672705831f
As motivation for this; we have had two breakouts of dib in recent memory. One was a failure to unmount through symlinks in the core code (I335316019ef948758392b03e91f9869102a472b9) and the other was removing host keys on the build-system (Ib01d71ff9415a0ae04d963f6e380aab9ac2260ce). For the most part, dib runs unprivileged. Bits of the core code are hopefully well tested (modulo bugs like the first one!). We give free reign inside the chroot (although there is still some potential there for adverse external affects via bind mounts). Where we could be a bit safer (and could have prevented at least the second of these breakouts) is with some better checking that the "sudo" calls *outside* the chroot at least looked sane. This adds a basic check that we're using chroot or image paths when calling sudo in those parts of elements that run *outside* the chroot. Various files are updated to accomodate this check; mostly by just ignoring it for existing code (I have not audited these calls). Nobody is pretending this type of checking makes dib magically safe, or removes the issues with it needing to do things as root during the build. But this can help find egregious errors like the key removal. Change-Id: I161a5aea1d29dcdc7236f70d372c53246ec73749
221 lines
6.9 KiB
Bash
Executable file
221 lines
6.9 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
# Copyright 2014 Red Hat, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
# implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# This script checks all files in the "elements" directory for some
|
|
# common mistakes and exits with a non-zero status if it finds any.
|
|
|
|
set -eu
|
|
set -o pipefail
|
|
|
|
parse_exclusions() {
|
|
# Per-file exclusions
|
|
# Example: # dib-lint: disable=sete setpipefail
|
|
local filename=$1
|
|
local disable_pattern="# dib-lint: disable="
|
|
local exclusions=$(grep "^$disable_pattern.*$" $filename | sed "s/$disable_pattern//g")
|
|
|
|
# Global exclusions read from tox.ini
|
|
# Example section in tox.ini:
|
|
# [dib-lint]
|
|
# ignore = sete setu
|
|
section="dib-lint"
|
|
option="ignore"
|
|
global_exclusions=$(python -c \
|
|
"import ConfigParser; \
|
|
conf=ConfigParser.ConfigParser(); \
|
|
conf.read('tox.ini'); \
|
|
print conf.get('$section', '$option') if conf.has_option('$section', '$option') else ''"
|
|
)
|
|
echo $exclusions $global_exclusions
|
|
}
|
|
|
|
excluded() {
|
|
local test_name=$1
|
|
for e in $exclusions; do
|
|
if [ "$e" = "$test_name" ]; then
|
|
return 0
|
|
fi
|
|
done
|
|
return 1
|
|
}
|
|
|
|
error() {
|
|
echo -e "ERROR: $1"
|
|
rc=1
|
|
}
|
|
|
|
rc=0
|
|
TMPDIR=$(mktemp -d /tmp/tmp.XXXXXXXXXX)
|
|
trap "rm -rf $TMPDIR" EXIT
|
|
for i in $(find elements -type f \
|
|
-not -name \*~ \
|
|
-not -name \#\*\# \
|
|
-not -name \*.orig \
|
|
-not -name \*.rst \
|
|
-not -name \*.yaml \
|
|
-not -name \*.py \
|
|
-not -name \*.pyc); do
|
|
|
|
exclusions=("$(parse_exclusions $i)")
|
|
|
|
# Check that files starting with a shebang are +x
|
|
firstline=$(head -n 1 "$i")
|
|
if [ "${firstline:0:2}" = "#!" ]; then
|
|
if [ ! -x "$i" ] && ! excluded executable; then
|
|
error "$i is not executable"
|
|
fi
|
|
|
|
# Ensure 4 spaces indent are used
|
|
if [ "$(file -b --mime-type $i)" = "text/x-python" ]; then
|
|
flake8 $i || error "$i failed flake8"
|
|
else
|
|
if ! excluded indent ; then
|
|
indent_regex='^\( \{4\}\)* \{1,3\}[^ ]'
|
|
if grep -q "$indent_regex" ${i}; then
|
|
error "$i should use 4 spaces indent"
|
|
# outline the failing lines with line number
|
|
grep -n "$indent_regex" ${i}
|
|
fi
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
# Check alphabetical ordering of element-deps
|
|
if [ $(basename $i) = "element-deps" ]; then
|
|
UNSORTED=${TMPDIR}/element-deps.unsorted
|
|
SORTED=${TMPDIR}/element-deps.sorted
|
|
grep -v -e '^#' -e '^$' $i > ${UNSORTED}
|
|
sort ${UNSORTED} > ${SORTED}
|
|
if [ -n "$(diff -c ${UNSORTED} ${SORTED})" ]; then
|
|
error "$i is not sorted alphabetically"
|
|
diff -y ${UNSORTED} ${SORTED}
|
|
fi
|
|
fi
|
|
|
|
# for consistency, let's just use #!/bin/bash everywhere (not
|
|
# /usr/bin/env, etc)
|
|
regex='^#!.*bash'
|
|
if [[ "$firstline" =~ $regex &&
|
|
"$firstline" != "#!/bin/bash" ]]; then
|
|
error "$i : only use #!/bin/bash for scripts"
