[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2 6/6] RFC: tools/dm_restrict: Enable QEMU sandboxing


  • To: Ian Jackson <ian.jackson@xxxxxxxxxx>
  • From: George Dunlap <george.dunlap@xxxxxxxxxx>
  • Date: Tue, 25 Sep 2018 15:24:44 +0100
  • Autocrypt: addr=george.dunlap@xxxxxxxxxx; prefer-encrypt=mutual; keydata= xsFNBFPqG+MBEACwPYTQpHepyshcufo0dVmqxDo917iWPslB8lauFxVf4WZtGvQSsKStHJSj 92Qkxp4CH2DwudI8qpVbnWCXsZxodDWac9c3PordLwz5/XL41LevEoM3NWRm5TNgJ3ckPA+J K5OfSK04QtmwSHFP3G/SXDJpGs+oDJgASta2AOl9vPV+t3xG6xyfa2NMGn9wmEvvVMD44Z7R W3RhZPn/NEZ5gaJhIUMgTChGwwWDOX0YPY19vcy5fT4bTIxvoZsLOkLSGoZb/jHIzkAAznug Q7PPeZJ1kXpbW9EHHaUHiCD9C87dMyty0N3TmWfp0VvBCaw32yFtM9jUgB7UVneoZUMUKeHA fgIXhJ7I7JFmw3J0PjGLxCLHf2Q5JOD8jeEXpdxugqF7B/fWYYmyIgwKutiGZeoPhl9c/7RE Bf6f9Qv4AtQoJwtLw6+5pDXsTD5q/GwhPjt7ohF7aQZTMMHhZuS52/izKhDzIufl6uiqUBge 0lqG+/ViLKwCkxHDREuSUTtfjRc9/AoAt2V2HOfgKORSCjFC1eI0+8UMxlfdq2z1AAchinU0 eSkRpX2An3CPEjgGFmu2Je4a/R/Kd6nGU8AFaE8ta0oq5BSFDRYdcKchw4TSxetkG6iUtqOO ZFS7VAdF00eqFJNQpi6IUQryhnrOByw+zSobqlOPUO7XC5fjnwARAQABzSRHZW9yZ2UgVy4g RHVubGFwIDxkdW5sYXBnQHVtaWNoLmVkdT7CwYAEEwEKACoCGwMFCwkIBwMFFQoJCAsFFgID AQACHgECF4ACGQEFAlpk2IEFCQo9I54ACgkQpjY8MQWQtG1A1BAAnc0oX3+M/jyv4j/ESJTO U2JhuWUWV6NFuzU10pUmMqpgQtiVEVU2QbCvTcZS1U/S6bqAUoiWQreDMSSgGH3a3BmRNi8n HKtarJqyK81aERM2HrjYkC1ZlRYG+jS8oWzzQrCQiTwn3eFLJrHjqowTbwahoiMw/nJ+OrZO /VXLfNeaxA5GF6emwgbpshwaUtESQ/MC5hFAFmUBZKAxp9CXG2ZhTP6ROV4fwhpnHaz8z+BT NQz8YwA4gkmFJbDUA9I0Cm9D/EZscrCGMeaVvcyldbMhWS+aH8nbqv6brhgbJEQS22eKCZDD J/ng5ea25QnS0fqu3bMrH39tDqeh7rVnt8Yu/YgOwc3XmgzmAhIDyzSinYEWJ1FkOVpIbGl9 uR6seRsfJmUK84KCScjkBhMKTOixWgNEQ/zTcLUsfTh6KQdLTn083Q5aFxWOIal2hiy9UyqR