* [PATCH v5 1/2] image.bbclass: add prohibited-paths QA test
@ 2017-11-27 19:28 Martyn Welch
  2017-11-27 19:28 ` [PATCH v5 2/2] core-image.bbclass: add default IMAGE_QA_PROHIBIT_PATHS variable Martyn Welch
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: Martyn Welch @ 2017-11-27 19:28 UTC (permalink / raw)
  To: openembedded-core; +Cc: Otavio Salvador

Sometimes we wish to ensure that files or directories are not installed
somewhere that may prove detrimental to the operation of the system. For
example, this may be the case if files are placed in a directory that is
utilised as a mount point at run time, thus making them inaccessible once
the mount point is being utilised.

Implement the prohibited paths QA test, which enables such locations to be
specified in a "IMAGE_QA_PROHIBITED_PATHS" variable. This implementation
allows for a colon separated list of paths to be provided. Shell style
wildcards can be used.

Signed-off-by: Fabien Lahoudere <fabien.lahoudere@collabora.co.uk>
Signed-off-by: Martyn Welch <martyn.welch@collabora.co.uk>
---
Changes since v1:
 - Correcting author and SOB.

Changes since v2:
 - Reimplemented as image rather than package level QA test.
 - Changed variable from PROHIBITED_PATH to PROHIBITED_PATHS to better
   reflect its use.

Changes since v3:
 - Rename variable to IMAGE_QA_PROHIBITED_PATHS.
 - Use str.startswith().
 - Simplify if statement.

Changes since v4:
 - Move QA test to new class "image-insane.bbclass".

 meta/classes/image-insane.bbclass | 20 ++++++++++++++++++++
 meta/classes/image.bbclass        |  1 +
 2 files changed, 21 insertions(+)
 create mode 100644 meta/classes/image-insane.bbclass

diff --git a/meta/classes/image-insane.bbclass b/meta/classes/image-insane.bbclass
new file mode 100644
index 0000000..29935cf
--- /dev/null
+++ b/meta/classes/image-insane.bbclass
@@ -0,0 +1,20 @@
+python image_check_prohibited_paths () {
+    import glob
+    from oe.utils import ImageQAFailed
+
+    rootfs = d.getVar('IMAGE_ROOTFS')
+
+    path = (d.getVar('IMAGE_QA_PROHIBITED_PATHS') or "")
+    if path != "":
+        for p in path.split(':'):
+            if not p.startswith('/'):
+                raise ImageQAFailed("IMAGE_QA_PROHIBITED_PATHS \"%s\" must be an absolute path" % p, image_check_prohibited_paths)
+
+            match = glob.glob("%s%s" % (rootfs, p))
+            if match:
+                loc = ", ".join(item.replace(rootfs, '') for item in match)
+                raise ImageQAFailed("Match(es) for IMAGE_QA_PROHIBITED_PATHS \"%s\": %s" % (p, loc), image_check_prohibited_paths)
+}
+
+IMAGE_QA_COMMANDS += "image_check_prohibited_paths"
+
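Review bot: glob.glob() in 'match = glob.glob("%s%s" % (rootfs, p))' does not let '*' match names that begin with a dot, so a pattern such as '/tmp/*' passes an image that ships only hidden files in that directory. Either list the directory with os.listdir() when the pattern ends in '/*', or state this limit next to the variable. The loop also raises on the first pattern that matches, so an image with several offending locations needs one rebuild per pattern; collecting all matches and raising once at the end would report them together.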
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index d93de02..8b45abb 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -1,4 +1,5 @@
 inherit rootfs_${IMAGE_PKGTYPE}
+inherit image-insane
 
 # Only Linux SDKs support populate_sdk_ext, fall back to populate_sdk_base
 # in the non-Linux SDK_OS case, such as mingw32
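Review bot: 'inherit image-insane' is unconditional, so every recipe that inherits image gets image_check_prohibited_paths appended to IMAGE_QA_COMMANDS, and the only opt-out is leaving IMAGE_QA_PROHIBITED_PATHS empty. That behaviour is reasonable, but it is not written down anywhere in this patch; a short comment above the inherit line or at the top of the new class saying so would help.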
-- 
2.1.4



^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [PATCH v5 2/2] core-image.bbclass: add default IMAGE_QA_PROHIBIT_PATHS variable
  2017-11-27 19:28 [PATCH v5 1/2] image.bbclass: add prohibited-paths QA test Martyn Welch
@ 2017-11-27 19:28 ` Martyn Welch
  2017-11-28 11:47   ` Otavio Salvador
  2017-11-28 11:46 ` [PATCH v5 1/2] image.bbclass: add prohibited-paths QA test Otavio Salvador
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 7+ messages in thread
From: Martyn Welch @ 2017-11-27 19:28 UTC (permalink / raw)
  To: openembedded-core; +Cc: Otavio Salvador

Add a default IMAGE_QA_PROHIBIT_PATHS variable containing paths known to
be mounted in the default fstab, which are known mount points or
directories which should be populated at runtime.

Suggested-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Martyn Welch <martyn.welch@collabora.co.uk>
---

Changes since v3:
 - This patch added.

 meta/classes/core-image.bbclass | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/classes/core-image.bbclass b/meta/classes/core-image.bbclass
index a9a2cec..8d5fb97 100644
--- a/meta/classes/core-image.bbclass
+++ b/meta/classes/core-image.bbclass
@@ -56,6 +56,11 @@ IMAGE_FEATURES_REPLACES_ssh-server-openssh = "ssh-server-dropbear"
 # IMAGE_FEATURES_CONFLICTS_foo = 'bar1 bar2'
 # An error exception would be raised if both image features foo and bar1(or bar2) are included
 
+# IMAGE_QA_PROHIBITED_PATHS
+# Ensure images aren't including files in places that will be used as mount points or that are
+# reserved for runtime data.
+IMAGE_QA_PROHIBITED_PATHS ?= "/dev/pts/*:/media/*:/mnt/*:/proc/*:/run/*:/tmp/*:/var/run/*:/var/tmp/*:/var/volatile/*"
+
 MACHINE_HWCODECS ??= ""
 
 CORE_IMAGE_BASE_INSTALL = '\
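Review bot: the subject and commit message call the variable IMAGE_QA_PROHIBIT_PATHS, while the assignment added here (and the check in 1/2) uses IMAGE_QA_PROHIBITED_PATHS; please make the log match the code so that a search for the variable finds this commit. Since the default lives in core-image.bbclass and the test is inherited from image.bbclass, images that inherit image directly get the test with no default list, which is worth saying in the comment above the assignment.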
-- 
2.1.4



^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH v5 1/2] image.bbclass: add prohibited-paths QA test
  2017-11-27 19:28 [PATCH v5 1/2] image.bbclass: add prohibited-paths QA test Martyn Welch
  2017-11-27 19:28 ` [PATCH v5 2/2] core-image.bbclass: add default IMAGE_QA_PROHIBIT_PATHS variable Martyn Welch
@ 2017-11-28 11:46 ` Otavio Salvador
  2017-12-18 14:29 ` Martyn Welch
  2018-04-13  9:27 ` Fabien Lahoudere
  3 siblings, 0 replies; 7+ messages in thread
From: Otavio Salvador @ 2017-11-28 11:46 UTC (permalink / raw)
  To: Martyn Welch; +Cc: Patches and discussions about the oe-core layer

On Mon, Nov 27, 2017 at 5:28 PM, Martyn Welch
<martyn.welch@collabora.co.uk> wrote:
> Sometimes we wish to ensure that files or directories are not installed
> somewhere that may prove detrimental to the operation of the system. For
> example, this may be the case if files are placed in a directory that is
> utilised as a mount point at run time, thus making them inaccessible once
> the mount point is being utilised.
>
> Implement the prohibited paths QA test, which enables such locations to be
> specified in a "IMAGE_QA_PROHIBITED_PATHS" variable. This implementation
> allows for a colon separated list of paths to be provided. Shell style
> wildcards can be used.
>
> Signed-off-by: Fabien Lahoudere <fabien.lahoudere@collabora.co.uk>
> Signed-off-by: Martyn Welch <martyn.welch@collabora.co.uk>

Acked-by: Otavio Salvador <otavio@ossystems.com.br>

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v5 2/2] core-image.bbclass: add default IMAGE_QA_PROHIBIT_PATHS variable
  2017-11-27 19:28 ` [PATCH v5 2/2] core-image.bbclass: add default IMAGE_QA_PROHIBIT_PATHS variable Martyn Welch
@ 2017-11-28 11:47   ` Otavio Salvador
  0 siblings, 0 replies; 7+ messages in thread
From: Otavio Salvador @ 2017-11-28 11:47 UTC (permalink / raw)
  To: Martyn Welch; +Cc: Patches and discussions about the oe-core layer

On Mon, Nov 27, 2017 at 5:28 PM, Martyn Welch
<martyn.welch@collabora.co.uk> wrote:
> Add a default IMAGE_QA_PROHIBIT_PATHS variable containing paths known to
> be mounted in the default fstab, which are known mount points or
> directories which should be populated at runtime.
>
> Suggested-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
> Signed-off-by: Martyn Welch <martyn.welch@collabora.co.uk>

Acked-by: Otavio Salvador <otavio@ossystems.com.br>

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v5 1/2] image.bbclass: add prohibited-paths QA test
  2017-11-27 19:28 [PATCH v5 1/2] image.bbclass: add prohibited-paths QA test Martyn Welch
  2017-11-27 19:28 ` [PATCH v5 2/2] core-image.bbclass: add default IMAGE_QA_PROHIBIT_PATHS variable Martyn Welch
  2017-11-28 11:46 ` [PATCH v5 1/2] image.bbclass: add prohibited-paths QA test Otavio Salvador
@ 2017-12-18 14:29 ` Martyn Welch
  2018-04-13  9:27 ` Fabien Lahoudere
  3 siblings, 0 replies; 7+ messages in thread
From: Martyn Welch @ 2017-12-18 14:29 UTC (permalink / raw)
  To: openembedded-core; +Cc: Otavio Salvador

This doesn't seem to be applied yet. Is there something else that is
needed?

Martyn

On Mon, 2017-11-27 at 19:28 +0000, Martyn Welch wrote:
> Sometimes we wish to ensure that files or directories are not installed
> somewhere that may prove detrimental to the operation of the system. For
> example, this may be the case if files are placed in a directory that is
> utilised as a mount point at run time, thus making them inaccessible once
> the mount point is being utilised.
> 
> Implement the prohibited paths QA test, which enables such locations to be
> specified in a "IMAGE_QA_PROHIBITED_PATHS" variable. This implementation
> allows for a colon separated list of paths to be provided. Shell style
> wildcards can be used.
> 
> Signed-off-by: Fabien Lahoudere <fabien.lahoudere@collabora.co.uk>
> Signed-off-by: Martyn Welch <martyn.welch@collabora.co.uk>
> ---
> Changes since v1:
>  - Correcting author and SOB.
> 
> Changes since v2:
>  - Reimplemented as image rather than package level QA test.
>  - Changed variable from PROHIBITED_PATH to PROHIBITED_PATHS to better
>    reflect its use.
> 
> Changes since v3:
>  - Rename variable to IMAGE_QA_PROHIBITED_PATHS.
>  - Use str.startswith().
>  - Simplify if statement.
> 
> Changes since v4:
>  - Move QA test to new class "image-insane.bbclass".
> 
>  meta/classes/image-insane.bbclass | 20 ++++++++++++++++++++
>  meta/classes/image.bbclass        |  1 +
>  2 files changed, 21 insertions(+)
>  create mode 100644 meta/classes/image-insane.bbclass
> 
> diff --git a/meta/classes/image-insane.bbclass b/meta/classes/image-insane.bbclass
> new file mode 100644
> index 0000000..29935cf
> --- /dev/null
> +++ b/meta/classes/image-insane.bbclass
> @@ -0,0 +1,20 @@
> +python image_check_prohibited_paths () {
> +    import glob
> +    from oe.utils import ImageQAFailed
> +
> +    rootfs = d.getVar('IMAGE_ROOTFS')
> +
> +    path = (d.getVar('IMAGE_QA_PROHIBITED_PATHS') or "")
> +    if path != "":
> +        for p in path.split(':'):
> +            if not p.startswith('/'):
> +                raise ImageQAFailed("IMAGE_QA_PROHIBITED_PATHS \"%s\" must be an absolute path" % p, image_check_prohibited_paths)
> +
> +            match = glob.glob("%s%s" % (rootfs, p))
> +            if match:
> +                loc = ", ".join(item.replace(rootfs, '') for item in match)
> +                raise ImageQAFailed("Match(es) for IMAGE_QA_PROHIBITED_PATHS \"%s\": %s" % (p, loc), image_check_prohibited_paths)
> +}
> +
> +IMAGE_QA_COMMANDS += "image_check_prohibited_paths"
> +
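Review bot: in 'glob.glob("%s%s" % (rootfs, p))' the rootfs prefix is treated as pattern text and symlinked path components are followed. If IMAGE_ROOTFS contains a glob metacharacter such as '[' the pattern silently matches nothing, and an absolute symlink inside the rootfs (one at /var/run, say) makes the listing come from the build host rather than from the image. Wrapping the prefix in glob.escape() and rejecting or resolving symlinked components relative to the rootfs would avoid both. On the reporting line, 'item.replace(rootfs, '')' removes every occurrence of the rootfs string, not only the leading one; item[len(rootfs):] is more exact.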
> diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
> index d93de02..8b45abb 100644
> --- a/meta/classes/image.bbclass
> +++ b/meta/classes/image.bbclass
> @@ -1,4 +1,5 @@
>  inherit rootfs_${IMAGE_PKGTYPE}
> +inherit image-insane
>  
>  # Only Linux SDKs support populate_sdk_ext, fall back to populate_sdk_base
>  # in the non-Linux SDK_OS case, such as mingw32




^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v5 1/2] image.bbclass: add prohibited-paths QA test
  2017-11-27 19:28 [PATCH v5 1/2] image.bbclass: add prohibited-paths QA test Martyn Welch
                   ` (2 preceding siblings ...)
  2017-12-18 14:29 ` Martyn Welch
@ 2018-04-13  9:27 ` Fabien Lahoudere
  2018-04-13 11:27   ` Otavio Salvador
  3 siblings, 1 reply; 7+ messages in thread
From: Fabien Lahoudere @ 2018-04-13  9:27 UTC (permalink / raw)
  To: openembedded-core; +Cc: Martyn Welch, Leonardo Sandoval, Otavio Salvador

Hi 

This patch doesn't seem to be applied.
Are there additional comments or something blocking?

Thanks

Fabien

On Mon, 2017-11-27 at 19:28 +0000, Martyn Welch wrote:
> Sometimes we wish to ensure that files or directories are not installed
> somewhere that may prove detrimental to the operation of the system. For
> example, this may be the case if files are placed in a directory that is
> utilised as a mount point at run time, thus making them inaccessible once
> the mount point is being utilised.
> 
> Implement the prohibited paths QA test, which enables such locations to be
> specified in a "IMAGE_QA_PROHIBITED_PATHS" variable. This implementation
> allows for a colon separated list of paths to be provided. Shell style
> wildcards can be used.
> 
> Signed-off-by: Fabien Lahoudere <fabien.lahoudere@collabora.co.uk>
> Signed-off-by: Martyn Welch <martyn.welch@collabora.co.uk>
> ---
> Changes since v1:
>  - Correcting author and SOB.
> 
> Changes since v2:
>  - Reimplemented as image rather than package level QA test.
>  - Changed variable from PROHIBITED_PATH to PROHIBITED_PATHS to better
>    reflect its use.
> 
> Changes since v3:
>  - Rename variable to IMAGE_QA_PROHIBITED_PATHS.
>  - Use str.startswith().
>  - Simplify if statement.
> 
> Changes since v4:
>  - Move QA test to new class "image-insane.bbclass".
> 
>  meta/classes/image-insane.bbclass | 20 ++++++++++++++++++++
>  meta/classes/image.bbclass        |  1 +
>  2 files changed, 21 insertions(+)
>  create mode 100644 meta/classes/image-insane.bbclass
> 
> diff --git a/meta/classes/image-insane.bbclass b/meta/classes/image-insane.bbclass
> new file mode 100644
> index 0000000..29935cf
> --- /dev/null
> +++ b/meta/classes/image-insane.bbclass
> @@ -0,0 +1,20 @@
> +python image_check_prohibited_paths () {
> +    import glob
> +    from oe.utils import ImageQAFailed
> +
> +    rootfs = d.getVar('IMAGE_ROOTFS')
> +
> +    path = (d.getVar('IMAGE_QA_PROHIBITED_PATHS') or "")
> +    if path != "":
> +        for p in path.split(':'):
> +            if not p.startswith('/'):
> +                raise ImageQAFailed("IMAGE_QA_PROHIBITED_PATHS \"%s\" must be an absolute path" %
> p, image_check_prohibited_paths)
> +
> +            match = glob.glob("%s%s" % (rootfs, p))
> +            if match:
> +                loc = ", ".join(item.replace(rootfs, '') for item in match)
> +                raise ImageQAFailed("Match(es) for IMAGE_QA_PROHIBITED_PATHS \"%s\": %s" % (p,
> loc), image_check_prohibited_paths)
> +}
> +
> +IMAGE_QA_COMMANDS += "image_check_prohibited_paths"
> +
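Review bot: 'for p in path.split(':')' takes each element as it is, so a trailing or doubled colon yields an empty entry and whitespace around a colon leaves a leading space; both fall into the 'must be an absolute path' failure with a message that does not point at the real cause. Stripping each element and skipping empty ones before the startswith('/') test would make the variable more forgiving, especially when the list is built up with appends.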
> diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
> index d93de02..8b45abb 100644
> --- a/meta/classes/image.bbclass
> +++ b/meta/classes/image.bbclass
> @@ -1,4 +1,5 @@
>  inherit rootfs_${IMAGE_PKGTYPE}
> +inherit image-insane
>  
>  # Only Linux SDKs support populate_sdk_ext, fall back to populate_sdk_base
>  # in the non-Linux SDK_OS case, such as mingw32


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH v5 1/2] image.bbclass: add prohibited-paths QA test
  2018-04-13  9:27 ` Fabien Lahoudere
@ 2018-04-13 11:27   ` Otavio Salvador
  0 siblings, 0 replies; 7+ messages in thread
From: Otavio Salvador @ 2018-04-13 11:27 UTC (permalink / raw)
  To: Fabien Lahoudere
  Cc: Martyn Welch, Leonardo Sandoval,
	Patches and discussions about the oe-core layer

On Fri, Apr 13, 2018 at 6:27 AM, Fabien Lahoudere
<fabien.lahoudere@collabora.co.uk> wrote:
> This patch doesn't seem to be applied.
> Are there additional comments or something blocking?

I see no reason for it not being applied.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750


^ permalink raw reply	[flat|nested] 7+ messages in thread
