2019-12-03 16:29:12 +00:00
|
|
|
#!/usr/bin/env python3
|
2019-08-30 12:22:54 +00:00
|
|
|
#
|
|
|
|
# Copyright (C) 2013-2019 Red Hat, Inc.
|
|
|
|
#
|
|
|
|
# This library is free software; you can redistribute it and/or
|
|
|
|
# modify it under the terms of the GNU Lesser General Public
|
|
|
|
# License as published by the Free Software Foundation; either
|
|
|
|
# version 2.1 of the License, or (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This library is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
# Lesser General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU Lesser General Public
|
|
|
|
# License along with this library. If not, see
|
|
|
|
# <http://www.gnu.org/licenses/>.
|
|
|
|
#
|
|
|
|
# This script validates that the driver implementation of any
|
|
|
|
# public APIs contain ACL checks.
|
|
|
|
#
|
|
|
|
# As the script reads each source file, it attempts to identify
|
|
|
|
# top level function names.
|
|
|
|
#
|
|
|
|
# When reading the body of the functions, it looks for anything
|
|
|
|
# that looks like an API called named XXXEnsureACL. It will
|
|
|
|
# validate that the XXX prefix matches the name of the function
|
|
|
|
# it occurs in.
|
|
|
|
#
|
|
|
|
# When it later finds the virDriverPtr table, for each entry
|
|
|
|
# point listed, it will validate if there was a previously
|
|
|
|
# detected EnsureACL call recorded.
|
|
|
|
#
|
|
|
|
|
|
|
|
import re
|
|
|
|
import sys
|
|
|
|
|
2020-06-16 08:39:12 +00:00
|
|
|
permitted = {
|
2019-08-30 12:22:54 +00:00
|
|
|
"connectClose": True,
|
|
|
|
"connectIsEncrypted": True,
|
|
|
|
"connectIsSecure": True,
|
|
|
|
"connectIsAlive": True,
|
|
|
|
"networkOpen": True,
|
|
|
|
"networkClose": True,
|
|
|
|
"nwfilterOpen": True,
|
|
|
|
"nwfilterClose": True,
|
|
|
|
"secretOpen": True,
|
|
|
|
"secretClose": True,
|
|
|
|
"storageOpen": True,
|
|
|
|
"storageClose": True,
|
|
|
|
"interfaceOpen": True,
|
|
|
|
"interfaceClose": True,
|
|
|
|
"connectURIProbe": True,
|
|
|
|
"localOnly": True,
|
|
|
|
"domainQemuAttach": True,
|
|
|
|
}
|
|
|
|
|
|
|
|
# XXX this vzDomainMigrateConfirm3Params looks
|
|
|
|
# bogus - determine why it doesn't have a valid
|
|
|
|
# ACL check.
|
2020-06-16 08:39:12 +00:00
|
|
|
implpermitted = {
|
2019-08-30 12:22:54 +00:00
|
|
|
"vzDomainMigrateConfirm3Params": True,
|
|
|
|
}
|
|
|
|
|
scripts/check-aclrules.py: check ACL for domain_driver.c ACL callers
This script works under two specific conditions. For each opened file,
search for all functions that has ACL calls and store them, and see
if there is a vir*DriverPtr struct declared in it. For each implementation
found, check if there is an ACL verification inside it, and error out if
none was found. The script also supports the concept of stub, where another
function takes the responsibility for the ACL call instead of the
original API.
Unfortunately this is not enough to cover the new scenario we have now,
with domain_driver.c containing helper functions that execute the ACL
calls. The script does not store state between files because, until now,
it wasn't needed to - APIs and stubs and vir*DriverPtr declarations were
always in the same file. Also, the script will not check for ACL in functions
that does not belong to a vir*DriverPtr interface. What we have now in
domain_driver.c breaks both assumptions: the functions are in a different
file, and there is no vir*DriverPtr being implemented in the file that
uses these functions.
This patch changes check-aclrules.py to accomodate this scenario. The helpers
that have ACL checks are stored beforehand in aclFuncHelpers, allowing other
files to use them to recognize a stub situation. In case the current file
being analyzed is domain_driver.c itself, we'll do a manual check using
aclFuncHelpers to verify that these functions indeed have ACL checks.
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2021-02-02 20:44:34 +00:00
|
|
|
aclFuncHelpers = {
|
|
|
|
"virDomainDriverNodeDeviceDetachFlags": True,
|
|
|
|
"virDomainDriverNodeDeviceReset": True,
|
|
|
|
"virDomainDriverNodeDeviceReAttach": True,
|
|
|
|
}
|
|
|
|
|
|
|
|
aclFuncHelperFile = "domain_driver.c"
|
|
|
|
|
2019-08-30 12:22:54 +00:00
|
|
|
lastfile = None
|
|
|
|
|
|
|
|
|
|
|
|
def fixup_name(name):
|
|
|
|
name.replace("Nwfilter", "NWFilter")
|
|
|
|
name.replace("Pm", "PM")
|
|
|
|
name.replace("Scsi", "SCSI")
|
|
|
|
if name.endswith("Xml"):
|
|
|
|
name = name[:-3] + "XML"
|
|
|
|
elif name.endswith("Uri"):
|
|
|
|
name = name[:-3] + "URI"
|
|
|
|
elif name.endswith("Uuid"):
|
|
|
|
name = name[:-4] + "UUID"
|
|
|
|
elif name.endswith("Id"):
|
|
|
|
name = name[:-2] + "ID"
|
|
|
|
elif name.endswith("Mac"):
|
|
|
|
name = name[:-3] + "MAC"
|
|
|
|
elif name.endswith("Cpu"):
|
|
|
|
name = name[:-3] + "MAC"
|
|
|
|
elif name.endswith("Os"):
|
|
|
|
name = name[:-2] + "OS"
|
|
|
|
elif name.endswith("Nmi"):
|
|
|
|
name = name[:-3] + "NMI"
|
|
|
|
elif name.endswith("Fstrim"):
|
|
|
|
name = name[:-6] + "FSTrim"
|
|
|
|
elif name.endswith("Wwn"):
|
|
|
|
name = name[:-3] + "WWN"
|
|
|
|
|
|
|
|
return name
|
|
|
|
|
|
|
|
|
|
|
|
def name_to_ProcName(name):
|
|
|
|
elems = []
|
2019-11-20 18:05:13 +00:00
|
|
|
if "_" in name or name.lower() in ["open", "close"]:
|
2019-08-30 12:22:54 +00:00
|
|
|
elems = [n.lower().capitalize() for n in name.split("_")]
|
|
|
|
else:
|
|
|
|
elems = [name]
|
|
|
|
|
|
|
|
elems = [fixup_name(n) for n in elems]
|
|
|
|
procname = "".join(elems)
|
|
|
|
|
|
|
|
return procname[0:1].lower() + procname[1:]
|
|
|
|
|
|
|
|
|
|
|
|
proto = sys.argv[1]
|
|
|
|
|
|
|
|
filteredmap = {}
|
|
|
|
with open(proto, "r") as fh:
|
|
|
|
incomment = False
|
|
|
|
filtered = False
|
|
|
|
|
|
|
|
for line in fh:
|
2019-11-20 18:05:13 +00:00
|
|
|
if "/**" in line:
|
2019-08-30 12:22:54 +00:00
|
|
|
incomment = True
|
|
|
|
filtered = False
|
|
|
|
elif incomment:
|
2019-11-20 18:05:13 +00:00
|
|
|
if "* @aclfilter" in line:
|
2019-08-30 12:22:54 +00:00
|
|
|
filtered = True
|
|
|
|
elif filtered:
|
|
|
|
m = re.search(r'''REMOTE_PROC_(.*)\s+=\s*\d+''', line)
|
|
|
|
if m is not None:
|
|
|
|
api = name_to_ProcName(m.group(1))
|
|
|
|
# Event filtering is handled in daemon/remote.c
|
|
|
|
# instead of drivers
|
2019-11-20 19:10:13 +00:00
|
|
|
if "_EVENT_REGISTER" not in line:
|
2019-08-30 12:22:54 +00:00
|
|
|
filteredmap[api] = True
|
|
|
|
incomment = False
|
|
|
|
|
|
|
|
|
|
|
|
def process_file(filename):
|
|
|
|
brace = 0
|
|
|
|
maybefunc = None
|
|
|
|
intable = False
|
|
|
|
table = None
|
scripts/check-aclrules.py: check ACL for domain_driver.c ACL callers
This script works under two specific conditions. For each opened file,
search for all functions that has ACL calls and store them, and see
if there is a vir*DriverPtr struct declared in it. For each implementation
found, check if there is an ACL verification inside it, and error out if
none was found. The script also supports the concept of stub, where another
function takes the responsibility for the ACL call instead of the
original API.
Unfortunately this is not enough to cover the new scenario we have now,
with domain_driver.c containing helper functions that execute the ACL
calls. The script does not store state between files because, until now,
it wasn't needed to - APIs and stubs and vir*DriverPtr declarations were
always in the same file. Also, the script will not check for ACL in functions
that does not belong to a vir*DriverPtr interface. What we have now in
domain_driver.c breaks both assumptions: the functions are in a different
file, and there is no vir*DriverPtr being implemented in the file that
uses these functions.
This patch changes check-aclrules.py to accomodate this scenario. The helpers
that have ACL checks are stored beforehand in aclFuncHelpers, allowing other
files to use them to recognize a stub situation. In case the current file
being analyzed is domain_driver.c itself, we'll do a manual check using
aclFuncHelpers to verify that these functions indeed have ACL checks.
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2021-02-02 20:44:34 +00:00
|
|
|
aclHelperFileCheck = False
|
|
|
|
|
|
|
|
acls = aclFuncHelpers
|
|
|
|
|
|
|
|
if aclFuncHelperFile in filename:
|
|
|
|
acls = {}
|
|
|
|
aclHelperFileCheck = True
|
2019-08-30 12:22:54 +00:00
|
|
|
|
|
|
|
aclfilters = {}
|
|
|
|
errs = False
|
|
|
|
with open(filename, "r") as fh:
|
|
|
|
lineno = 0
|
|
|
|
for line in fh:
|
|
|
|
lineno = lineno + 1
|
|
|
|
if brace == 0:
|
|
|
|
# Looks for anything which appears to be a function
|
|
|
|
# body name. Doesn't matter if we pick up bogus stuff
|
|
|
|
# here, as long as we don't miss valid stuff
|
2019-11-20 18:13:29 +00:00
|
|
|
m = None
|
|
|
|
if "(" in line:
|
|
|
|
m = re.search(r'''\b(\w+)\(''', line)
|
2019-08-30 12:22:54 +00:00
|
|
|
if m is not None:
|
|
|
|
maybefunc = m.group(1)
|
|
|
|
elif brace > 0:
|
2019-11-20 18:13:29 +00:00
|
|
|
ensureacl = None
|
|
|
|
checkacl = None
|
|
|
|
stub = None
|
|
|
|
if "EnsureACL" in line:
|
|
|
|
ensureacl = re.search(r'''(\w+)EnsureACL''', line)
|
|
|
|
if "CheckACL" in line:
|
|
|
|
checkacl = re.search(r'''(\w+)CheckACL''', line)
|
|
|
|
if "(" in line:
|
|
|
|
stub = re.search(r'''\b(\w+)\(''', line)
|
2019-08-30 12:22:54 +00:00
|
|
|
if ensureacl is not None:
|
|
|
|
# Record the fact that maybefunc contains an
|
|
|
|
# ACL call, and make sure it is the right call!
|
|
|
|
func = ensureacl.group(1)
|
|
|
|
if func.startswith("vir"):
|
|
|
|
func = func[3:]
|
|
|
|
|
|
|
|
if maybefunc is None:
|
|
|
|
print("%s:%d Unexpected check '%s' outside function" %
|
|
|
|
(filename, lineno, func), file=sys.stderr)
|
|
|
|
errs = True
|
|
|
|
else:
|
|
|
|
if not maybefunc.lower().endswith(func.lower()):
|
|
|
|
print(("%s:%d Mismatch check 'vir%sEnsureACL'" +
|
|
|
|
"for function '%s'") %
|
|
|
|
(filename, lineno, func, maybefunc),
|
|
|
|
file=sys.stderr)
|
|
|
|
errs = True
|
|
|
|
acls[maybefunc] = True
|
|
|
|
elif checkacl:
|
|
|
|
# Record the fact that maybefunc contains an
|
|
|
|
# ACL filter call, and make sure it is the right call!
|
|
|
|
func = checkacl.group(1)
|
|
|
|
if func.startswith("vir"):
|
|
|
|
func = func[3:]
|
|
|
|
|
|
|
|
if maybefunc is None:
|
|
|
|
print("%s:%d Unexpected check '%s' outside function" %
|
|
|
|
(filename, lineno, func), file=sys.stderr)
|
|
|
|
errs = True
|
|
|
|
else:
|
|
|
|
if not maybefunc.lower().endswith(func.lower()):
|
|
|
|
print(("%s:%d Mismatch check 'vir%sCheckACL' " +
|
|
|
|
"for function '%s'") %
|
|
|
|
(filename, lineno, func, maybefunc),
|
|
|
|
file=sys.stderr)
|
|
|
|
errs = True
|
|
|
|
aclfilters[maybefunc] = True
|
|
|
|
elif stub:
|
|
|
|
# Handles case where we replaced an API with a new
|
|
|
|
# one which adds new parameters, and we're left with
|
|
|
|
# a simple stub calling the new API.
|
|
|
|
callfunc = stub.group(1)
|
|
|
|
if callfunc in acls:
|
|
|
|
acls[maybefunc] = True
|
|
|
|
|
|
|
|
if callfunc in aclfilters:
|
|
|
|
aclfilters[maybefunc] = True
|
|
|
|
|
|
|
|
# Pass the vir*DriverPtr tables and make sure that
|
|
|
|
# every func listed there, has an impl which calls
|
|
|
|
# an ACL function
|
|
|
|
if intable:
|
2019-11-20 18:13:29 +00:00
|
|
|
assign = None
|
|
|
|
if "=" in line:
|
|
|
|
assign = re.search(r'''\.(\w+)\s*=\s*(\w+),?''', line)
|
2019-11-20 18:05:13 +00:00
|
|
|
if "}" in line:
|
2019-08-30 12:22:54 +00:00
|
|
|
intable = False
|
|
|
|
table = None
|
|
|
|
elif assign is not None:
|
|
|
|
api = assign.group(1)
|
|
|
|
impl = assign.group(2)
|
|
|
|
|
|
|
|
if (impl != "NULL" and
|
|
|
|
api not in ["no", "name"] and
|
|
|
|
table != "virStateDriver"):
|
|
|
|
if (impl not in acls and
|
2020-06-16 08:39:12 +00:00
|
|
|
api not in permitted and
|
|
|
|
impl not in implpermitted):
|
2019-08-30 12:22:54 +00:00
|
|
|
print(("%s:%d Missing ACL check in " +
|
|
|
|
"function '%s' for '%s'") %
|
|
|
|
(filename, lineno, impl, api),
|
|
|
|
file=sys.stderr)
|
|
|
|
errs = True
|
|
|
|
|
|
|
|
if api in filteredmap and impl not in aclfilters:
|
|
|
|
print(("%s:%d Missing ACL filter in " +
|
|
|
|
"function '%s' for '%s'") %
|
|
|
|
(filename, lineno, impl, api),
|
|
|
|
file=sys.stderr)
|
|
|
|
errs = True
|
|
|
|
else:
|
2019-11-20 18:13:29 +00:00
|
|
|
m = None
|
|
|
|
if "Driver" in line:
|
|
|
|
m = re.search(r'''^(?:static\s+)?(vir(?:\w+)?Driver)\s+''',
|
|
|
|
line)
|
2019-08-30 12:22:54 +00:00
|
|
|
if m is not None:
|
|
|
|
name = m.group(1)
|
|
|
|
if name not in ["virNWFilterCallbackDriver",
|
|
|
|
"virNWFilterTechDriver",
|
|
|
|
"virDomainConfNWFilterDriver"]:
|
|
|
|
intable = True
|
|
|
|
table = name
|
|
|
|
|
2019-11-20 18:05:13 +00:00
|
|
|
if "{" in line:
|
2019-08-30 12:22:54 +00:00
|
|
|
brace = brace + 1
|
2019-11-20 18:05:13 +00:00
|
|
|
if "}" in line:
|
2019-08-30 12:22:54 +00:00
|
|
|
brace = brace - 1
|
|
|
|
|
scripts/check-aclrules.py: check ACL for domain_driver.c ACL callers
This script works under two specific conditions. For each opened file,
search for all functions that has ACL calls and store them, and see
if there is a vir*DriverPtr struct declared in it. For each implementation
found, check if there is an ACL verification inside it, and error out if
none was found. The script also supports the concept of stub, where another
function takes the responsibility for the ACL call instead of the
original API.
Unfortunately this is not enough to cover the new scenario we have now,
with domain_driver.c containing helper functions that execute the ACL
calls. The script does not store state between files because, until now,
it wasn't needed to - APIs and stubs and vir*DriverPtr declarations were
always in the same file. Also, the script will not check for ACL in functions
that does not belong to a vir*DriverPtr interface. What we have now in
domain_driver.c breaks both assumptions: the functions are in a different
file, and there is no vir*DriverPtr being implemented in the file that
uses these functions.
This patch changes check-aclrules.py to accomodate this scenario. The helpers
that have ACL checks are stored beforehand in aclFuncHelpers, allowing other
files to use them to recognize a stub situation. In case the current file
being analyzed is domain_driver.c itself, we'll do a manual check using
aclFuncHelpers to verify that these functions indeed have ACL checks.
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2021-02-02 20:44:34 +00:00
|
|
|
if aclHelperFileCheck:
|
|
|
|
for helper in aclFuncHelpers:
|
|
|
|
if helper not in acls:
|
|
|
|
print(("%s:%d Missing ACL check in helper function '%s'") %
|
|
|
|
(filename, lineno, helper),
|
|
|
|
file=sys.stderr)
|
|
|
|
|
|
|
|
errs = True
|
|
|
|
|
2019-08-30 12:22:54 +00:00
|
|
|
return errs
|
|
|
|
|
|
|
|
|
|
|
|
status = 0
|
|
|
|
for filename in sys.argv[2:]:
|
|
|
|
if process_file(filename):
|
|
|
|
status = 1
|
|
|
|
|
|
|
|
sys.exit(status)
|