libvirt/scripts/check-file-access.py

#!/usr/bin/env python3
#
# Copyright (C) 2016-2019 Red Hat, Inc.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library.  If not, see
# <http://www.gnu.org/licenses/>.
#
# This script is supposed to check test_file_access.txt file and
# warn about file accesses outside our working tree.
#
#

import os
import re
import sys
import tempfile

abs_builddir = os.environ.get('abs_builddir', '')
abs_srcdir = os.environ.get('abs_srcdir', '')

access_fd, access_file = tempfile.mkstemp(dir=abs_builddir,
                                          prefix='file-access-',
                                          suffix='.txt')
permitted_file = os.path.join(abs_srcdir, 'permitted_file_access.txt')

os.environ['VIR_TEST_FILE_ACCESS_OUTPUT'] = access_file

test = ' '.join(sys.argv[1:])

ret = os.system(test)

if ret != 0 or os.read(access_fd, 10) == b'':
    os.close(access_fd)
    os.remove(access_file)
    sys.exit(ret)

known_actions = ["open", "fopen", "access", "stat", "lstat", "connect"]

files = []
permitted = []

with os.fdopen(access_fd, "r") as fh:
    for line in fh:
        line = line.rstrip("\n")

        m = re.search(r'''^(\S*):\s*(\S*):\s*(\S*)(\s*:\s*(.*))?$''', line)
        if m is not None:
            rec = {
                "path": m.group(1),
                "action": m.group(2),
                "progname": m.group(3),
                "testname": m.group(5),
            }
            files.append(rec)
        else:
            raise Exception("Malformed line %s" % line)

with open(permitted_file, "r") as fh:
    for line in fh:
        line = line.rstrip("\n")

        if re.search(r'''^\s*#.*$''', line):
            continue  # comment
        if line == "":
            continue

        m = re.search(r'''^(\S*):\s*(\S*)(:\s*(\S*)(\s*:\s*(.*))?)?$''', line)
        if m is not None and m.group(2) in known_actions:
            # $path: $action: $progname: $testname
            rec = {
                "path": m.group(1),
                "action": m.group(3),
                "progname": m.group(4),
                "testname": m.group(6),
            }
            permitted.append(rec)
        else:
            m = re.search(r'''^(\S*)(:\s*(\S*)(\s*:\s*(.*))?)?$''', line)
            if m is not None:
                # $path: $progname: $testname
                rec = {
                    "path": m.group(1),
                    "action": None,
                    "progname": m.group(3),
                    "testname": m.group(5),
                }
                permitted.append(rec)
            else:
                raise Exception("Malformed line %s" % line)


# Now we should check if %traces is included in $permitted. For
# now checking just keys is sufficient
err = False
for file in files:
    match = False

    for rule in permitted:
        if not re.match("^" + rule["path"] + "$", file["path"]):
            continue

        if (rule["action"] is not None and
                not re.match("^" + rule["action"] + "$", file["action"])):
            continue

        if (rule["progname"] is not None and
                not re.match("^" + rule["progname"] + "$", file["progname"])):
            continue

        if (rule["testname"] is not None and
                file["testname"] is not None and
                not re.match("^" + rule["testname"] + "$", file["testname"])):
            continue

        match = True

    if not match:
        err = True
        print("%s: %s: %s" %
              (file["path"], file["action"], file["progname"]),
              end="")
        if file["testname"] is not None:
            print(": %s" % file["testname"], end="")
        print("")

os.remove(access_file)

if err:
    sys.exit(1)
sys.exit(0)
tests: rewrite file access checker in Python As part of a goal to eliminate Perl from libvirt build tools, rewrite the check-file-access.pl tool in Python. This was a straight conversion, manually going line-by-line to change the syntax from Perl to Python. Thus the overall structure of the file and approach is the same. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2019-08-30 15:22:54 +03:00			`#!/usr/bin/env python3`
			`#`
			`# Copyright (C) 2016-2019 Red Hat, Inc.`
			`#`
			`# This library is free software; you can redistribute it and/or`
			`# modify it under the terms of the GNU Lesser General Public`
			`# License as published by the Free Software Foundation; either`
			`# version 2.1 of the License, or (at your option) any later version.`
			`#`
			`# This library is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`# Lesser General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU Lesser General Public`
			`# License along with this library. If not, see`
			`# <http://www.gnu.org/licenses/>.`
			`#`
			`# This script is supposed to check test_file_access.txt file and`
			`# warn about file accesses outside our working tree.`
			`#`
			`#`

