tests: Introduce check-file-access.pl

This script will check output generated by virtestmock against a
white list. All non matching records found are printed out. So
far, the white list is rather sparse at the moment.
This test should be run only after all other tests have finished, and
should clean up the temporary file before their execution. Because
I'm unable to reflect these requirements in Makefile.am
correctly, I've introduced new target 'check-access' under which
this test is available.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
上级 6326865e
......@@ -67,6 +67,9 @@ rpm: clean
check-local: all tests
check-access:
@($(MAKE) $(AM_MAKEFLAGS) -C tests check-access)
cov: clean-cov
$(MKDIR_P) $(top_builddir)/coverage
$(LCOV) -c -o $(top_builddir)/coverage/libvirt.info.tmp \
......
......@@ -451,6 +451,19 @@ test_libraries += virusbmock.la \
$(NULL)
endif WITH_LINUX
if WITH_LINUX
check-access: file-access-clean
VIR_TEST_FILE_ACCESS=1 $(MAKE) $(AM_MAKEFLAGS) check
$(PERL) check-file-access.pl | sort -u
file-access-clean:
> test_file_access.txt
endif WITH_LINUX
EXTRA_DIST += \
check-file-access.pl \
file_access_whitelist.txt
if WITH_TESTS
noinst_PROGRAMS = $(test_programs) $(test_helpers)
noinst_LTLIBRARIES = $(test_libraries)
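Review bot: In the `check-access` recipe the exit status of `$(PERL) check-file-access.pl | sort -u` is that of `sort`, so the script's non-zero exit for accesses that are not on the whitelist never reaches make and the target reports success even when violations were printed. If the target is meant to gate on the result, run the script without the pipe, `$(PERL) check-file-access.pl`, and let the script de-duplicate its own output. Separately, `file-access-clean` truncates `test_file_access.txt` in the current directory, so the recipe presumably relies on the mock writing to that same relative path; a one-line comment saying so would help.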
......
#!/usr/bin/perl -w
#
# Copyright (C) 2016 Red Hat, Inc.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library. If not, see
# <http://www.gnu.org/licenses/>.
#
# This script is supposed to check test_file_access.txt file and
# warn about file accesses outside our working tree.
#
#
use strict;
use warnings;
my $access_file = "test_file_access.txt";
my $whitelist_file = "file_access_whitelist.txt";
my @files;
my @whitelist;
open FILE, "<", $access_file or die "Unable to open $access_file: $!";
while (<FILE>) {
chomp;
if (/^(\S*):\s*(\S*)(\s*:\s*(.*))?$/) {
my %rec;
${rec}{path} = $1;
${rec}{progname} = $2;
if (defined $4) {
${rec}{testname} = $4;
}
push (@files, \%rec);
} else {
die "Malformed line $_";
}
}
close FILE;
open FILE, "<", $whitelist_file or die "Unable to open $whitelist_file: $!";
while (<FILE>) {
chomp;
if (/^\s*#.*$/) {
# comment
} elsif (/^(\S*)(:\s*(\S*)(\s*:\s*(.*))?)?$/) {
my %rec;
${rec}{path} = $1;
if (defined $3) {
${rec}{progname} = $3;
}
if (defined $5) {
${rec}{testname} = $5;
}
push (@whitelist, \%rec);
} else {
die "Malformed line $_";
}
}
close FILE;
# Now we should check if %traces is included in $whitelist. For
# now checking just keys is sufficient
my $error = 0;
for my $file (@files) {
my $match = 0;
for my $rule (@whitelist) {
if (not %${file}{path} =~ m/^$rule->{path}$/) {
next;
}
if (defined %${rule}{progname} and
not %${file}{progname} =~ m/^$rule->{progname}$/) {
next;
}
if (defined %${rule}{testname} and
defined %${file}{testname} and
not %${file}{testname} =~ m/^$rule->{testname}$/) {
next;
}
$match = 1;
}
if (not $match) {
$error = 1;
print "$file->{path}: $file->{progname}";
print ": $file->{testname}" if defined %${file}{testname};
print "\n";
}
}
exit $error;
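Review bot: The comparison loop dereferences with `%${file}{path}`, `%${rule}{progname}` and similar, which Perl parses as a key/value hash slice; as far as I know that syntax needs Perl 5.20 or newer, and it only yields the intended value because the slice is evaluated in scalar context. Plain element access is portable and says what is meant, e.g. `if (not $file->{path} =~ m/^$rule->{path}$/) {` and `defined $rule->{progname}`, matching the `$file->{path}` form the `print` lines already use. Also worth a comment: a rule that names a testname still matches a record that has no testname, because that comparison is skipped when the record's testname is undefined, so such rules allow more than they appear to. The comment above the loop mentions `%traces` and `$whitelist`, which do not exist in the script; it should refer to `@files` and `@whitelist`.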
# This is a whitelist that allows accesses to files not in our
# build directory nor source directory. The records are in the
# following format:
#
# $path: $progname: $testname
#
# All these three are evaluated as perl RE. So to allow /dev/sda
# and /dev/sdb, you can just '/dev/sd[a-b]', or to allow
# /proc/$pid/status you can '/proc/\d+/status' and so on.
# Moreover, $progname and $testname can be empty, in which which
# case $path is allowed for all tests.
/bin/cat: sysinfotest
/bin/dirname: sysinfotest: x86 sysinfo
/bin/sleep: commandtest
/bin/true: commandtest
/dev/null
/dev/urandom
/etc/hosts
/proc/\d+/status
# This is just a dummy example, DO NOT USE IT LIKE THAT!
.*: nonexistent-test-touching-everything
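Review bot: The last entry, `.*: nonexistent-test-touching-everything`, is an active rule rather than a commented example, so the shipped list contains a path pattern that matches every file for any program whose name matches that string. Since the header says all three fields are evaluated as regular expressions, it is safer to keep the example inert, `# .*: nonexistent-test-touching-everything`. The header could also state that the checker anchors each pattern at both ends and that a literal `.` in a path has to be escaped.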