|
|
fi
|
|
|
|
# Check that all scripts are set -eu -o pipefail and look for
|
|
# DIB_DEBUG_TRACE
|
|
# NOTE(bnemec): This doesn't verify that the set call occurs high
|
|
# enough in the file to be useful, but hopefully nobody will be
|
|
# sticking set calls at the end of their file to trick us. And if
|
|
# they are, that's easy enough to catch in reviews.
|
|
# Also, this is only going to check bash scripts - we've decided to
|
|
# explicitly require bash for any scripts that don't have a specific
|
|
# need to run under other shells, and any exceptions to that rule
|
|
# may not want these checks either.
|
|
if [[ "$firstline" =~ '#!/bin/bash' ]]; then
|
|
if ! excluded sete; then
|
|
if [ -z "$(grep "^set -[^ ]*e" $i)" ]; then
|
|
error "$i is not set -e"
|
|
fi
|
|
fi
|
|
if ! excluded setu; then
|
|
if [ -z "$(grep "^set -[^ ]*u" $i)" ]; then
|
|
error "$i is not set -u"
|
|
fi
|
|
fi
|
|
if ! excluded setpipefail; then
|
|
if [ -z "$(grep "^set -o pipefail" $i)" ]; then
|
|
error "$i is not set -o pipefail"
|
|
fi
|
|
fi
|
|
if ! excluded dibdebugtrace; then
|
|
if [ -z "$(grep "DIB_DEBUG_TRACE" $i)" ]; then
|
|
error "$i does not follow DIB_DEBUG_TRACE"
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
|
|
# check that sudo calls in phases run outside the chroot look
|
|
# "safe"; meaning that they seem to operate within the chroot
|
|
# somehow. This is not fool-proof, but catches egregious errors,
|
|
# and makes you think about it if you're doing something outside
|
|
# the box.
|
|
if ! excluded safe_sudo; then
|
|
if [[ $(dirname $i) =~ (root.d|extra-data.d|block-device.d|finalise.d|cleanup.d) ]]; then
|
|
while read LINE
|
|
do
|
|
if [[ $LINE =~ "sudo " ]]; then
|
|
# messy regex ahead! Don't match:
|
|
# - explicitly ignored
|
|
# - basic comments
|
|
# - install-packages ... sudo ...
|
|
# - any of the paths passed into the out-of-chroot elements
|
|
if [[ $LINE =~ (dib-lint: safe_sudo|^#|install-packages|TARGET_ROOT|IMAGE_BLOCK_DEVICE|TMP_MOUNT_PATH|TMP_IMAGE_PATH) ]]; then
|
|
continue
|
|
fi
|
|
error "$i : potentially unsafe sudo\n -- $LINE"
|
|
fi
|
|
done < $i
|
|
fi
|
|
fi
|
|
|
|
done
|
|
|
|
for i in $(find elements -type f -and -name '*.rst' -or -type f -executable); do
|
|
# Check for tab indentation
|
|
if ! excluded tabindent; then
|
|
if grep -q $'^ *\t' ${i}; then
|
|
error "$i contains tab characters"
|
|
fi
|
|
fi
|
|
|
|
if ! excluded newline; then
|
|
if [ "$(tail -c 1 $i)" != "" ]; then
|
|
error "No newline at end of file: $i"
|
|
fi
|
|
fi
|
|
done
|
|
|
|
if ! excluded mddocs; then
|
|
md_docs=$(find elements -name '*.md')
|
|
if [ -n "$md_docs" ]; then
|
|
error ".md docs found: $md_docs"
|
|
fi
|
|
fi
|
|
|
|
for i in $(find elements -name '*.yaml' \
|
|
-o \( -name pkg-map -type f -a \! -executable \)); do
|
|
py_check="
|
|
import json
|
|
import yaml
|
|
import sys
|
|
try:
|
|
objs = json.load(open('$i'))
|
|
sys.exit(0)
|
|
except ValueError:
|
|
pass
|
|
try:
|
|
objs = yaml.load(open('$i'))
|
|
sys.exit(0)
|
|
except yaml.parser.ParserError:
|
|
pass
|
|
sys.exit(1)"
|
|
if ! python -c "$py_check"; then
|
|
error "$i is not a valid yaml/json file"
|
|
fi
|
|
done
|
|
|
|
exit $rc
|