Re: [PATCH v2 10/10] scripts/check-aclrules.py: check ACL for domain_driver.c ACL callers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 2/17/21 1:41 PM, Ján Tomko wrote:
On a Tuesday in 2021, Daniel Henrique Barboza wrote:
This script works under two specific conditions. For each opened file,
search for all functions that has ACL calls and store them, and see
if there is a vir*DriverPtr struct declared in it. For each implementation
found, check if there is an ACL verification inside it, and error out if
none was found. The script also supports the concept of stub, where another
function takes the responsibility for the ACL call instead of the
original API.

Unfortunately this is not enough to cover the new scenario we have now,
with domain_driver.c containing helper functions that execute the ACL
calls. The script does not store state between files because, until now,
it wasn't needed to - APIs and stubs and vir*DriverPtr declarations were
always in the same file. Also, the script will not check for ACL in functions
that does not belong to a vir*DriverPtr interface. What we have now in
domain_driver.c breaks both assumptions: the functions are in a different
file, and there is no vir*DriverPtr being implemented in the file that
uses these functions.

This patch changes check-aclrules.py to accomodate this scenario. The helpers
that have ACL checks are stored beforehand in aclFuncHelpers, allowing other
files to use them to recognize a stub situation. In case the current file
being analyzed is domain_driver.c itself, we'll do a manual check using
aclFuncHelpers to verify that these functions indeed have ACL checks.

Signed-off-by: Daniel Henrique Barboza <danielhb413@xxxxxxxxx>
---
scripts/check-aclrules.py  | 25 ++++++++++++++++++++++++-
src/hypervisor/meson.build |  2 ++
2 files changed, 26 insertions(+), 1 deletion(-)


Reviewed-by: Ján Tomko <jtomko@xxxxxxxxxx>

Also, consider suppressing cc's in your .gitconfig:

[sendemail]
     suppresscc = all
     signedoffbycc = no

(Sadly I don't remember whether the last line is actually needed)


Usually I delete the copies of patches I get via cc: and only deal with
the copies sent to the mailing list, but it looks like here you CC'd me
only on the patches I've already reviewed, which does not seem useful :)

Ooops, sorry about that. I forgot that git sendmail also adds CCs via reviewed-by
tags (not sure why). I'll use supresscc=all to be safe.


Thanks for the review!



DHB



Jano




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux