Remove rootwrap execution (3)
Replace rootwrap execution with privsep context execution. This series of patches will progressively replace every rootwrap call. This patch migrates the execution of the "ebtables" command to privsep. Story: #2007686 Task: #41558 Change-Id: I05deec2f021e1b146fa3f6f7f9b37084df06d59d
This commit is contained in:
parent
7928b0d755
commit
a7bedd7428
|
@ -1,11 +0,0 @@
|
||||||
# neutron-rootwrap command filters for nodes on which neutron is
|
|
||||||
# expected to control network
|
|
||||||
#
|
|
||||||
# This file should be owned by (and only-writeable by) the root user
|
|
||||||
|
|
||||||
# format seems to be
|
|
||||||
# cmd-name: filter-name, raw-command, user, args
|
|
||||||
|
|
||||||
[Filters]
|
|
||||||
|
|
||||||
ebtables: CommandFilter, ebtables, root
|
|
|
@ -233,4 +233,4 @@ NAMESPACE = None
|
||||||
def ebtables(comm, table='nat'):
|
def ebtables(comm, table='nat'):
|
||||||
execute = ip_lib.IPWrapper(NAMESPACE).netns.execute
|
execute = ip_lib.IPWrapper(NAMESPACE).netns.execute
|
||||||
return execute(['ebtables', '-t', table, '--concurrent'] + comm,
|
return execute(['ebtables', '-t', table, '--concurrent'] + comm,
|
||||||
run_as_root=True)
|
run_as_root=True, privsep_exec=True)
|
||||||
|
|
|
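Review bot: `ebtables(comm, table='nat')` at the top of this hunk now dispatches through the privsep daemon but carries no docstring, while the first file section of this commit removes the rootwrap `CommandFilter` line `ebtables: CommandFilter, ebtables, root`; a reader of this function alone cannot see that the per-command allowlist that used to sit between the agent and root has been replaced. If the privsep entry point behind `privsep_exec=True` runs whatever argv it receives (not verifiable from this page), the effective boundary is now the privsep daemon's capability set rather than a command-name filter, and that is worth stating at the call site. Suggest `"""Run an ebtables command in NAMESPACE via the privsep daemon (replaces the former rootwrap CommandFilter for ebtables)."""` as the function's docstring. `comm` is appended to an argv list rather than a shell string, so caller-supplied arguments are not shell-interpreted; that part needs no change.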
@ -67,39 +67,39 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
|
||||||
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-L'],
|
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-L'],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
mock.ANY,
|
mock.ANY,
|
||||||
mock.ANY,
|
mock.ANY,
|
||||||
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-N',
|
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-N',
|
||||||
'neutronMAC-%s' % vif, '-P', 'DROP'],
|
'neutronMAC-%s' % vif, '-P', 'DROP'],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
mock.ANY,
|
mock.ANY,
|
||||||
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-A',
|
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-A',
|
||||||
'PREROUTING', '-i', vif, '-j', mac_chain],
|
'PREROUTING', '-i', vif, '-j', mac_chain],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-A',
|
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-A',
|
||||||
mac_chain, '-i', vif,
|
mac_chain, '-i', vif,
|
||||||
'--among-src', '%s' % ','.join(sorted(mac_addresses)),
|
'--among-src', '%s' % ','.join(sorted(mac_addresses)),
|
||||||
'-j', 'RETURN'],
|
'-j', 'RETURN'],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
mock.ANY,
|
mock.ANY,
|
||||||
mock.ANY,
|
mock.ANY,
|
||||||
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-N',
|
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-N',
|
||||||
spoof_chain, '-P', 'DROP'],
|
spoof_chain, '-P', 'DROP'],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F',
|
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F',
|
||||||
spoof_chain],
|
spoof_chain],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
]
|
]
|
||||||
for addr in sorted(ip_addresses):
|
for addr in sorted(ip_addresses):
|
||||||
expected.extend([
|
expected.extend([
|
||||||
|
@ -108,7 +108,7 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
|
||||||
'--arp-ip-src', addr, '-j', 'ACCEPT'],
|
'--arp-ip-src', addr, '-j', 'ACCEPT'],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
])
|
])
|
||||||
expected.extend([
|
expected.extend([
|
||||||
mock.ANY,
|
mock.ANY,
|
||||||
|
@ -117,7 +117,7 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
|
||||||
spoof_chain, '-p', 'ARP'],
|
spoof_chain, '-p', 'ARP'],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
])
|
])
|
||||||
|
|
||||||
arp_protect.setup_arp_spoofing_protection(vif, port)
|
arp_protect.setup_arp_spoofing_protection(vif, port)
|
||||||
|
@ -138,67 +138,67 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
|
||||||
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-L'],
|
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-L'],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
mock.ANY,
|
mock.ANY,
|
||||||
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-D',
|
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-D',
|
||||||
'PREROUTING', '-i', VIF, '-j', spoof_chain,
|
'PREROUTING', '-i', VIF, '-j', spoof_chain,
|
||||||
'-p', 'ARP'],
|
'-p', 'ARP'],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F',
|
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F',
|
||||||
spoof_chain],
|
spoof_chain],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-X',
|
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-X',
|
||||||
spoof_chain],
|
spoof_chain],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
mock.ANY,
|
mock.ANY,
|
||||||
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F',
|
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F',
|
||||||
mac_chain],
|
mac_chain],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-X',
|
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-X',
|
||||||
mac_chain],
|
mac_chain],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-L'],
|
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-L'],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
mock.ANY,
|
mock.ANY,
|
||||||
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-D',
|
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-D',
|
||||||
'FORWARD', '-i', VIF, '-j', spoof_chain,
|
'FORWARD', '-i', VIF, '-j', spoof_chain,
|
||||||
'-p', 'ARP'],
|
'-p', 'ARP'],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-F',
|
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-F',
|
||||||
spoof_chain],
|
spoof_chain],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-X',
|
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-X',
|
||||||
spoof_chain],
|
spoof_chain],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
mock.ANY,
|
mock.ANY,
|
||||||
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-F',
|
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-F',
|
||||||
mac_chain],
|
mac_chain],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-X',
|
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-X',
|
||||||
mac_chain],
|
mac_chain],
|
||||||
check_exit_code=True, extra_ok_codes=None,
|
check_exit_code=True, extra_ok_codes=None,
|
||||||
log_fail_as_error=True, run_as_root=True,
|
log_fail_as_error=True, run_as_root=True,
|
||||||
privsep_exec=False),
|
privsep_exec=True),
|
||||||
]
|
]
|
||||||
|
|
||||||
arp_protect.delete_arp_spoofing_protection([VIF])
|
arp_protect.delete_arp_spoofing_protection([VIF])
|
||||||
|
|
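Review bot: Every `mock.call(['ebtables', ...], check_exit_code=True, extra_ok_codes=None, log_fail_as_error=True, run_as_root=True, privsep_exec=True)` expectation in the hunks of this file spells out the full keyword set, so flipping a single flag touched well over a hundred lines and the next change to the kwargs `ebtables()` passes to `netns.execute` will do the same. A small module-level helper that builds the expected call from the table name and the trailing ebtables arguments would reduce each entry to one line and keep the kwargs in one place, alongside the `mock.ANY` placeholders that stay as they are. The enclosing test methods and the `expected = [` lists they fill begin above each hunk, so the helper would be introduced near the top of the test module rather than inside these hunks; a sketch follows.
```python
def _expected_ebtables_call(table, *args):
    # Mirrors the kwargs arp_protect.ebtables() hands to netns.execute.
    return mock.call(['ebtables', '-t', table, '--concurrent'] + list(args),
                     check_exit_code=True, extra_ok_codes=None,
                     log_fail_as_error=True, run_as_root=True,
                     privsep_exec=True)

# … unchanged: test setup and the opening of each expected list …
    _expected_ebtables_call('nat', '-L'),
    mock.ANY,
    mock.ANY,
    _expected_ebtables_call('nat', '-N', 'neutronMAC-%s' % vif, '-P', 'DROP'),
# … remaining expectations rewritten the same way, 'filter' where the hunk uses that table …
```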