From a7bedd7428ffb5516a897475552fe928a9abc57f Mon Sep 17 00:00:00 2001
From: Rodolfo Alonso Hernandez
Date: Thu, 4 Feb 2021 17:32:51 +0000
Subject: [PATCH] Remove rootwrap execution (3)

Replace rootwrap execution with privsep context execution. This series of patches will progressively replace any rootwrap call.

This patch migrates the execution of "ebtables" command to privsep.

Story: #2007686
Task: #41558
Change-Id: I05deec2f021e1b146fa3f6f7f9b37084df06d59d
---
 etc/neutron/rootwrap.d/ebtables.filters | 11 -----
 .../drivers/linuxbridge/agent/arp_protect.py | 2 +-
 .../linuxbridge/agent/test_arp_protect.py | 40 +++++++++----------
 3 files changed, 21 insertions(+), 32 deletions(-)
 delete mode 100644 etc/neutron/rootwrap.d/ebtables.filters
diff --git a/etc/neutron/rootwrap.d/ebtables.filters b/etc/neutron/rootwrap.d/ebtables.filters
deleted file mode 100644
index 8e810e7b551..00000000000
--- a/etc/neutron/rootwrap.d/ebtables.filters
+++ /dev/null
@@ -1,11 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-ebtables: CommandFilter, ebtables, root
diff --git a/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py b/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
index 6ed3f7ed909..600e63c2183 100644
--- a/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
+++ b/neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
@@ -233,4 +233,4 @@ NAMESPACE = None
 def ebtables(comm, table='nat'):
     execute = ip_lib.IPWrapper(NAMESPACE).netns.execute
     return execute(['ebtables', '-t', table, '--concurrent'] + comm,
-                   run_as_root=True)
+                   run_as_root=True, privsep_exec=True)
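Review bot: `ebtables()` becomes the only sanctioned route to the ebtables binary once `etc/neutron/rootwrap.d/ebtables.filters` is deleted in this same commit, yet the function still has no docstring saying so; I would add `"""Run ebtables in NAMESPACE via privsep (not rootwrap); comm is appended after '-t <table> --concurrent'."""` directly under the `def`. With the CommandFilter gone, any other caller that still reaches ebtables with `run_as_root=True` but without `privsep_exec=True` would presumably be refused by rootwrap only at runtime, so it is worth confirming no such call path remains before the filter file is removed. The deleted filter restricted rootwrap to the `ebtables` executable alone, whereas the privsep execute path looks like a generic command runner, so the authorization boundary moves from the filter file to the privsep daemon's configuration — reviewers of later patches in this series should keep that in mind. `NAMESPACE`, read on the second line of the function, is defined outside the hunk.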
diff --git a/neutron/tests/unit/plugins/ml2/drivers/linuxbridge/agent/test_arp_protect.py b/neutron/tests/unit/plugins/ml2/drivers/linuxbridge/agent/test_arp_protect.py index 41d2ac703c3..c30956251c4 100644 --- a/neutron/tests/unit/plugins/ml2/drivers/linuxbridge/agent/test_arp_protect.py +++ b/neutron/tests/unit/plugins/ml2/drivers/linuxbridge/agent/test_arp_protect.py @@ -67,39 +67,39 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase): mock.call(['ebtables', '-t', 'nat', '--concurrent', '-L'], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), mock.ANY, mock.ANY, mock.call(['ebtables', '-t', 'nat', '--concurrent', '-N', 'neutronMAC-%s' % vif, '-P', 'DROP'], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), mock.ANY, mock.call(['ebtables', '-t', 'nat', '--concurrent', '-A', 'PREROUTING', '-i', vif, '-j', mac_chain], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), mock.call(['ebtables', '-t', 'nat', '--concurrent', '-A', mac_chain, '-i', vif, '--among-src', '%s' % ','.join(sorted(mac_addresses)), '-j', 'RETURN'], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), mock.ANY, mock.ANY, mock.call(['ebtables', '-t', 'nat', '--concurrent', '-N', spoof_chain, '-P', 'DROP'], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F', spoof_chain], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), ] for addr in sorted(ip_addresses): expected.extend([ 
@@ -108,7 +108,7 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase): '--arp-ip-src', addr, '-j', 'ACCEPT'], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), ]) expected.extend([ mock.ANY, @@ -117,7 +117,7 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase): spoof_chain, '-p', 'ARP'], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), ]) arp_protect.setup_arp_spoofing_protection(vif, port) 
@@ -138,67 +138,67 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase): mock.call(['ebtables', '-t', 'nat', '--concurrent', '-L'], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), mock.ANY, mock.call(['ebtables', '-t', 'nat', '--concurrent', '-D', 'PREROUTING', '-i', VIF, '-j', spoof_chain, '-p', 'ARP'], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F', spoof_chain], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), mock.call(['ebtables', '-t', 'nat', '--concurrent', '-X', spoof_chain], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), mock.ANY, mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F', mac_chain], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), mock.call(['ebtables', '-t', 'nat', '--concurrent', '-X', mac_chain], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), mock.call(['ebtables', '-t', 'filter', '--concurrent', '-L'], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), mock.ANY, mock.call(['ebtables', '-t', 'filter', '--concurrent', '-D', 'FORWARD', '-i', VIF, '-j', spoof_chain, '-p', 'ARP'], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), mock.call(['ebtables', '-t', 'filter', '--concurrent', '-F', spoof_chain], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), 
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-X', spoof_chain], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), mock.ANY, mock.call(['ebtables', '-t', 'filter', '--concurrent', '-F', mac_chain], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), mock.call(['ebtables', '-t', 'filter', '--concurrent', '-X', mac_chain], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, - privsep_exec=False), + privsep_exec=True), ] arp_protect.delete_arp_spoofing_protection([VIF])