Re: [Xen-devel] [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv

2018-10-29 Thread Ian Jackson
George Dunlap writes ("Re: [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv"): > Oh, actually, 65534 is "nogroup", which is the default when you don't > add a specific group. > > Should we recommend creating a separate group for the Xen qemus in our > feature doc? Or

Re: [Xen-devel] [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv

2018-10-26 Thread George Dunlap
On 10/08/2018 05:28 PM, Anthony PERARD wrote: > On Fri, Oct 05, 2018 at 05:57:01PM +0100, George Dunlap wrote: >> +# TEST: Process / group id >> +# >> +# Read /proc//status, checking Uid and Gid lines >> +# >> +# Uid should be xen-qemuuser-range-base+$domid >> +# Gid should be 65534 ("nobody") >

Re: [Xen-devel] [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv

2018-10-26 Thread Ian Jackson
George Dunlap writes ("Re: [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv"): > FYI I do agree with all of those suggestions (both `set -e` and having > functions to handle failure in a consistent way); but I didn't want to > fix everything up in bash only to have to write

Re: [Xen-devel] [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv

2018-10-26 Thread George Dunlap
On 10/26/2018 03:06 PM, Ian Jackson wrote: > George Dunlap writes ("[PATCH 5/5] RFC: test/depriv: Add a tool to check > process-level depriv"): >> Add a tool to check whether the various process-level deprivileging >> operations have actually taken place on the process. > ... >> NB that a number

Re: [Xen-devel] [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv

2018-10-26 Thread Ian Jackson
George Dunlap writes ("[PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv"): > Add a tool to check whether the various process-level deprivileging > operations have actually taken place on the process. ... > NB that a number of other requested changes (such as using `set -e`,

Re: [Xen-devel] [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv

2018-10-08 Thread Ian Jackson
Anthony PERARD writes ("Re: [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv"): > On Fri, Oct 05, 2018 at 05:57:01PM +0100, George Dunlap wrote: > > +# TEST: Process / group id > > +# > > +# Read /proc//status, checking Uid and Gid lines > > +# > > +# Uid should be

Re: [Xen-devel] [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv

2018-10-08 Thread Anthony PERARD
On Fri, Oct 05, 2018 at 05:57:01PM +0100, George Dunlap wrote: > +# TEST: Process / group id > +# > +# Read /proc//status, checking Uid and Gid lines > +# > +# Uid should be xen-qemuuser-range-base+$domid > +# Gid should be 65534 ("nobody") That is wrong. Gid doesn't have to be nobody. gid can be
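Review bot: The expected Gid in the comment line `# Gid should be 65534 ("nobody")` is a hard-coded number, and the name attached to it does not match the one given for 65534 elsewhere in this thread ("nogroup"). Rather than comparing against a constant, derive the expected value from the primary group of the expected user (for example with `id -g`) and check the Gid line against that, so the test keeps passing if a dedicated group is created for the Xen qemu users. If the constant stays, the comment should say that 65534 is only the default when no specific group is assigned.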

[Xen-devel] [PATCH 5/5] RFC: test/depriv: Add a tool to check process-level depriv

2018-10-05 Thread George Dunlap
Add a tool to check whether the various process-level deprivileging operations have actually taken place on the process. The tool takes a domname or domid, and returns success or failure. Signed-off-by: George Dunlap --- Changes since v2: - Make grep for Uid line more strict - Fix Gid grep,