meson: tests: add file access test setup We need to modify check-file-access.py to be usable as wrapper for libvirt tests. This way we can run the tests using this command: meson test --setup access which will run all tests using check-file-access.py as a wrapper. With autotools all file access are written into single file for all tests and compared once the whole test suite is done. With Meson we will compare the file access after every single test because it is used as wrapper now. That requires writing the file access into separate files for every single test as they are executed in parallel. Since the wrapper is used for all tests in Meson including tests outside of tests directory we have to check for presence of the output file. We should also cleanup after ourselves. Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> 2020-07-28 15:29:32 +03:00			`import os`
tests: rewrite file access checker in Python As part of a goal to eliminate Perl from libvirt build tools, rewrite the check-file-access.pl tool in Python. This was a straight conversion, manually going line-by-line to change the syntax from Perl to Python. Thus the overall structure of the file and approach is the same. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2019-08-30 15:22:54 +03:00			`import re`
			`import sys`
meson: tests: add file access test setup We need to modify check-file-access.py to be usable as wrapper for libvirt tests. This way we can run the tests using this command: meson test --setup access which will run all tests using check-file-access.py as a wrapper. With autotools all file access are written into single file for all tests and compared once the whole test suite is done. With Meson we will compare the file access after every single test because it is used as wrapper now. That requires writing the file access into separate files for every single test as they are executed in parallel. Since the wrapper is used for all tests in Meson including tests outside of tests directory we have to check for presence of the output file. We should also cleanup after ourselves. Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> 2020-07-28 15:29:32 +03:00			`import tempfile`
tests: rewrite file access checker in Python As part of a goal to eliminate Perl from libvirt build tools, rewrite the check-file-access.pl tool in Python. This was a straight conversion, manually going line-by-line to change the syntax from Perl to Python. Thus the overall structure of the file and approach is the same. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2019-08-30 15:22:54 +03:00
meson: tests: add file access test setup We need to modify check-file-access.py to be usable as wrapper for libvirt tests. This way we can run the tests using this command: meson test --setup access which will run all tests using check-file-access.py as a wrapper. With autotools all file access are written into single file for all tests and compared once the whole test suite is done. With Meson we will compare the file access after every single test because it is used as wrapper now. That requires writing the file access into separate files for every single test as they are executed in parallel. Since the wrapper is used for all tests in Meson including tests outside of tests directory we have to check for presence of the output file. We should also cleanup after ourselves. Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> 2020-07-28 15:29:32 +03:00			`abs_builddir = os.environ.get('abs_builddir', '')`
			`abs_srcdir = os.environ.get('abs_srcdir', '')`

			`access_fd, access_file = tempfile.mkstemp(dir=abs_builddir,`
			`prefix='file-access-',`
			`suffix='.txt')`
			`permitted_file = os.path.join(abs_srcdir, 'permitted_file_access.txt')`

			`os.environ['VIR_TEST_FILE_ACCESS_OUTPUT'] = access_file`
tests: rewrite file access checker in Python As part of a goal to eliminate Perl from libvirt build tools, rewrite the check-file-access.pl tool in Python. This was a straight conversion, manually going line-by-line to change the syntax from Perl to Python. Thus the overall structure of the file and approach is the same. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2019-08-30 15:22:54 +03:00
meson: tests: add file access test setup We need to modify check-file-access.py to be usable as wrapper for libvirt tests. This way we can run the tests using this command: meson test --setup access which will run all tests using check-file-access.py as a wrapper. With autotools all file access are written into single file for all tests and compared once the whole test suite is done. With Meson we will compare the file access after every single test because it is used as wrapper now. That requires writing the file access into separate files for every single test as they are executed in parallel. Since the wrapper is used for all tests in Meson including tests outside of tests directory we have to check for presence of the output file. We should also cleanup after ourselves. Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> 2020-07-28 15:29:32 +03:00			`test = ' '.join(sys.argv[1:])`

