scripts: remove use of the term 'whitelist' from build helpers

The term "permitted list" is a better choice for the filtering
logic applied.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Daniel P. Berrangé 2020-06-16 09:39:12 +01:00
parent d66181c84e
commit d3475e71bc
5 changed files with 17 additions and 18 deletions


@ -35,7 +35,7 @@
import re import re
import sys import sys
whitelist = { permitted = {
"connectClose": True, "connectClose": True,
"connectIsEncrypted": True, "connectIsEncrypted": True,
"connectIsSecure": True, "connectIsSecure": True,
@ -58,7 +58,7 @@ whitelist = {
# XXX this vzDomainMigrateConfirm3Params looks # XXX this vzDomainMigrateConfirm3Params looks
# bogus - determine why it doesn't have a valid # bogus - determine why it doesn't have a valid
# ACL check. # ACL check.
implwhitelist = { implpermitted = {
"vzDomainMigrateConfirm3Params": True, "vzDomainMigrateConfirm3Params": True,
} }
@ -230,8 +230,8 @@ def process_file(filename):
api not in ["no", "name"] and api not in ["no", "name"] and
table != "virStateDriver"): table != "virStateDriver"):
if (impl not in acls and if (impl not in acls and
api not in whitelist and api not in permitted and
impl not in implwhitelist): impl not in implpermitted):
print(("%s:%d Missing ACL check in " + print(("%s:%d Missing ACL check in " +
"function '%s' for '%s'") % "function '%s' for '%s'") %
(filename, lineno, impl, api), (filename, lineno, impl, api),
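Review bot: The new names `permitted` and `implpermitted` no longer say what is being permitted, and in a script that checks ACL rules they can be read as "permitted by the ACL" rather than "allowed to have no ACL check". From their use in process_file, an entry in either dict suppresses the "Missing ACL check" report, so a one-line comment above each would help, e.g. `# APIs that may be implemented without an ACL check` above `permitted` and `# Implementation functions exempt from the ACL check requirement` above `implpermitted`. Every entry is an exemption from a security check, so recording next to each one why it is safe would make later additions easier to review. process_file starts and ends outside the hunk.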


@ -25,16 +25,16 @@ import re
import sys import sys
if len(sys.argv) != 3: if len(sys.argv) != 3:
print("syntax: %s ACCESS-FILE ACCESS-WHITELIST") print("syntax: %s ACCESS-FILE PERMITTED-ACCESS-FILE")
sys.exit(1) sys.exit(1)
access_file = sys.argv[1] access_file = sys.argv[1]
whitelist_file = sys.argv[2] permitted_file = sys.argv[2]
known_actions = ["open", "fopen", "access", "stat", "lstat", "connect"] known_actions = ["open", "fopen", "access", "stat", "lstat", "connect"]
files = [] files = []
whitelist = [] permitted = []
with open(access_file, "r") as fh: with open(access_file, "r") as fh:
for line in fh: for line in fh:
@ -52,7 +52,7 @@ with open(access_file, "r") as fh:
else: else:
raise Exception("Malformed line %s" % line) raise Exception("Malformed line %s" % line)
with open(whitelist_file, "r") as fh: with open(permitted_file, "r") as fh:
for line in fh: for line in fh:
line = line.rstrip("\n") line = line.rstrip("\n")
@ -70,7 +70,7 @@ with open(whitelist_file, "r") as fh:
"progname": m.group(4), "progname": m.group(4),
"testname": m.group(6), "testname": m.group(6),
} }
whitelist.append(rec) permitted.append(rec)
else: else:
m = re.search(r'''^(\S*)(:\s*(\S*)(\s*:\s*(.*))?)?$''', line) m = re.search(r'''^(\S*)(:\s*(\S*)(\s*:\s*(.*))?)?$''', line)
if m is not None: if m is not None:
@ -81,18 +81,18 @@ with open(whitelist_file, "r") as fh:
"progname": m.group(3), "progname": m.group(3),
"testname": m.group(5), "testname": m.group(5),
} }
whitelist.append(rec) permitted.append(rec)
else: else:
raise Exception("Malformed line %s" % line) raise Exception("Malformed line %s" % line)
# Now we should check if %traces is included in $whitelist. For # Now we should check if %traces is included in $permitted. For
# now checking just keys is sufficient # now checking just keys is sufficient
err = False err = False
for file in files: for file in files:
match = False match = False
for rule in whitelist: for rule in permitted:
if not re.match("^" + rule["path"] + "$", file["path"]): if not re.match("^" + rule["path"] + "$", file["path"]):
continue continue
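Review bot: The usage message on the changed `print` line still contains an unfilled `%s`, so a wrong argument count prints the literal text `syntax: %s ACCESS-FILE PERMITTED-ACCESS-FILE` with no program name. Since the line is being edited anyway, apply the format: `print("syntax: %s ACCESS-FILE PERMITTED-ACCESS-FILE" % sys.argv[0], file=sys.stderr)`. Writing to stderr keeps the message out of the `sort -u` pipe that the Makefile rule on this page feeds the script into. Separately, each `rule["path"]` read from the permitted file is used as a regular expression in `re.match("^" + rule["path"] + "$", ...)`, so an unescaped `.` in an entry matches any character; a comment in the list file stating that paths are patterns would help keep entries tight.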


@ -23,7 +23,6 @@ noninlined = {}
mocked = {} mocked = {}
# Functions in public header don't get the noinline annotation # Functions in public header don't get the noinline annotation
# so whitelist them here
noninlined["virEventAddTimeout"] = True noninlined["virEventAddTimeout"] = True
# This one confuses the script as its defined in the mock file # This one confuses the script as its defined in the mock file
# but is actually just a local helper # but is actually just a local helper


@ -458,14 +458,14 @@ check-access: file-access-clean
VIR_TEST_FILE_ACCESS=1 $(MAKE) $(AM_MAKEFLAGS) check VIR_TEST_FILE_ACCESS=1 $(MAKE) $(AM_MAKEFLAGS) check
$(RUNUTF8) $(PYTHON) $(top_srcdir)/scripts/check-file-access.py \ $(RUNUTF8) $(PYTHON) $(top_srcdir)/scripts/check-file-access.py \
$(abs_builddir)/test_file_access.txt \ $(abs_builddir)/test_file_access.txt \
$(abs_srcdir)/file_access_whitelist.txt | sort -u $(abs_srcdir)/permitted_file_access.txt | sort -u
file-access-clean: file-access-clean:
> test_file_access.txt > test_file_access.txt
endif WITH_LINUX endif WITH_LINUX
EXTRA_DIST += \ EXTRA_DIST += \
file_access_whitelist.txt permitted_file_access.txt
if WITH_TESTS if WITH_TESTS
noinst_PROGRAMS = $(test_programs) $(test_helpers) noinst_PROGRAMS = $(test_programs) $(test_helpers)


@ -1,6 +1,6 @@
# This is a whitelist that allows accesses to files not in our # This is a list of files not in our build directory nor source
# build directory nor source directory. The records are in the # directory which are permitted to be accessed by tests. The
# following formats: # records are in the following formats:
# #
# $path: $progname: $testname # $path: $progname: $testname
# $path: $action: $progname: $testname # $path: $action: $progname: $testname