VQydowXy4Xx58rqvZjuYzdGDdAUlZ+D2O3Jp28ez5SikA/ZaaoGI9S1VWvQsQdzNfD2D+xfL qfd9yv7gko9eTJzv5zFr2MedtRb/nCrMTnvLkwNX4abB5+19JGneeRU4jy7yDYAhUXcI/waS /hHioT9MOjMh+DoLCgeZJYaOcgQdORY/IclLiLq4yFnG+4Ocft8igp79dbYYHkAkmC9te/2x Kq9nEd0Hg288EO/OwE0EVFq6vQEIAO2idItaUEplEemV2Q9mBA8YmtgckdLmaE0uzdDWL9To 1PL+qdNe7tBXKOfkKI7v32fe0nB4aecRlQJOZMWQRQ0+KLyXdJyHkq9221sHzcxsdcGs7X3c 17ep9zASq+wIYqAdZvr7pN9a3nVHZ4W7bzezuNDAvn4EpOf/o0RsWNyDlT6KECs1DuzOdRqD oOMJfYmtx9hMzqBoTdr6U20/KgnC/dmWWcJAUZXaAFp+3NYRCkk7k939VaUpoY519CeLrymd Vdke66KCiWBQXMkgtMGvGk5gLQLy4H3KXvpXoDrYKgysy7jeOccxI8owoiOdtbfM8TTDyWPR Ygjzb9LApA8AEQEAAcLBZQQYAQoADwIbDAUCWmTXMwUJB+tP9gAKCRCmNjwxBZC0bb+2D/9h jn1k5WcRHlu19WGuH6q0Kgm1LRT7PnnSz904igHNElMB5a7wRjw5kdNwU3sRm2nnmHeOJH8k Yj2Hn1QgX5SqQsysWTHWOEseGeoXydx9zZZkt3oQJM+9NV1VjK0bOXwqhiQyEUWz5/9l467F S/k4FJ5CHNRumvhLa0l2HEEu5pxq463HQZHDt4YE/9Y74eXOnYCB4nrYxQD/GSXEZvWryEWr eDoaFqzq1TKtzHhFgQG7yFUEepxLRUUtYsEpT6Rks2l4LCqG3hVD0URFIiTyuxJx3VC2Ta4L H3hxQtiaIpuXqq2D4z63h6vCx2wxfZc/WRHGbr4NAlB81l35Q/UHyMocVuYLj0llF0rwU4Aj iKZ5qWNSEdvEpL43fTvZYxQhDCjQTKbb38omu5P4kOf1HT7s+kmQKRtiLBlqHzK17D4K/180 ADw7a3gnmr5RumcZP3NGSSZA6jP5vNqQpNu4gqrPFWNQKQcW8HBiYFgq6SoLQQWbRxJDHvTR YJ2ms7oCe870gh4D1wFFqTLeyXiVqjddENGNaP8ZlCDw6EU82N8Bn5LXKjR1GWo2UK3CjrkH pTt3YYZvrhS2MO2EYEcWjyu6LALF/lS6z6LKeQZ+t9AdQUcILlrx9IxqXv6GvAoBLJY1jjGB q+/kRPrWXpoaQn7FXWGfMqU+NkY9enyrlw==
  • Cc: Anthony Perard <anthony.perard@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>
  • Delivery-date: Tue, 25 Sep 2018 14:31:33 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Openpgp: preference=signencrypt

