fix: use subprocess instead of os.system in locktests.py

[orbisai0security]

Summary

Fix critical severity security issue in testcases/network/nfsv4/locks/locktests.py.

Vulnerability

Field	Value
ID	V-001
Severity	CRITICAL
Scanner	multi_agent_ai
Rule	V-001
File	testcases/network/nfsv4/locks/locktests.py:53

Description: The NFS lock test script locktests.py constructs shell command strings from external inputs (command-line arguments or parameters) and passes them directly to os.system(). The os.system() call invokes /bin/sh -c, meaning any shell metacharacters in the command string are interpreted by the shell. Five separate call sites are affected. Because NFS tests commonly run as root, a successful injection results in arbitrary command execution with full system privileges.

Changes

• testcases/network/nfsv4/locks/locktests.py

Verification

• Build passes
• Scanner re-scan confirms fix
• LLM code review passed

---

Automated security fix by OrbisAI Security

[metan-ucw]

@pevik the test looks more or less abandoned, should we remove the complete locktests.py instead?

[pevik]

@pevik the test looks more or less abandoned, should we remove the complete locktests.py instead?

I tried in the past (https://lore.kernel.org/linux-nfs/20200720091449.19813-1-pvorel@suse.cz/), there are answers:

from J. Bruce Fields (ex. NFSD maintainer)
https://lore.kernel.org/linux-nfs/20200720170117.GB25707@fieldses.org/

Looks like they may test some things (ACL enforcement, multi-client
locking), that our other test suites don't.

On the other hand, if nobody's actually running them then maybe it's on
us to adopt them if we want them. (Not volunteering for now.)

and Christoph Hellwig:
https://lore.kernel.org/linux-nfs/20200720151742.GA16973@infradead.org/

NFS tests using the kernel sound like a prime candidate for xfstests.

I wonder if we should just send RFC patch and Cc linux-nfs@vger.kernel.org and fstests@vger.kernel.org.

[metan-ucw]

@pevik I guess that we can try that after the May release.