
NVIDIA / nvrc / 20939218827

12 Jan 2026 11:54PM UTC coverage: 89.229%. First build
20939218827

Pull #121

github

web-flow
Merge 2a3706137 into f13bb81bd
Pull Request #121: hardened_std: Implement execute hardened

156 of 171 new or added lines in 6 files covered. (91.23%)

1806 of 2024 relevant lines covered (89.23%)

16.71 hits per line

Source File

98.72
/src/execute.rs
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) NVIDIA CORPORATION

use anyhow::{anyhow, Context, Result};
use hardened_std::process::{Child, Command, Stdio};

use crate::kmsg::kmsg;

/// Runs `command` with `args`, waits for it to exit, and fails unless the exit
/// status is a success.
///
/// The child's stdout and stderr are both redirected to the kmsg device so the
/// output shows up in dmesg/the kernel log - the only reliable log destination
/// in minimal VMs. Intended for setup commands that must succeed before
/// continuing (nvidia-smi, modprobe).
///
/// `command` is `&'static str`, so the binary path has to outlive the whole
/// program - in practice a string literal rather than run-time input. The
/// "Binary not allowed" error text suggests `hardened_std::process::Command`
/// also checks the path against an allowlist.
/// NOTE(review): that enforcement is not visible in this file - confirm it in
/// hardened_std.
///
/// # Errors
///
/// Returns an error if the kmsg device cannot be opened or cloned, if `args`
/// is rejected, if the binary cannot be executed, or if it exits with a
/// non-success status.
pub fn foreground(command: &'static str, args: &[&str]) -> Result<()> {
    // The complete argument list is written verbatim to the debug log.
    debug!("{} {}", command, args.join(" "));

    let log_sink = kmsg().context("Failed to open kmsg device")?;
    let mut child_cmd = Command::new(command);
    child_cmd
        .args(args)
        .map_err(|e| anyhow!("Invalid arguments: {}", e))?;

    // stdout receives a clone of the kmsg handle; stderr consumes the original.
    let stdout_sink = log_sink
        .try_clone()
        .map_err(|e| anyhow!("Failed to clone kmsg file: {}", e))?;
    child_cmd.stdout(Stdio::from(stdout_sink));
    child_cmd.stderr(Stdio::from(log_sink));

    // Every launch error is reported with the same text, whatever its cause.
    let exit = child_cmd
        .status()
        .map_err(|e| anyhow!("Binary not allowed or failed to execute {}: {}", command, e))?;

    if exit.success() {
        Ok(())
    } else {
        Err(anyhow!("{} failed ({})", command, exit))
    }
}

/// Starts `command` with `args` and returns immediately with its [`Child`]
/// handle, so the caller can track the process later.
///
/// Used for long-running services (nvidia-persistenced, fabricmanager) that
/// run alongside kata-agent. The child's stdout and stderr are both redirected
/// to the kmsg device for visibility in the kernel log.
///
/// `command` is `&'static str`, so the binary path has to outlive the whole
/// program - in practice a string literal rather than run-time input. The
/// "Binary not allowed" error text suggests `hardened_std::process::Command`
/// also checks the path against an allowlist.
/// NOTE(review): that enforcement is not visible in this file - confirm it in
/// hardened_std.
///
/// # Errors
///
/// Returns an error if the kmsg device cannot be opened or cloned, if `args`
/// is rejected, or if the process cannot be started. The exit status is not
/// checked here; that is left to whoever holds the returned `Child`.
pub fn background(command: &'static str, args: &[&str]) -> Result<Child> {
    // The complete argument list is written verbatim to the debug log.
    debug!("{} {}", command, args.join(" "));

    let log_sink = kmsg().context("Failed to open kmsg device")?;
    let mut daemon_cmd = Command::new(command);
    daemon_cmd
        .args(args)
        .map_err(|e| anyhow!("Invalid arguments: {}", e))?;

    // stdout receives a clone of the kmsg handle; stderr consumes the original.
    let stdout_sink = log_sink
        .try_clone()
        .map_err(|e| anyhow!("Failed to clone kmsg file: {}", e))?;
    daemon_cmd.stdout(Stdio::from(stdout_sink));
    daemon_cmd.stderr(Stdio::from(log_sink));

    // Every launch error is reported with the same text, whatever its cause.
    let spawned = daemon_cmd.spawn();
    spawned.map_err(|e| anyhow!("Binary not allowed or failed to start {}: {}", command, e))
}

#[cfg(test)]
mod tests {
    //! Tests for `foreground` and `background`. They launch real binaries
    //! (/bin/true, /bin/false, /bin/sh, /bin/sleep) through hardened_std.
    //!
    //! NOTE(review): several tests expect `/bin/sh -c ...` to run, so a shell
    //! must be launchable in the test configuration. Confirm that any such
    //! allowance is limited to test builds.

    use super::*;

    // ==================== foreground tests ====================

    /// A command that exits 0 yields `Ok`.
    #[test]
    fn test_foreground_success() {
        let outcome = foreground("/bin/true", &[]);
        assert!(outcome.is_ok());
    }

    /// A command that starts but exits non-zero yields an error containing "failed".
    #[test]
    fn test_foreground_failure_exit_code() {
        let outcome = foreground("/bin/false", &[]);
        assert!(outcome.is_err());
        let message = outcome.unwrap_err().to_string();
        assert!(message.contains("failed"));
    }

    /// A path that cannot be launched is reported as "not allowed".
    ///
    /// NOTE(review): `foreground` words every launch error as "Binary not
    /// allowed or failed to execute ...", so this substring check passes for
    /// any launch failure. With a nonexistent path it does not by itself show
    /// that an allowlist rejected the command.
    #[test]
    fn test_foreground_not_allowed() {
        let outcome = foreground("/nonexistent/command", &[]);
        assert!(outcome.is_err());
        let message = outcome.unwrap_err().to_string();
        assert!(message.contains("not allowed"));
    }

    /// Arguments reach the child: the shell's exit code decides the result.
    #[test]
    fn test_foreground_with_args() {
        let zero_exit = foreground("/bin/sh", &["-c", "exit 0"]);
        assert!(zero_exit.is_ok());

        let nonzero_exit = foreground("/bin/sh", &["-c", "exit 42"]);
        assert!(nonzero_exit.is_err());
    }

    // ==================== background tests ====================

    /// A spawned process can be waited on and reports success.
    #[test]
    fn test_background_spawns() {
        let spawned = background("/bin/sleep", &["0.01"]);
        assert!(spawned.is_ok());
        let mut daemon = spawned.unwrap();
        let exit = daemon.wait().unwrap();
        assert!(exit.success());
    }

    /// A path that cannot be launched is reported as "not allowed".
    ///
    /// NOTE(review): `background` words every launch error as "Binary not
    /// allowed or failed to start ...", so this substring check passes for any
    /// launch failure, not only for an allowlist rejection.
    #[test]
    fn test_background_not_allowed() {
        let spawned = background("/nonexistent/command", &[]);
        assert!(spawned.is_err());
        let message = spawned.unwrap_err().to_string();
        assert!(
            message.contains("not allowed"),
            "error should mention not allowed: {}",
            message
        );
    }

    /// `background` does not inspect the exit status; the caller sees it via `wait`.
    #[test]
    fn test_background_check_later() {
        let spawned = background("/bin/sh", &["-c", "exit 7"]);
        assert!(spawned.is_ok());
        let mut daemon = spawned.unwrap();
        let exit = daemon.wait().unwrap();
        assert!(!exit.success());
        assert_eq!(exit.code(), Some(7));
    }
}