[libvirt] [PATCH v2 3/3] tests: Introduce check-file-access.pl
Peter Krempa
pkrempa at redhat.com
Thu May 12 07:09:08 UTC 2016
On Tue, May 10, 2016 at 17:24:14 +0200, Michal Privoznik wrote:
> This script will check output generated by virtestmock against a
> white list. All non matching records found are printed out. So
> far, the white list is rather sparse at the moment.
> This test should be ran only after all other tests finished, and
> should cleanup the temporary file before their execution. Because
> I'm unable to reflect these requirements in Makefile.am
> correctly, I've introduced new target 'check-access' under which
> this test is available.
>
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
> Makefile.am | 3 ++
> tests/Makefile.am | 13 +++++
> tests/check-file-access.pl | 106 ++++++++++++++++++++++++++++++++++++++++
> tests/file_access_whitelist.txt | 23 +++++++++
> 4 files changed, 145 insertions(+)
> create mode 100755 tests/check-file-access.pl
> create mode 100644 tests/file_access_whitelist.txt
>
> diff --git a/Makefile.am b/Makefile.am
> index c52a4cb..da07e6c 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -67,6 +67,9 @@ rpm: clean
>
> check-local: all tests
>
> +check-access:
> + @($(MAKE) $(AM_MAKEFLAGS) -C tests check-access)
> +
> cov: clean-cov
> $(MKDIR_P) $(top_builddir)/coverage
> $(LCOV) -c -o $(top_builddir)/coverage/libvirt.info.tmp \
> diff --git a/tests/Makefile.am b/tests/Makefile.am
> index da68f2e..7cd641d 100644
> --- a/tests/Makefile.am
> +++ b/tests/Makefile.am
> @@ -451,6 +451,19 @@ test_libraries += virusbmock.la \
> $(NULL)
> endif WITH_LINUX
>
> +if WITH_LINUX
> +check-access: file-access-clean
> + $(MAKE) $(AM_MAKEFLAGS) check
> + $(PERL) check-file-access.pl
I added '| sort -u' while trying this. There's a lot of multiplicated
lines.
> +
> +file-access-clean:
> + > test_file_access.txt
> +endif WITH_LINUX
> +
> +EXTRA_DIST += \
> + check-file-access.pl \
> + file_access_whitelist.txt
> +
> if WITH_TESTS
> noinst_PROGRAMS = $(test_programs) $(test_helpers)
> noinst_LTLIBRARIES = $(test_libraries)
> diff --git a/tests/check-file-access.pl b/tests/check-file-access.pl
> new file mode 100755
> index 0000000..6e59201
> --- /dev/null
> +++ b/tests/check-file-access.pl
> @@ -0,0 +1,106 @@
> +#!/usr/bin/perl -w
> +#
> +# Copyright (C) 2016 Red Hat, Inc.
> +#
> +# This library is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU Lesser General Public
> +# License as published by the Free Software Foundation; either
> +# version 2.1 of the License, or (at your option) any later version.
> +#
> +# This library is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> +# Lesser General Public License for more details.
> +#
> +# You should have received a copy of the GNU Lesser General Public
> +# License along with this library. If not, see
> +# <http://www.gnu.org/licenses/>.
> +#
> +# This script is supposed to check test_file_access.txt file and
> +# warn about file accesses outside our working tree.
> +#
> +#
> +
> +use strict;
> +use warnings;
> +
> +my $access_file = "test_file_access.txt";
> +my $whitelist_file = "file_access_whitelist.txt";
> +
> +my @files;
> +my @whitelist;
> +
> +open FILE, "<", $access_file or die "Unable to open $access_file: $!";
> +while (<FILE>) {
> + chomp;
> + if (/^\s*#.*$/) {
> + # comment
Will this file ever contain comments?
> + } elsif (/^(\S*):\s*(\S*)(\s*:\s*(.*))?$/) {
> + my %rec;
> + ${rec}{path} = $1;
> + ${rec}{progname} = $2;
> + if (defined $4) {
> + ${rec}{testname} = $4;
> + }
> + push (@files, \%rec);
> + } else {
> + die "Malformed line $_";
> + }
> +}
> +close FILE;
> +
> +open FILE, "<", $whitelist_file or die "Unable to open $whitelist_file: $!";
> +while (<FILE>) {
> + chomp;
> + if (/^\s*#.*$/) {
> + # comment
> + } elsif (/^(\S*)(:\s*(\S*)(\s*:\s*(.*))?)?$/) {
> + my %rec;
> + ${rec}{path} = $1;
> + if (defined $3) {
> + ${rec}{progname} = $3;
> + }
> + if (defined $5) {
> + ${rec}{testname} = $5;
> + }
> + push (@whitelist, \%rec);
> + } else {
> + die "Malformed line $_";
> + }
> +}
> +close FILE;
> +
> +# Now we should check if %traces is included in $whitelist. For
> +# now checking just keys is sufficient
> +my $error = 0;
> +for my $file (@files) {
> + my $match = 0;
> +
> + for my $rule (@whitelist) {
> + if (not %${file}{path} =~ m/^$rule->{path}$/) {
> + next;
> + }
> +
> + if (defined %${rule}{progname} and
> + not %${file}{progname} =~ m/^$rule->{progname}$/) {
> + next;
> + }
> +
> + if (defined %${rule}{testname} and
> + defined %${file}{testname} and
> + not %${file}{testname} =~ m/^$rule->{testname}$/) {
> + next;
> + }
> +
> + $match = 1;
> + }
> +
> + if (not $match) {
> + $error = 1;
> + print "$file->{path}: $file->{progname}";
> + print ": $file->{testname}" if defined %${file}{testname};
> + print "\n";
> + }
> +}
> +
> +$error;
perl complains that the above line is useless. Also the script doesn't
return failure if it finds files out of the build path.
> diff --git a/tests/file_access_whitelist.txt b/tests/file_access_whitelist.txt
> new file mode 100644
> index 0000000..850b285
> --- /dev/null
> +++ b/tests/file_access_whitelist.txt
> @@ -0,0 +1,23 @@
> +# This is a whitelist that allows accesses to files not in our
> +# build directory nor source directory. The records are in the
> +# following format:
> +#
> +# $path: $progname: $testname
> +#
> +# All these three are evaluated as perl RE. So to allow /dev/sda
> +# and /dev/sdb, you can just '/dev/sd[a-b]', or to allow
> +# /proc/$pid/status you can '/proc/\d+/status' and so on.
> +# Moreover, $progname and $testname can be empty, in which which
> +# case $path is allowed for all tests.
> +
> +/bin/cat: sysinfotest
> +/bin/dirname: sysinfotest: x86 sysinfo
> +/bin/sleep: commandtest
> +/bin/true: commandtest
> +/dev/null
> +/dev/urandom
> +/etc/hosts
> +/proc/\d+/status
My test run showed that there is a looot of stuff to add unfortunately.
Looks good to me, but my perl knowledge is rather poor.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20160512/50a4a871/attachment-0001.sig>
More information about the libvir-list
mailing list