|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH v2 6/6] RFC: tools/dm_restrict: Enable QEMU sandboxing
On 09/24/2018 12:21 PM, Ian Jackson wrote:
> Apropos of our conversation on IRC, I looked at the checker script in
> detail.
>
>> #!/bin/bash
>>
>> domain="$1"
>
> Just noticed this, but: OMG no `set -e'.
> You probably want `set -o pipefail' too.
`set -e` never made any sense to me -- that's not the way I code in any
other language; why would scripting be any different? What's the
advantage of doing that in the current script?
>> dmpid=$(xenstore-read /local/domain/$domid/image/device-model-pid
>> 2>/dev/null)
>> if [[ -z "$dmpid" ]] ; then
>> echo "xenstore-read failed"
>> exit 1
>> fi
>
> Why do you throw away the stderr from xenstore-read ?
That's left over from a previous version of the script, where I didn't
check to see whether $1 was numeric, but rather tried to interpret it as
numeric and if it failed, then ran `xl domid` on it. I can take that out.
>
>> failed="false"
>
> Quotes are not needed here and seem un-idiomatic to me when the RHS is
> a simple atom.
Sure.
>> # TEST: Process / group id
> ...
>> # FIXME: deal with other UID configurations?
>
> Since the test will fail if you don't do this, I think this is very
> sub-critical and you could drop the fixme.
This was really a question for the reviewer; probably it should have
been RFC rather than FIXME.
The question is: should the script handle the case where
`xen-qemuuser-shared` is defined instead of `xen-qemuuser-range-base`?
>> # Example input:
>> # Uid: 1193 1193 1193 1193
>> input=$(grep Uid /proc/$dmpid/status)
>
> I have commented on this grep, and the subsequent regexpery, already.
>
> But also: you check the uid and the gid, but by duplicating the code.
> Surely this could be a shell function.
>
>> echo -n "Process UID: "
>
> If this had been me, I would have written
> begin_test "Process UID"
> and then
>
>> result="PASSED"
>
> test_passed
>
>> for i in {1..4}; do
>> if [[ "${BASH_REMATCH[$i]}" != "$tgt_uid" ]] ; then
>> result="FAILED"
>> failed="true"
>
> In particular, you open-code setting `failed' everywhere. If you miss
> one then that could hide a test failure. So
> test_failed
> But you want to print a reason so
> test_failed "got $uidorgid $actual_id wanted $tgt_id"
>
> As a bonus, doing this now means you can fix the test output format to
> be more parseable by changing the code in one place.
>
>> if [[ "$root" != "$tgt_chroot" ]] ; then
>> echo "FAILED"
>
> You could introduce
> test_condition 'root directory' "$root" != "$tgt_chroot"
> which calls test_passed or test_failed as appropriate.
>
> If you have it return the same exit status as the test, you can use it
> for the uids where you would say
> test_condition "one $uidorgid" $actual_id = $tgt_id || break
> and the rest of the time you would have to write
> test_condition 'root directory' "$root" != "$tgt_chroot" ||:
I'll take a look at doing this if we decide to stick with bash.
>> function check_rlimit() {
>> limit_name=$1
>> limit_string=$2
>> tgt=$3
>>
>> echo -n "rlimit $limit_name: "
>> input=$(grep "^$limit_string" /proc/$dmpid/limits)
> ...
>> if [[ "$input" =~
>> ^$limit_string[[:space:]]*([^[:space:]]+)[[:space:]]*([^[:space:]]+)[[:space:]]*[^[:space:]]+
>> ]] ; then
>
> Because of the unfortunate format of /proc/PID/limits, you do can't
> just do the
> fields=($input)
> trick but
> fields=(${input#* })
What will this do?
-George
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |