cleanup TCB/forbid_xxx.jsonnet, factorize in common.libsonnet (semgre…

…p#9882) test plan: make check
shombo · Mar 5, 2024 · 018f7e7 · 018f7e7
1 parent dde6675
commit 018f7e7
Show file tree

Hide file tree

Showing 7 changed files with 52 additions and 29 deletions.
diff --git a/TCB/common.libsonnet b/TCB/common.libsonnet
@@ -0,0 +1,16 @@
+{
+  exclude_paths: [
+    'TCB/*',
+    'tools/*',
+    'scripts/*',
+    'stats/*',
+    '*_main.ml',
+    'Main.ml',
+    'Test*.ml',
+    'Unit_*.ml',
+  ],
+
+  exclude: {
+    exclude: self.exclude_paths,
+  },
+}
diff --git a/TCB/forbid_chdir.jsonnet b/TCB/forbid_chdir.jsonnet
@@ -0,0 +1,22 @@
+local common = import 'common.libsonnet';
+
+{
+  rules: [
+    {
+      id: 'forbid-chdir',
+      match: { any: [
+#TODO
+#        'Unix.chdir','UUnix.chdir',
+	#	'Sys.chdir', 'USys.chdir',
+	'TODO.chdir',
+      ] },
+      languages: ['ocaml'],
+      paths: common.exclude,
+      severity: 'ERROR',
+      message: |||
+        Do not use directly chdir. Use the safer CapSys.chdir().
+      |||,
+    },
+  ],
+
+}
diff --git a/TCB/forbid_everything.jsonnet b/TCB/forbid_everything.jsonnet
@@ -7,6 +7,7 @@
 local forbid_exit = import 'forbid_exit.jsonnet';
 local forbid_network = import 'forbid_network.jsonnet';
 local forbid_exec = import 'forbid_exec.jsonnet';
+local forbid_chdir = import 'forbid_chdir.jsonnet';
 //TODO: forbid_fs, forbid_process, etc.
 local forbid_tmp = import "forbid_tmp.jsonnet";
 local forbid_misc = import 'forbid_misc.jsonnet';
@@ -15,6 +16,7 @@ local forbid_misc = import 'forbid_misc.jsonnet';
     forbid_exit.rules +
     forbid_network.rules +
     forbid_exec.rules +
+    forbid_chdir.rules +
     forbid_tmp.rules +
     forbid_misc.rules
 }
diff --git a/TCB/forbid_exec.jsonnet b/TCB/forbid_exec.jsonnet
@@ -1,3 +1,5 @@
+local common = import 'common.libsonnet';
+
 // helpers
 local unix_funcs = [
   'system',
@@ -38,13 +40,7 @@ local unix_funcs = [
           [],
       },
       languages: ['ocaml'],
-      paths: {
-        exclude: [
-           'TCB/*',
-           'tools/*', 'scripts/*', 'stats/*',
-           'Test*.ml',  'Unit_*.ml',
-        ],
-      },
+      paths: common.exclude,
       severity: 'ERROR',
       message: |||
         Do not invoke directly external commands. Use the safer CapExec.ml module.

diff --git a/TCB/forbid_exit.jsonnet b/TCB/forbid_exit.jsonnet
@@ -1,3 +1,5 @@
+local common = import 'common.libsonnet';
+
 {
   rules: [
     {
@@ -10,14 +12,7 @@
 	'UUnix._exit'
       ] },
       languages: ['ocaml'],
-      paths: {
-        exclude: [
-           'TCB/*',
-           'tools/*', 'scripts/*',
-            '*_main.ml', 'Main.ml',
-            'Test*.ml',
-         ],
-      },
+      paths: common.exclude,
       severity: 'ERROR',
       message: |||
         Do not use directly exit(). Either raise Common.UnixExit or use the

diff --git a/TCB/forbid_misc.jsonnet b/TCB/forbid_misc.jsonnet
@@ -1,3 +1,5 @@
+local common = import 'common.libsonnet';
+
 {
   rules: [
     {
@@ -6,14 +8,7 @@
 	'Random.$F',
       ] },
       languages: ['ocaml'],
-      paths: {
-        exclude: [
-           'TCB/*',
-           'tools/*', 'scripts/*',
-            '*_main.ml', 'Main.ml',
-            'Test*.ml', 'Unit*.ml',
-         ],
-      },
+      paths: common.exclude,
       severity: 'ERROR',
       message: |||
         Do not use directly Random; use the safer CapRandom module.

diff --git a/TCB/forbid_tmp.jsonnet b/TCB/forbid_tmp.jsonnet
@@ -1,3 +1,5 @@
+local common = import 'common.libsonnet';
+
 // helpers
 local funcs = [
   "temp_file",
@@ -21,12 +23,7 @@ local funcs = [
       },
       languages: ['ocaml'],
       paths: {
-        exclude: [
-           "UTmp.ml", "CapTmp.ml",
-           'TCB/*',
-           'tools/*', 'scripts/*', 'stats/*',
-           'Test*.ml',  'Unit_*.ml',
-        ],
+        exclude: common.exclude_paths + ["UTmp.ml", "CapTmp.ml"],
       },
       severity: 'ERROR',
       message: |||