From 33ddfaf4e6f50c45d103063805dcdf6b70320daf Mon Sep 17 00:00:00 2001 From: Daniel Henrique Barboza Date: Tue, 2 Feb 2021 17:44:34 -0300 Subject: [PATCH] scripts/check-aclrules.py: check ACL for domain_driver.c ACL callers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This script works under two specific conditions. For each opened file, search for all functions that have ACL calls and store them, and see if there is a vir*DriverPtr struct declared in it. For each implementation found, check if there is an ACL verification inside it, and error out if none was found. The script also supports the concept of stub, where another function takes the responsibility for the ACL call instead of the original API. Unfortunately this is not enough to cover the new scenario we have now, with domain_driver.c containing helper functions that execute the ACL calls. The script does not store state between files because, until now, it wasn't needed to - APIs and stubs and vir*DriverPtr declarations were always in the same file. Also, the script will not check for ACL in functions that do not belong to a vir*DriverPtr interface. What we have now in domain_driver.c breaks both assumptions: the functions are in a different file, and there is no vir*DriverPtr being implemented in the file that uses these functions. This patch changes check-aclrules.py to accommodate this scenario. The helpers that have ACL checks are stored beforehand in aclFuncHelpers, allowing other files to use them to recognize a stub situation. In case the current file being analyzed is domain_driver.c itself, we'll do a manual check using aclFuncHelpers to verify that these functions indeed have ACL checks. Reviewed-by: Ján Tomko Signed-off-by: Daniel Henrique Barboza --- scripts/check-aclrules.py | 25 ++++++++++++++++++++++++- src/hypervisor/meson.build | 2 ++ 2 files changed, 26 insertions(+), 1 deletion(-) 
diff --git a/scripts/check-aclrules.py b/scripts/check-aclrules.py index 2335e8cfdd..ed6805058b 100755 --- a/scripts/check-aclrules.py +++ b/scripts/check-aclrules.py @@ -62,6 +62,14 @@ implpermitted = { "vzDomainMigrateConfirm3Params": True, } +aclFuncHelpers = { + "virDomainDriverNodeDeviceDetachFlags": True, + "virDomainDriverNodeDeviceReset": True, + "virDomainDriverNodeDeviceReAttach": True, +} + +aclFuncHelperFile = "domain_driver.c" + lastfile = None @@ -136,8 +144,14 @@ def process_file(filename): maybefunc = None intable = False table = None + aclHelperFileCheck = False + + acls = aclFuncHelpers + + if aclFuncHelperFile in filename: + acls = {} + aclHelperFileCheck = True - acls = {} aclfilters = {} errs = False with open(filename, "r") as fh: @@ -262,6 +276,15 @@ def process_file(filename): if "}" in line: brace = brace - 1 + if aclHelperFileCheck: + for helper in aclFuncHelpers: + if helper not in acls: + print(("%s:%d Missing ACL check in helper function '%s'") % + (filename, lineno, helper), + file=sys.stderr) + + errs = True + return errs diff --git a/src/hypervisor/meson.build b/src/hypervisor/meson.build index 32d5ab365f..70801c0820 100644 --- a/src/hypervisor/meson.build +++ b/src/hypervisor/meson.build @@ -5,6 +5,8 @@ hypervisor_sources = [ 'virhostdev.c', ] +stateful_driver_source_files += files(hypervisor_sources) + hypervisor_lib = static_library( 'virt_hypervisor', [
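Review bot: `aclFuncHelpers` is added in the first hunk without a comment, yet every name in it is accepted as an ACL-performing callee in all files other than `domain_driver.c` (via the `acls = aclFuncHelpers` initialisation in `process_file`). Because this list decides whether a driver entry point passes the ACL coverage check, I would put a comment above it such as `# Helpers in domain_driver.c that perform the ACL check themselves; an API that calls one of them is treated as a stub. Keep in sync with domain_driver.c.` The same comment can mention that `aclFuncHelperFile` names the only file in which these helpers are themselves verified.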
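Review bot: `acls = aclFuncHelpers` in the second hunk binds the module-level dict itself rather than a copy, so anything the rest of `process_file` stores in `acls` (the body lies outside this hunk, but the replaced `acls = {}` suggests it is written to) accumulates across files. That would let a function name recorded while scanning one file satisfy the ACL lookup in a later file, and would also enlarge the set that the `domain_driver.c` verification iterates over, depending on file order. `acls = dict(aclFuncHelpers)` keeps the per-file isolation the script had before. Separately, `if aclFuncHelperFile in filename:` is a substring test and also matches a path such as `foo_domain_driver.c`; comparing against the basename would be stricter.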
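Review bot: The `lineno` printed by the message added in the third hunk is whatever value the read loop left behind, so the reported position is presumably the end of the file rather than the helper that lacks the check; if `lineno` is bound only by that loop (not visible here), an empty input would raise NameError at this point. I would drop the line number from this message, e.g. `print("%s: Missing ACL check in helper function '%s'" % (filename, helper), file=sys.stderr)`. This verification also runs only when `domain_driver.c` is among the files handed to the script, while the helper names are trusted in every other file regardless, so a comment such as `# Only effective if domain_driver.c is in the checked file list (see src/hypervisor/meson.build)` would make that dependency visible to the next maintainer.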