ4W7bzezuNDAvn4EpOf/o0RsWNyDlT6KECs1DuzOdRqD oOMJfYmtx9hMzqBoTdr6U20/KgnC/dmWWcJAUZXaAFp+3NYRCkk7k939VaUpoY519CeLrymd Vdke66KCiWBQXMkgtMGvGk5gLQLy4H3KXvpXoDrYKgysy7jeOccxI8owoiOdtbfM8TTDyWPR Ygjzb9LApA8AEQEAAcLBZQQYAQoADwIbDAUCWmTXMwUJB+tP9gAKCRCmNjwxBZC0bb+2D/9h jn1k5WcRHlu19WGuH6q0Kgm1LRT7PnnSz904igHNElMB5a7wRjw5kdNwU3sRm2nnmHeOJH8k Yj2Hn1QgX5SqQsysWTHWOEseGeoXydx9zZZkt3oQJM+9NV1VjK0bOXwqhiQyEUWz5/9l467F S/k4FJ5CHNRumvhLa0l2HEEu5pxq463HQZHDt4YE/9Y74eXOnYCB4nrYxQD/GSXEZvWryEWr eDoaFqzq1TKtzHhFgQG7yFUEepxLRUUtYsEpT6Rks2l4LCqG3hVD0URFIiTyuxJx3VC2Ta4L H3hxQtiaIpuXqq2D4z63h6vCx2wxfZc/WRHGbr4NAlB81l35Q/UHyMocVuYLj0llF0rwU4Aj iKZ5qWNSEdvEpL43fTvZYxQhDCjQTKbb38omu5P4kOf1HT7s+kmQKRtiLBlqHzK17D4K/180 ADw7a3gnmr5RumcZP3NGSSZA6jP5vNqQpNu4gqrPFWNQKQcW8HBiYFgq6SoLQQWbRxJDHvTR YJ2ms7oCe870gh4D1wFFqTLeyXiVqjddENGNaP8ZlCDw6EU82N8Bn5LXKjR1GWo2UK3CjrkH pTt3YYZvrhS2MO2EYEcWjyu6LALF/lS6z6LKeQZ+t9AdQUcILlrx9IxqXv6GvAoBLJY1jjGB q+/kRPrWXpoaQn7FXWGfMqU+NkY9enyrlw==
  • Cc: Anthony Perard <anthony.perard@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>
  • Delivery-date: Mon, 24 Sep 2018 14:28:18 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Openpgp: preference=signencrypt

On 09/24/2018 12:21 PM, Ian Jackson wrote:
> Apropos of our conversation on IRC, I looked at the checker script in
> detail.
> 
>> #!/bin/bash
>>
>> domain="$1"
> 
> Just noticed this, but: OMG no `set -e'.
> You probably want `set -o pipefail' too.

`set -e` never made any sense to me -- that's not the way I code in any
other language; why would scripting be any different?  What's the
advantage of doing that in the current script?

>> dmpid=$(xenstore-read /local/domain/$domid/image/device-model-pid 
>> 2>/dev/null)
>> if [[ -z "$dmpid" ]] ; then
>>     echo "xenstore-read failed"
>>     exit 1
>> fi
> 
> Why do you throw away the stderr from xenstore-read ?

That's left over from a previous version of the script, where I didn't
check to see whether $1 was numeric, but rather tried to interpret it as
numeric and if it failed, then ran `xl domid` on it.  I can take that out.

> 
>> failed="false"
> 
> Quotes are not needed here and seem un-idiomatic to me when the RHS is
> a simple atom.

Sure.

>> # TEST: Process / group id
> ...
>> # FIXME: deal with other UID configurations?
> 
> Since the test will fail if you don't do this, I think this is very
> sub-critical and you could drop the fixme.

This was really a question for the reviewer; probably it should have
been RFC rather than FIXME.

The question is: should the script handle the case where
`xen-qemuuser-shared` is defined instead of `xen-qemuuser-range-base`?

>> # Example input:
>> # Uid:       1193    1193    1193    1193
>> input=$(grep Uid /proc/$dmpid/status)
> 
> I have commented on this grep, and the subsequent regexpery, already.
> 
> But also: you check the uid and the gid, but by duplicating the code.
> Surely this could be a shell function.
> 
>> echo -n "Process UID: "
> 
> If this had been me, I would have written
>    begin_test "Process UID"
> and then
> 
>>     result="PASSED"
> 
>       test_passed
> 
>>     for i in {1..4}; do
>>      if [[ "${BASH_REMATCH[$i]}" != "$tgt_uid" ]] ; then
>>          result="FAILED"
>>          failed="true"
> 
> In particular, you open-code setting `failed' everywhere.  If you miss
> one then that could hide a test failure.  So
>             test_failed
> But you want to print a reason so
>             test_failed "got $uidorgid $actual_id wanted $tgt_id"
> 
> As a bonus, doing this now means you can fix the test output format to
> be more parseable by changing the code in one place.
> 
>>     if [[ "$root" != "$tgt_chroot" ]] ; then
>>      echo "FAILED"
> 
> You could introduce
>             test_condition 'root directory' "$root" != "$tgt_chroot"
> which calls test_passed or test_failed as appropriate.
> 
> If you have it return the same exit status as the test, you can use it
> for the uids where you would say
>         test_condition "one $uidorgid" $actual_id = $tgt_id || break
> and the rest of the time you would have to write
>             test_condition 'root directory' "$root" != "$tgt_chroot" ||:

I'll take a look at doing this if we decide to stick with bash.

>> function check_rlimit() {
>>     limit_name=$1
>>     limit_string=$2
>>     tgt=$3
>>
>>     echo -n "rlimit $limit_name: "
>>     input=$(grep "^$limit_string" /proc/$dmpid/limits)
> ...
>>     if [[ "$input" =~ 
>> ^$limit_string[[:space:]]*([^[:space:]]+)[[:space:]]*([^[:space:]]+)[[:space:]]*[^[:space:]]+
>>  ]] ; then
> 
> Because of the unfortunate format of /proc/PID/limits, you do can't
> just do the
>     fields=($input)
> trick but
>     fields=(${input#*  })

What will this do?

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.