diff --git a/etc/neutron/rootwrap.d/ebtables.filters b/etc/neutron/rootwrap.d/ebtables.filters
deleted file mode 100644
index 8e810e7b551..00000000000
--- a/etc/neutron/rootwrap.d/ebtables.filters
+++ /dev/null
@@ -1,11 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-ebtables: CommandFilter, ebtables, root
diff --git a/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py b/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
index 6ed3f7ed909..600e63c2183 100644
--- a/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
+++ b/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
@@ -233,4 +233,4 @@ NAMESPACE = None
 def ebtables(comm, table='nat'):
 execute = ip_lib.IPWrapper(NAMESPACE).netns.execute
 return execute(['ebtables', '-t', table, '--concurrent'] + comm,
- run_as_root=True)
+ run_as_root=True, privsep_exec=True)
diff --git a/neutron/tests/unit/plugins/ml2/drivers/linuxbridge/agent/test_arp_protect.py b/neutron/tests/unit/plugins/ml2/drivers/linuxbridge/agent/test_arp_protect.py
index 41d2ac703c3..c30956251c4 100644
--- a/neutron/tests/unit/plugins/ml2/drivers/linuxbridge/agent/test_arp_protect.py
+++ b/neutron/tests/unit/plugins/ml2/drivers/linuxbridge/agent/test_arp_protect.py
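Review bot: `ebtables` in arp_protect.py has no docstring, and this hunk moves its trust boundary from the rootwrap `ebtables.filters` CommandFilter (deleted by the same commit) to the privsep daemon, which is worth recording: `"""Run ebtables on *table* (with --concurrent) in NAMESPACE as root via privsep; *comm* is the list of remaining ebtables arguments."""`. The command is passed as a list, so no shell is involved, but the privsep entrypoint that must now permit ebtables is not shown in the diff; a deployment that still ships its own rootwrap filter for ebtables will simply no longer exercise it. The hunk has no trailing context, so the `return` appears to be the last line of the file and the function is complete here.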
@@ -67,39 +67,39 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
 mock.call(['ebtables', '-t', 'nat', '--concurrent', '-L'],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 mock.ANY,
 mock.ANY,
 mock.call(['ebtables', '-t', 'nat', '--concurrent', '-N',
 'neutronMAC-%s' % vif, '-P', 'DROP'],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 mock.ANY,
 mock.call(['ebtables', '-t', 'nat', '--concurrent', '-A',
 'PREROUTING', '-i', vif, '-j', mac_chain],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 mock.call(['ebtables', '-t', 'nat', '--concurrent', '-A',
 mac_chain, '-i', vif, '--among-src',
 '%s' % ','.join(sorted(mac_addresses)),
 '-j', 'RETURN'],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 mock.ANY,
 mock.ANY,
 mock.call(['ebtables', '-t', 'nat', '--concurrent', '-N',
 spoof_chain, '-P', 'DROP'],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F',
 spoof_chain],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 ]
 for addr in sorted(ip_addresses):
 expected.extend([
@@ -108,7 +108,7 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
 '--arp-ip-src', addr, '-j', 'ACCEPT'],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 ])
 expected.extend([
 mock.ANY,
@@ -117,7 +117,7 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
 spoof_chain, '-p', 'ARP'],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 ])
 arp_protect.setup_arp_spoofing_protection(vif, port)
@@ -138,67 +138,67 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
 mock.call(['ebtables', '-t', 'nat', '--concurrent', '-L'],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 mock.ANY,
 mock.call(['ebtables', '-t', 'nat', '--concurrent', '-D',
 'PREROUTING', '-i', VIF, '-j',
 spoof_chain, '-p', 'ARP'],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F',
 spoof_chain],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 mock.call(['ebtables', '-t', 'nat', '--concurrent', '-X',
 spoof_chain],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 mock.ANY,
 mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F',
 mac_chain],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 mock.call(['ebtables', '-t', 'nat', '--concurrent', '-X',
 mac_chain],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 mock.call(['ebtables', '-t', 'filter', '--concurrent', '-L'],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 mock.ANY,
 mock.call(['ebtables', '-t', 'filter', '--concurrent', '-D',
 'FORWARD', '-i', VIF, '-j',
 spoof_chain, '-p', 'ARP'],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 mock.call(['ebtables', '-t', 'filter', '--concurrent', '-F',
 spoof_chain],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 mock.call(['ebtables', '-t', 'filter', '--concurrent', '-X',
 spoof_chain],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 mock.ANY,
 mock.call(['ebtables', '-t', 'filter', '--concurrent', '-F',
 mac_chain],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 mock.call(['ebtables', '-t', 'filter', '--concurrent', '-X',
 mac_chain],
 check_exit_code=True, extra_ok_codes=None,
 log_fail_as_error=True, run_as_root=True,
- privsep_exec=False),
+ privsep_exec=True),
 ]
 arp_protect.delete_arp_spoofing_protection([VIF])