On 09/25/2018 12:02 PM, Ian Jackson wrote:
> George Dunlap writes ("Re: [PATCH v2 6/6] RFC: tools/dm_restrict: Enable QEMU 
> sandboxing"):
>> On 09/24/2018 12:21 PM, Ian Jackson wrote:
>>> Just noticed this, but: OMG no `set -e'.
>>> You probably want `set -o pipefail' too.
>>
>> `set -e` never made any sense to me -- that's not the way I code in any
>> other language; why would scripting be any different?  What's the
>> advantage of doing that in the current script?
> 
> ?
> 
> Many modern languages throw exceptions.  set -e is a bit like that.
> If you don't say set -e then you need to wrap every everything in your
> entire script with an error check.

I'm not sure you can call such languages "modern" anymore. :-)  Neither
golang nor rust have exceptions, for example, by deliberate choice. I've
read golang's rationale for why not, and I tend to agree with them.
People complain about the fact that you always have to check errors in
golang, but it generally prods you to think about what would actually
happen if something went wrong at each point and do something sensible.
Rust seems to be following a similar example.

I suppose the difference between bash and golang / rust is that the
compiler prods you to actually do the checking, whereas in bash nothing
prods you to do the check; so `set -e` is actually somewhat safer: if
you forget to check a critical success / failure, exiting is probably
going to cause less havoc than blindly continuing.

> For example, you write
> 
>>>> dmpid=$(xenstore-read /local/domain/$domid/image/device-model-pid 
>>>> 2>/dev/null)
>>>> if [[ -z "$dmpid" ]] ; then
>>>>     echo "xenstore-read failed"
>>>>     exit 1
>>>> fi
>>>
>>> Why do you throw away the stderr from xenstore-read ?
>>
>> That's left over from a previous version of the script, where I didn't
>> check to see whether $1 was numeric, but rather tried to interpret it as
>> numeric and if it failed, then ran `xl domid` on it.  I can take that out.
> 
> but with set -e you can write only
> 
>     dmpid=$(xenstore-read /local/domain/$domid/image/device-model-pid)
> 
> and the subsequent if is not needed.

I think you misunderstood what I meant.  The original code looked
something like this:

# See if $domain is a domid
dmpid=$(xenstore-read /local/domain/$domain/... >2 /dev/null )
if [[ -z "$dmpid" ]] ; then
  # That didn't work; maybe it was a domain name instead
  domid=$(xl domid $domain)
  dmpid=$(xenstore-read /local/domain/$domid/...)

  # ... more error handling
fi

Without the pipe to /dev/null, if a user uses a domain name (i.e.,
'c6-01'), then the script will succeed, but there will be a spurious
error message when the first xenstore-read fails.

With `set -e`, I'd not only have to pipe to null, I'd also have to add
in "|| true" or something to keep the shell from exiting on an error.

In the current code, printing the error message is obviously better than
throwing it away.  But I still feel better checking the result and
giving a sensible follow-up error message than having a failure silently
exit, because I prefer to explicitly think about what happens when
things fail (and remind the people reading the code to do so as well).

>> The question is: should the script handle the case where
>> `xen-qemuuser-shared` is defined instead of `xen-qemuuser-range-base`?
> 
> I think it is fine if it doesn't.  If someone wants that feature it is
> easy to add it.

Ack

>>>> function check_rlimit() {
>>>>     limit_name=$1
>>>>     limit_string=$2
>>>>     tgt=$3
>>>>
>>>>     echo -n "rlimit $limit_name: "
>>>>     input=$(grep "^$limit_string" /proc/$dmpid/limits)
>>> ...
>>>>     if [[ "$input" =~ 
>>>> ^$limit_string[[:space:]]*([^[:space:]]+)[[:space:]]*([^[:space:]]+)[[:space:]]*[^[:space:]]+
>>>>  ]] ; then
>>>
>>> Because of the unfortunate format of /proc/PID/limits, you do can't
>>> just do the
>>>     fields=($input)
>>> trick but
>>>     fields=(${input#*  })
>>
>> What will this do?
> 
> The expression
>   ${input#*  }
> is the contents of input with the shortest prefix matching `*  '
> stripped off the front.  That will eat all the words at the start,
> which are separated by one space each, and find the first pair of
> adjacent spaces.  So if input is
>   'Max processes             63603                63603                
> processes 
> then "${input#*  }" is
>   '           63603                63603                processes 
> 
> Expanding it without the surrounding " " causes it to be word-split in
> the usual way, producing
>   63603 63603 processes
> and then this is assigned to a new bash array variable `fields'
> which can then be indexed to find the values.

That's an idea.  I'm not sure I like it much better than using a regexp
(now that the runes have been written), but I'll think about it.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.