[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv

To: George Dunlap <george.dunlap@xxxxxxxxxx>
From: Anthony PERARD <anthony.perard@xxxxxxxxxx>
Date: Mon, 8 Oct 2018 17:28:24 +0100
Cc: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxx>
Delivery-date: Mon, 08 Oct 2018 16:28:39 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, Oct 05, 2018 at 05:57:01PM +0100, George Dunlap wrote:
> +# TEST: Process / group id
> +#
> +# Read /proc/<qpid>/status, checking Uid and Gid lines
> +#
> +# Uid should be xen-qemuuser-range-base+$domid
> +# Gid should be 65534 ("nobody")

That is wrong. Gid doesn't have to be nobody. gid can be chosen when
creating the base user id. (And I'm pretty sure "nobody" should be
avoided.)

> +# FIXME: deal with other UID configurations?
> +echo -n "Process UID: "
> +tgt_uid=$(id -u xen-qemuuser-range-base)
> +tgt_uid=$(( $tgt_uid + $domid ))
> +
> +# Example input:
> +# Uid:       1193    1193    1193    1193
> +input=$(grep ^Uid: /proc/$dmpid/status)
> +if [[ "$input" =~ 
> ^Uid:[[:space:]]+([0-9]+)[[:space:]]+([0-9]+)[[:space:]]+([0-9]+)[[:space:]]+([0-9]+)$
>  ]] ; then
> +    result="PASSED"
> +    for i in {1..4}; do
> +     if [[ "${BASH_REMATCH[$i]}" != "$tgt_uid" ]] ; then
> +         result="FAILED"
> +         failed="true"
> +         break
> +     fi
> +    done
> +else
> +    result="FAILED"
> +    failed="true"
> +fi
> +echo $result
> +
> +# Example input:
> +# Gid:       10020   10020   10020   10020
> +echo -n "Process GID: "
> +tgt_gid=$(id -g nobody)

This should be `id -g xen-qemuuser-range-base`.

-- 
Anthony PERARD

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv
  - From: George Dunlap
- Re: [Xen-devel] [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv
  - From: Ian Jackson

References:
- [Xen-devel] [PATCH 1/5] docs/qemu-deprivilege: Revise and update with status and future plans
  - From: George Dunlap
- [Xen-devel] [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv
  - From: George Dunlap

Prev by Date: Re: [Xen-devel] [PATCH 02/17] x86/mm: make mm.c build with !CONFIG_PV
Next by Date: Re: [Xen-devel] [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv
Previous by thread: [Xen-devel] [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv
Next by thread: Re: [Xen-devel] [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.