author | hagbard <vyosdev@derith.de> | 2019-06-18 12:57:21 -0700 |
---|---|---|
committer | hagbard <vyosdev@derith.de> | 2019-06-18 12:57:21 -0700 |
commit | a06fe4e9c5298b5bad883ab6badc3ccefd32ff49 (patch) | |
tree | 63f8f02165ec492c43ceb550bcfbd6b80161b5f8 | |
parent | 6104cf2812bc454a3ec2585a9ace20974d87fccb (diff) | |
parent | b4efb2ddef5d749b3425b5a642da8316887aca48 (diff) | |
download | vyos-xe-guest-utilities-a06fe4e9c5298b5bad883ab6badc3ccefd32ff49.tar.gz vyos-xe-guest-utilities-a06fe4e9c5298b5bad883ab6badc3ccefd32ff49.zip |
Merge remote-tracking branch 'upstream/master' into current
-rw-r--r-- | .gitignore | 2 | ||||
-rw-r--r-- | Makefile | 10 | ||||
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | analyze.py | 80 | ||||
-rw-r--r-- | mk/xe-linux-distribution.service | 1 | ||||
-rw-r--r-- | mk/xen-vcpu-hotplug.rules | 2 | ||||
-rwxr-xr-x | security-check.sh | 33 |
7 files changed, 123 insertions, 7 deletions
@@ -23,3 +23,5 @@ _testmain.go *.exe *.test *.prof + +build/
\ No newline at end of file @@ -55,11 +55,11 @@ $(DISTDIR)/$(PACKAGE)_$(VERSION)-$(RELEASE)_$(ARCH).tgz: $(OBJECTS) install -m 755 $(OBJECTDIR)/xe-daemon $(STAGEDIR)/usr/sbin/xe-daemon ; \ install -d $(STAGEDIR)/usr/bin/ ; \ install -m 755 $(OBJECTDIR)/xenstore $(STAGEDIR)/usr/bin/xenstore ; \ - ln -sf /usr/bin/xenstore $(STAGEDIR)/usr/bin/xenstore-read ; \ - ln -sf /usr/bin/xenstore $(STAGEDIR)/usr/bin/xenstore-write ; \ - ln -sf /usr/bin/xenstore $(STAGEDIR)/usr/bin/xenstore-exists ; \ - ln -sf /usr/bin/xenstore $(STAGEDIR)/usr/bin/xenstore-rm ; \ - ln -sf /usr/bin/xenstore $(STAGEDIR)/usr/bin/xenstore-list ; \ + ln -sf xenstore $(STAGEDIR)/usr/bin/xenstore-read ; \ + ln -sf xenstore $(STAGEDIR)/usr/bin/xenstore-write ; \ + ln -sf xenstore $(STAGEDIR)/usr/bin/xenstore-exists ; \ + ln -sf xenstore $(STAGEDIR)/usr/bin/xenstore-rm ; \ + ln -sf xenstore $(STAGEDIR)/usr/bin/xenstore-list ; \ install -d $(STAGEDIR)/etc/udev/rules.d/ ; \ install -m 644 $(SOURCEDIR)/xen-vcpu-hotplug.rules $(STAGEDIR)/etc/udev/rules.d/z10_xen-vcpu-hotplug.rules ; \ cd $(STAGEDIR) ; \ @@ -3,7 +3,7 @@ go-guest-utilites =================== -This is the golang guest utilites for XenServer +This is the golang guest utilities for XenServer XenStore CLI diff --git a/analyze.py b/analyze.py new file mode 100644 index 0000000..abea29f --- /dev/null +++ b/analyze.py 
@@ -0,0 +1,80 @@ +import sys +import argparse +import json + + +def cnt_on_rule_id(issues, rule_id): + return len([issue for issue in issues if issue['rule_id'] == rule_id]) + + +def write_issue(f, issue, idx): + f.write('Issue %d\\n' % idx) + for k, v in issue.iteritems(): + f.write('|%s|%s|\\n' % (k, v)) + + +def analyze(js, formatted_issues_f): + issues = js['Issues'] + if not issues: + print "Security check: no security issue detected" + return 0 + + for issue in issues: + f = issue['file'] + f = '/'.join(f.split('/')[2:]) + issue['file'] = f + + must_fix = [] + better_fix = [] + for issue in issues: + if issue['severity'] == 'HIGH': + must_fix.append(issue) + else: + better_fix.append(issue) + + + with open(formatted_issues_f, 'w') as f: + idx = 1 + f.write('\\n*Must fix issues*\\n') + print '======== Must fix the potential security issues ========' + for issue in must_fix: + print json.dumps(issue, indent=4) + write_issue(f, issue, idx) + idx += 1 + + f.write('\\n----\\n*Optinal fix issues*\\n') + print '======== Optional to fix the potential security issues ========' + for issue in better_fix: + print json.dumps(issue, indent=4) + write_issue(f, issue, idx) + idx += 1 + + if must_fix: + return 1 + else: + return 0 + + +def parse_args_or_exit(argv=None): + """ + Parse command line options + """ + parser = argparse.ArgumentParser(description="Analyze security check result") + parser.add_argument("-i", metavar="check_result", + dest="check_result", help="json file of check result") + parser.add_argument("issues", metavar="issues", + help="formatted issues") + + args = parser.parse_args(argv) + + return args + +def main(argv): + args = parse_args_or_exit(argv) + check_result = args.check_result + with open(args.check_result) as f: + js = json.load(f) + sys.exit(analyze(js, args.issues)) + +if __name__ == '__main__': + main(sys.argv[1:]) diff --git a/mk/xe-linux-distribution.service b/mk/xe-linux-distribution.service index a1cf4b1..4e60a85 100644 
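Review bot: `-i`/`check_result` is declared as an optional argument in parse_args_or_exit, yet main opens it unconditionally, so running the script without `-i` dies with a TypeError from `open(None)` instead of a usage error; add `required=True` to that `add_argument` call (the unused `check_result = args.check_result` local in main can go at the same time). The script is Python 2-only (`print` statements, `dict.iteritems`), which is worth stating in a module docstring since its exit status is what gates the security check. The path rewrite `f = '/'.join(f.split('/')[2:])` silently drops the first two components of every reported file, presumably to strip a build-tree prefix; a comment naming the expected prefix would make that assumption checkable. The `\\n` sequences in write_issue and analyze look like doubled backslashes here; if they are literal in the file the report gets the two characters `\n` instead of line breaks — confirm against the raw file.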
--- a/mk/xe-linux-distribution.service +++ b/mk/xe-linux-distribution.service @@ -1,5 +1,6 @@ [Unit] Description=Linux Guest Agent +ConditionVirtualization=xen [Service] ExecStartPre=/usr/share/oem/xs/xe-linux-distribution /var/cache/xe-linux-distribution diff --git a/mk/xen-vcpu-hotplug.rules b/mk/xen-vcpu-hotplug.rules index ecb200e..a28f895 100644 --- a/mk/xen-vcpu-hotplug.rules +++ b/mk/xen-vcpu-hotplug.rules @@ -1 +1 @@ -ACTION=="add", SUBSYSTEM=="cpu", RUN+="/bin/sh -c '[ ! -e /sys$devpath/online ] || echo 1 > /sys$devpath/online'" +ACTION=="add", SUBSYSTEM=="cpu", RUN+="/bin/sh -c '( ! /usr/bin/xenstore-exists unique-domain-id 2>/dev/null ) || [ ! -e /sys$devpath/online ] || echo 1 > /sys$devpath/online'" diff --git a/security-check.sh b/security-check.sh new file mode 100755 index 0000000..7994875 --- /dev/null +++ b/security-check.sh @@ -0,0 +1,33 @@ +#!/bin/bash +set -x + +top_dir=$(pwd) +out_dir="" + +if [ ! -z $1 ];then + mkdir -p $1 + out_dir=$1 +fi + +tmp_dir=`mktemp -d` +cd $tmp_dir + +if [ ! -f ./bin/gosec ];then + curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s 2.0.0 +fi + +result_file=result.json +issue_file=issues.txt + +./bin/gosec -fmt=json -out=${result_file} ${top_dir}/... + + +python ${top_dir}/analyze.py -i ${result_file} ${issue_file} +ret=$? + +rm $result_file +chmod 666 $issue_file +if [ "x" != "x$out_dir" ];then + mv $issue_file $out_dir +fi +exit $ret |
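Review bot: The new guard `( ! /usr/bin/xenstore-exists unique-domain-id 2>/dev/null ) ||` treats any failure of xenstore-exists as "not running on Xen", so on a Xen guest where the binary is missing or xenstored is not yet reachable when the cpu add event fires, the hot-added vCPU is silently never onlined. If the intent is only to skip the rule on non-Xen hosts, a gate that does not depend on xenstore being up — for example testing `/sys/hypervisor/type` — would be more robust and would keep the detection consistent with the `ConditionVirtualization=xen` this commit adds to xe-linux-distribution.service. A comment line above the rule stating why the check exists would also help, e.g. `# Only online hot-added vCPUs when running as a Xen guest`.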
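Review bot: The gosec bootstrap `curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s 2.0.0` executes whatever is on the unpinned master branch at run time with no integrity check, which makes the security gate itself the weakest supply-chain link of the build; download the installer from a pinned tag to a file, verify it against a recorded checksum, and only then run it (sketch below, placeholder values marked). The `[ ! -f ./bin/gosec ]` test can never find an existing binary because the script has just `cd`'d into a fresh `mktemp -d` directory, so the download always happens and the temporary directory is never removed afterwards. `chmod 666 $issue_file` makes the report world-writable before it is moved to `$out_dir`; `644` is enough for readers. `$1`, `$tmp_dir` and the other expansions are unquoted, and with only `set -x` a failing `cd` or `curl` does not stop the script — `set -euo pipefail` near the top would.
```shell
# … unchanged: top_dir / out_dir handling …
tmp_dir=$(mktemp -d)
trap 'rm -rf "$tmp_dir"' EXIT
cd "$tmp_dir"

# Pin the installer to a release tag and verify it before executing it.
# <PINNED_TAG> and <INSTALL_SH_SHA256> are placeholders to be filled in
# from the upstream release being adopted.
gosec_install="${tmp_dir}/install.sh"
curl -sfL "https://raw.githubusercontent.com/securego/gosec/<PINNED_TAG>/install.sh" -o "$gosec_install"
echo "<INSTALL_SH_SHA256>  ${gosec_install}" | sha256sum -c - || exit 1
sh "$gosec_install" 2.0.0
# … unchanged: gosec run, analyze.py, result handling …
chmod 644 "$issue_file"
```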