On 09/24/2018 11:57 AM, Ian Jackson wrote:
> George Dunlap writes ("[PATCH v2 2/6] test/depriv: Add a tool to check
> process-level depriv"):
>> Add a tool to check whether the various process-level deprivileging
>> operations have actually taken place on the process.
> ...
>> +# Example input:
>> +# Uid: 1193 1193 1193 1193
>> +input=$(grep Uid /proc/$dmpid/status)
>
> Are you sure this grep does not need to be more specific ? What if a
> new thing gets added, I don't know,
> Sponglefleep-Uid-Blarking: yes 42
Yes, it probably should be more specific.
>> +if [[ "$input" =~
>> ^Uid:[[:space:]]*([0-9]+)[[:space:]]*([0-9]+)[[:space:]]*([0-9]+)[[:space:]]*([0-9]+)$
>> ]] ; then
>
> I think I made most of my comments about this script in my other
> review comments.
>
> But, specifically, here: if you are confident about the format of the
> line in /proc/*/status, you could do
> fields=($input)
> for uid in ${fields[*]:1}; do
> compare uid with expected
I had something like that originally, but wasn't confident about it;
when I ended up having to write the regexp for /proc/*/limits, I wrote
one for here too to be a bit more safe.
Linus considers almost any user-space reliance on kernel behavior as
binding, so I suspect ($input) is probably safe enough if we want to
remove at least one nasty Bash regexp.
-George
_______________________________________________
Xen-devel mailing list
[email protected]
https://lists.xenproject.org/mailman/listinfo/xen-devel
