diff --git a/Makefile.am b/Makefile.am
index c52a4cbc43..da07e6c0d2 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -67,6 +67,9 @@ rpm: clean
 
 check-local: all tests
 
+check-access:
+	@($(MAKE) $(AM_MAKEFLAGS) -C tests check-access)
+
 cov: clean-cov
 	$(MKDIR_P) $(top_builddir)/coverage
 	$(LCOV) -c -o $(top_builddir)/coverage/libvirt.info.tmp \
diff --git a/tests/Makefile.am b/tests/Makefile.am
index ca3c8c34a1..238f6da020 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -451,6 +451,19 @@ test_libraries += virusbmock.la \
 		$(NULL)
 endif WITH_LINUX
 
+if WITH_LINUX
+check-access: file-access-clean
+	VIR_TEST_FILE_ACCESS=1 $(MAKE) $(AM_MAKEFLAGS) check
+	$(PERL) check-file-access.pl | sort -u
+
+file-access-clean:
+	> test_file_access.txt
+endif WITH_LINUX
+
+EXTRA_DIST += \
+	check-file-access.pl \
+	file_access_whitelist.txt
+
 if WITH_TESTS
 noinst_PROGRAMS = $(test_programs) $(test_helpers)
 noinst_LTLIBRARIES = $(test_libraries)
diff --git a/tests/check-file-access.pl b/tests/check-file-access.pl
new file mode 100755
index 0000000000..0c75ae9984
--- /dev/null
+++ b/tests/check-file-access.pl
@@ -0,0 +1,104 @@
+#!/usr/bin/perl -w
+#
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see
+# <http://www.gnu.org/licenses/>.
+#
+# This script is supposed to check test_file_access.txt file and
+# warn about file accesses outside our working tree.
+#
+#
+
+use strict;
+use warnings;
+
+my $access_file = "test_file_access.txt";
+my $whitelist_file = "file_access_whitelist.txt";
+
+my @files;
+my @whitelist;
+
+open FILE, "<", $access_file or die "Unable to open $access_file: $!";
+while (<FILE>) {
+    chomp;
+    if (/^(\S*):\s*(\S*)(\s*:\s*(.*))?$/) {
+        my %rec;
+        ${rec}{path} = $1;
+        ${rec}{progname} = $2;
+        if (defined $4) {
+            ${rec}{testname} = $4;
+        }
+        push (@files, \%rec);
+    } else {
+        die "Malformed line $_";
+    }
+}
+close FILE;
+
+open FILE, "<", $whitelist_file or die "Unable to open $whitelist_file: $!";
+while (<FILE>) {
+    chomp;
+    if (/^\s*#.*$/) {
+        # comment
+    } elsif (/^(\S*)(:\s*(\S*)(\s*:\s*(.*))?)?$/) {
+        my %rec;
+        ${rec}{path} = $1;
+        if (defined $3) {
+            ${rec}{progname} = $3;
+        }
+        if (defined $5) {
+            ${rec}{testname} = $5;
+        }
+        push (@whitelist, \%rec);
+    } else {
+        die "Malformed line $_";
+    }
+}
+close FILE;
+
+# Now we should check if %traces is included in $whitelist. For
+# now checking just keys is sufficient
+my $error = 0;
+for my $file (@files) {
+    my $match = 0;
+
+    for my $rule (@whitelist) {
+        if (not %${file}{path} =~ m/^$rule->{path}$/) {
+            next;
+        }
+
+        if (defined %${rule}{progname} and
+            not %${file}{progname} =~ m/^$rule->{progname}$/) {
+            next;
+        }
+
+        if (defined %${rule}{testname} and
+            defined %${file}{testname} and
+            not %${file}{testname} =~ m/^$rule->{testname}$/) {
+            next;
+        }
+
+        $match = 1;
+    }
+
+    if (not $match) {
+        $error = 1;
+        print "$file->{path}: $file->{progname}";
+        print ": $file->{testname}" if defined %${file}{testname};
+        print "\n";
+    }
+}
+
+exit $error;
diff --git a/tests/file_access_whitelist.txt b/tests/file_access_whitelist.txt
new file mode 100644
index 0000000000..850b28506e
--- /dev/null
+++ b/tests/file_access_whitelist.txt
@@ -0,0 +1,23 @@
+# This is a whitelist that allows accesses to files not in our
+# build directory nor source directory. The records are in the
+# following format:
+#
+#  $path: $progname: $testname
+#
+# All these three are evaluated as perl RE. So to allow /dev/sda
+# and /dev/sdb, you can just '/dev/sd[a-b]', or to allow
+# /proc/$pid/status you can '/proc/\d+/status' and so on.
+# Moreover, $progname and $testname can be empty, in which which
+# case $path is allowed for all tests.
+
+/bin/cat: sysinfotest
+/bin/dirname: sysinfotest: x86 sysinfo
+/bin/sleep: commandtest
+/bin/true: commandtest
+/dev/null
+/dev/urandom
+/etc/hosts
+/proc/\d+/status
+
+# This is just a dummy example, DO NOT USE IT LIKE THAT!
+.*: nonexistent-test-touching-everything