scripts/check-aclrules.py: check ACL for domain_driver.c ACL callers

This script works under two specific conditions. For each opened file,
search for all functions that has ACL calls and store them, and see
if there is a vir*DriverPtr struct declared in it. For each implementation
found, check if there is an ACL verification inside it, and error out if
none was found. The script also supports the concept of stub, where another
function takes the responsibility for the ACL call instead of the
original API.

Unfortunately this is not enough to cover the new scenario we have now,
with domain_driver.c containing helper functions that execute the ACL
calls. The script does not store state between files because, until now,
it wasn't needed to - APIs and stubs and vir*DriverPtr declarations were
always in the same file. Also, the script will not check for ACL in functions
that does not belong to a vir*DriverPtr interface. What we have now in
domain_driver.c breaks both assumptions: the functions are in a different
file, and there is no vir*DriverPtr being implemented in the file that
uses these functions.

This patch changes check-aclrules.py to accomodate this scenario. The helpers
that have ACL checks are stored beforehand in aclFuncHelpers, allowing other
files to use them to recognize a stub situation. In case the current file
being analyzed is domain_driver.c itself, we'll do a manual check using
aclFuncHelpers to verify that these functions indeed have ACL checks.

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>

diff --git a/scripts/check-aclrules.py b/scripts/check-aclrules.py
index 2335e8cfdd1575418ff05ac5ccbcf062bff31c2f..ed6805058b6c01d0856bc5d5933f98959bcf2758 100755 (executable)
--- a/scripts/check-aclrules.py
+++ b/scripts/check-aclrules.py
@@ -62,6 +62,14 @@ implpermitted = {
     "vzDomainMigrateConfirm3Params": True,
 }
 
+aclFuncHelpers = {
+    "virDomainDriverNodeDeviceDetachFlags": True,
+    "virDomainDriverNodeDeviceReset": True,
+    "virDomainDriverNodeDeviceReAttach": True,
+}
+
+aclFuncHelperFile = "domain_driver.c"
+
 lastfile = None
 
 
@@ -136,8 +144,14 @@ def process_file(filename):
     maybefunc = None
     intable = False
     table = None
+    aclHelperFileCheck = False
+
+    acls = aclFuncHelpers
+
+    if aclFuncHelperFile in filename:
+        acls = {}
+        aclHelperFileCheck = True
 
-    acls = {}
     aclfilters = {}
     errs = False
     with open(filename, "r") as fh:
@@ -262,6 +276,15 @@ def process_file(filename):
             if "}" in line:
                 brace = brace - 1
 
+    if aclHelperFileCheck:
+        for helper in aclFuncHelpers:
+            if helper not in acls:
+                print(("%s:%d Missing ACL check in helper function '%s'") %
+                      (filename, lineno, helper),
+                      file=sys.stderr)
+
+                errs = True
+
     return errs
 
 

diff --git a/src/hypervisor/meson.build b/src/hypervisor/meson.build
index 32d5ab365fdc77e9fac372272da2d97d381f7884..70801c0820072d87e6f8bdbe5938c58a3fba2a7c 100644 (file)
--- a/src/hypervisor/meson.build
+++ b/src/hypervisor/meson.build
@@ -5,6 +5,8 @@ hypervisor_sources = [
   'virhostdev.c',
 ]
 
+stateful_driver_source_files += files(hypervisor_sources)
+
 hypervisor_lib = static_library(
   'virt_hypervisor',
   [