			`ret = os.system(test)`

			`if ret != 0 or os.read(access_fd, 10) == b'':`
			`os.close(access_fd)`
			`os.remove(access_file)`
			`sys.exit(ret)`
tests: rewrite file access checker in Python As part of a goal to eliminate Perl from libvirt build tools, rewrite the check-file-access.pl tool in Python. This was a straight conversion, manually going line-by-line to change the syntax from Perl to Python. Thus the overall structure of the file and approach is the same. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2019-08-30 15:22:54 +03:00
			`known_actions = ["open", "fopen", "access", "stat", "lstat", "connect"]`

			`files = []`
scripts: remove use of the term 'whitelist' from build helpers The term "permitted list" is a better choice for the filtering logic applied. Reviewed-by: Peter Krempa <pkrempa@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2020-06-16 11:39:12 +03:00			`permitted = []`
tests: rewrite file access checker in Python As part of a goal to eliminate Perl from libvirt build tools, rewrite the check-file-access.pl tool in Python. This was a straight conversion, manually going line-by-line to change the syntax from Perl to Python. Thus the overall structure of the file and approach is the same. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2019-08-30 15:22:54 +03:00
meson: tests: add file access test setup We need to modify check-file-access.py to be usable as wrapper for libvirt tests. This way we can run the tests using this command: meson test --setup access which will run all tests using check-file-access.py as a wrapper. With autotools all file access are written into single file for all tests and compared once the whole test suite is done. With Meson we will compare the file access after every single test because it is used as wrapper now. That requires writing the file access into separate files for every single test as they are executed in parallel. Since the wrapper is used for all tests in Meson including tests outside of tests directory we have to check for presence of the output file. We should also cleanup after ourselves. Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> 2020-07-28 15:29:32 +03:00			`with os.fdopen(access_fd, "r") as fh:`
tests: rewrite file access checker in Python As part of a goal to eliminate Perl from libvirt build tools, rewrite the check-file-access.pl tool in Python. This was a straight conversion, manually going line-by-line to change the syntax from Perl to Python. Thus the overall structure of the file and approach is the same. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2019-08-30 15:22:54 +03:00			`for line in fh:`
			`line = line.rstrip("\n")`

			`m = re.search(r'''^(\S):\s(\S):\s(\S)(\s:\s(.))?$''', line)`
			`if m is not None:`
			`rec = {`
			`"path": m.group(1),`
			`"action": m.group(2),`
			`"progname": m.group(3),`
			`"testname": m.group(5),`
			`}`
			`files.append(rec)`
			`else:`
			`raise Exception("Malformed line %s" % line)`

scripts: remove use of the term 'whitelist' from build helpers The term "permitted list" is a better choice for the filtering logic applied. Reviewed-by: Peter Krempa <pkrempa@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2020-06-16 11:39:12 +03:00			`with open(permitted_file, "r") as fh:`
tests: rewrite file access checker in Python As part of a goal to eliminate Perl from libvirt build tools, rewrite the check-file-access.pl tool in Python. This was a straight conversion, manually going line-by-line to change the syntax from Perl to Python. Thus the overall structure of the file and approach is the same. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2019-08-30 15:22:54 +03:00			`for line in fh:`
			`line = line.rstrip("\n")`

			`if re.search(r'''^\s#.$''', line):`
			`continue # comment`
			`if line == "":`
			`continue`

			`m = re.search(r'''^(\S):\s(\S)(:\s(\S)(\s:\s(.))?)?$''', line)`
			`if m is not None and m.group(2) in known_actions:`
			`# $path: $action: $progname: $testname`
			`rec = {`
			`"path": m.group(1),`
			`"action": m.group(3),`
			`"progname": m.group(4),`
			`"testname": m.group(6),`
			`}`
scripts: remove use of the term 'whitelist' from build helpers The term "permitted list" is a better choice for the filtering logic applied. Reviewed-by: Peter Krempa <pkrempa@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2020-06-16 11:39:12 +03:00			`permitted.append(rec)`
tests: rewrite file access checker in Python As part of a goal to eliminate Perl from libvirt build tools, rewrite the check-file-access.pl tool in Python. This was a straight conversion, manually going line-by-line to change the syntax from Perl to Python. Thus the overall structure of the file and approach is the same. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2019-08-30 15:22:54 +03:00			`else:`
			`m = re.search(r'''^(\S)(:\s(\S)(\s:\s(.))?)?$''', line)`
			`if m is not None:`
			`# $path: $progname: $testname`
			`rec = {`
			`"path": m.group(1),`
			`"action": None,`
			`"progname": m.group(3),`
			`"testname": m.group(5),`
			`}`
scripts: remove use of the term 'whitelist' from build helpers The term "permitted list" is a better choice for the filtering logic applied. Reviewed-by: Peter Krempa <pkrempa@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2020-06-16 11:39:12 +03:00			`permitted.append(rec)`
tests: rewrite file access checker in Python As part of a goal to eliminate Perl from libvirt build tools, rewrite the check-file-access.pl tool in Python. This was a straight conversion, manually going line-by-line to change the syntax from Perl to Python. Thus the overall structure of the file and approach is the same. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2019-08-30 15:22:54 +03:00			`else:`
			`raise Exception("Malformed line %s" % line)`


scripts: remove use of the term 'whitelist' from build helpers The term "permitted list" is a better choice for the filtering logic applied. Reviewed-by: Peter Krempa <pkrempa@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2020-06-16 11:39:12 +03:00			`# Now we should check if %traces is included in $permitted. For`
tests: rewrite file access checker in Python As part of a goal to eliminate Perl from libvirt build tools, rewrite the check-file-access.pl tool in Python. This was a straight conversion, manually going line-by-line to change the syntax from Perl to Python. Thus the overall structure of the file and approach is the same. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2019-08-30 15:22:54 +03:00			`# now checking just keys is sufficient`
			`err = False`
			`for file in files:`
			`match = False`

scripts: remove use of the term 'whitelist' from build helpers The term "permitted list" is a better choice for the filtering logic applied. Reviewed-by: Peter Krempa <pkrempa@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2020-06-16 11:39:12 +03:00			`for rule in permitted:`
tests: rewrite file access checker in Python As part of a goal to eliminate Perl from libvirt build tools, rewrite the check-file-access.pl tool in Python. This was a straight conversion, manually going line-by-line to change the syntax from Perl to Python. Thus the overall structure of the file and approach is the same. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2019-08-30 15:22:54 +03:00			`if not re.match("^" + rule["path"] + "$", file["path"]):`
			`continue`

			`if (rule["action"] is not None and`
			`not re.match("^" + rule["action"] + "$", file["action"])):`
			`continue`

			`if (rule["progname"] is not None and`
			`not re.match("^" + rule["progname"] + "$", file["progname"])):`
			`continue`

			`if (rule["testname"] is not None and`
			`file["testname"] is not None and`
			`not re.match("^" + rule["testname"] + "$", file["testname"])):`
			`continue`

			`match = True`

			`if not match:`
			`err = True`
			`print("%s: %s: %s" %`
			`(file["path"], file["action"], file["progname"]),`
			`end="")`
			`if file["testname"] is not None:`
			`print(": %s" % file["testname"], end="")`
			`print("")`

meson: tests: add file access test setup We need to modify check-file-access.py to be usable as wrapper for libvirt tests. This way we can run the tests using this command: meson test --setup access which will run all tests using check-file-access.py as a wrapper. With autotools all file access are written into single file for all tests and compared once the whole test suite is done. With Meson we will compare the file access after every single test because it is used as wrapper now. That requires writing the file access into separate files for every single test as they are executed in parallel. Since the wrapper is used for all tests in Meson including tests outside of tests directory we have to check for presence of the output file. We should also cleanup after ourselves. Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Neal Gompa <ngompa13@gmail.com> 2020-07-28 15:29:32 +03:00			`os.remove(access_file)`

tests: rewrite file access checker in Python As part of a goal to eliminate Perl from libvirt build tools, rewrite the check-file-access.pl tool in Python. This was a straight conversion, manually going line-by-line to change the syntax from Perl to Python. Thus the overall structure of the file and approach is the same. Reviewed-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2019-08-30 15:22:54 +03:00			`if err:`
			`sys.exit(1)`
			`sys.exit(0)`