[PATCH openbmc] Package whitelist.conf in obmc-phosphor-image

Patrick Williams patrick at stwcx.xyz
Tue Jun 21 08:49:00 AEST 2016


On Mon, Jun 20, 2016 at 09:10:42AM -0500, OpenBMC Patches wrote:
> From: tomjose <tomjoseph at in.ibm.com>
> 
> IPMI whitelisted commands are added in whitelist.conf
> which would be consumed by ipmid daemon. Only whitelisted
> IPMI commands are executed in restricted mode.
> ---
>  .../recipes-phosphor/host-ipmid/host-ipmid.bb      |  5 ++++-
>  .../host-ipmid/host-ipmid.bbappend                 |  1 +
>  .../host-ipmid/host-ipmid/files/whitelist.conf     | 26 ++++++++++++++++++++++
>  3 files changed, 31 insertions(+), 1 deletion(-)
>  create mode 100644 meta-phosphor/common/recipes-phosphor/host-ipmid/host-ipmid.bbappend
>  create mode 100644 meta-phosphor/common/recipes-phosphor/host-ipmid/host-ipmid/files/whitelist.conf
> 
> diff --git a/meta-phosphor/common/recipes-phosphor/host-ipmid/host-ipmid.bb b/meta-phosphor/common/recipes-phosphor/host-ipmid/host-ipmid.bb
> index 23728cb..b3dba1a 100644
> --- a/meta-phosphor/common/recipes-phosphor/host-ipmid/host-ipmid.bb
> +++ b/meta-phosphor/common/recipes-phosphor/host-ipmid/host-ipmid.bb
> @@ -17,7 +17,8 @@ TARGET_CFLAGS   += "-fpic"
>  RDEPENDS_${PN} += "clear-once"
>  RDEPENDS_${PN} += "settings"
>  RDEPENDS_${PN} += "network"
> -SRC_URI += "git://github.com/openbmc/phosphor-host-ipmid"
> +SRC_URI += "git://github.com/openbmc/phosphor-host-ipmid \
> +            file://whitelist.conf"
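
Review bot: on the rewritten `SRC_URI` line, the repository is still fetched over `git://`, which is neither authenticated nor encrypted, so the integrity of the fetched source rests entirely on the pinned revision, which is outside the quoted context. Since the line is being touched anyway, consider `git://github.com/openbmc/phosphor-host-ipmid;protocol=https`.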

We need a mechanism to have different files per package that we then
combine together at build time.  'host-ipmid',
'openpower-host-ipmi-oem', and 'ipmi-fru-parser' all of a different
subset of the providers.  If we remove 'openpower-host-ipmi-oem' and
replace it with 'anotherarch-host-ipmi-oem' we likely need a different
set of white-listed commands.

>  
>  do_install() {
>          install -m 0755 -d ${D}${libdir}/host-ipmid
> +        install -m 0755 -d ${D}${datadir}/host-ipmid
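
Review bot: in `do_install`, the added `install -m 0755 -d ${D}${datadir}/host-ipmid` only creates the directory; the line that copies `whitelist.conf` into it is not in the quoted context. Because this file decides which commands run in restricted mode, it should land non-executable and writable only by root, for example with `install -m 0644`, and that is worth confirming in the full patch.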

If we continue to make this runtime parsing, the directory needs to be
passed into the makefile as part of 'do_compile'.  We should not be
forced to use the directory that is defaulted in the package's makefile.

> diff --git a/meta-phosphor/common/recipes-phosphor/host-ipmid/host-ipmid.bbappend b/meta-phosphor/common/recipes-phosphor/host-ipmid/host-ipmid.bbappend
> new file mode 100644
> index 0000000..b2051b6
> --- /dev/null
> +++ b/meta-phosphor/common/recipes-phosphor/host-ipmid/host-ipmid.bbappend
> @@ -0,0 +1 @@
> +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}/files:"
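
Review bot: the `FILESEXTRAPATHS_prepend` line is needed only because `whitelist.conf` was placed in `${PN}/files`. Moving the file up one level, out of `files/`, puts it on the recipe's default search path, so `file://whitelist.conf` resolves without this .bbappend.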

We have not taken this approach for other packages.  ${PN} is already
supported as a default SRC_URI location.  Why put the 'files'
subdirectory in this case?  And why have a .bbappend file when the
original package recipe is in the same directory?

> diff --git a/meta-phosphor/common/recipes-phosphor/host-ipmid/host-ipmid/files/whitelist.conf b/meta-phosphor/common/recipes-phosphor/host-ipmid/host-ipmid/files/whitelist.conf
> new file mode 100644
> index 0000000..20dd429
> --- /dev/null
> +++ b/meta-phosphor/common/recipes-phosphor/host-ipmid/host-ipmid/files/whitelist.conf
> @@ -0,0 +1,26 @@
> +<NetFn><Command>

So a non-parsed line becomes a "comment"?

> +0x00:0x02
> +0x00:0x08
> +0x00:0x09
> +0x04:0x2D
> +0x04:0x2F
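
Review bot: the first line of the new file, `<NetFn><Command>`, has no `:` separator although every entry below it uses `NetFn:Command`, so it describes a format the file does not follow and only works if the parser silently skips lines it cannot read. Write it as an explicit comment in a syntax the parser defines, and have the parser reject any other malformed line so that a typo in an entry is reported at load time instead of being dropped.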

Would be very useful to have comments on all of these lines.
    0x00:0x02 # Function-Foo : Command-Bar
is much more consumable to humans.

-- 
Patrick Williams
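
The two format questions raised in the reply above (what happens to a line that does not parse, and per-entry comments) can be settled by a loader that treats `#` as the only comment syntax and rejects everything else. The following is an added example, not code from this thread or from phosphor-host-ipmid; the `#` syntax follows the reply's suggestion, and all function names are hypothetical.

```cpp
// Added example (not ipmid's parser): strict loader for "NetFn:Command" allow-list text.
#include <cctype>
#include <cstdint>
#include <set>
#include <sstream>
#include <stdexcept>
#include <string>
#include <utility>

using Whitelist = std::set<std::pair<std::uint8_t, std::uint8_t>>;

static std::string trim(const std::string& s) {
    const char* ws = " \t\r";
    size_t b = s.find_first_not_of(ws);
    return b == std::string::npos ? std::string() : s.substr(b, s.find_last_not_of(ws) - b + 1);
}

// Accept exactly "0x" plus one or two hex digits; anything else is an error.
static std::uint8_t parseByte(const std::string& s) {
    if (s.size() < 3 || s.size() > 4 || s[0] != '0' || s[1] != 'x')
        throw std::invalid_argument("bad field '" + s + "'");
    unsigned v = 0;
    for (size_t i = 2; i < s.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(s[i]);
        if (!std::isxdigit(c)) throw std::invalid_argument("bad field '" + s + "'");
        v = v * 16 + (std::isdigit(c) ? c - '0' : std::tolower(c) - 'a' + 10);
    }
    return static_cast<std::uint8_t>(v);
}

// Throws on the first malformed line, so a bad file is never partially applied.
Whitelist parseWhitelist(const std::string& text) {
    Whitelist wl;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        line = trim(line.substr(0, line.find('#')));  // '#' starts a comment
        if (line.empty()) continue;
        size_t colon = line.find(':');
        if (colon == std::string::npos) throw std::invalid_argument("no ':' in '" + line + "'");
        wl.emplace(parseByte(trim(line.substr(0, colon))), parseByte(trim(line.substr(colon + 1))));
    }
    return wl;
}

bool isAllowed(const Whitelist& wl, std::uint8_t netfn, std::uint8_t cmd) {
    return wl.count(std::make_pair(netfn, cmd)) != 0;
}

// True only if every non-comment line parses; a caller should refuse to start otherwise.
bool isValid(const std::string& text) {
    try { parseWhitelist(text); return true; } catch (const std::invalid_argument&) { return false; }
}
```

With this loader the patch's `<NetFn><Command>` header line is a load error until it is written as a `#` comment.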