Squash dac_admin privsep context.
As discussed at the PTG, squash the dac_admin privsep context into the sys_admin context. Change-Id: I10142be4baa404835fabebd50f7f976ca6ec402e blueprint: hurrah-for-privsep
This commit is contained in:
parent
8ea68a5ebe
commit
e00d8eb759
|
@ -198,10 +198,10 @@ scsi_id: CommandFilter, /lib/udev/scsi_id, root
|
|||
# and (implicitly) the actual python code invoked.
|
||||
privsep-rootwrap-os_brick: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
|
||||
|
||||
privsep-rootwrap-dac_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.dac_admin_pctxt, --privsep_sock_path, /tmp/.*
|
||||
|
||||
privsep-rootwrap-dacnet_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.dacnet_admin_pctxt, --privsep_sock_path, /tmp/.*
|
||||
|
||||
privsep-rootwrap-sys_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.sys_admin_pctxt, --privsep_sock_path, /tmp/.*
|
||||
|
||||
# nova/virt/libvirt/storage/dmcrypt.py:
|
||||
cryptsetup: CommandFilter, cryptsetup, root
|
||||
|
||||
|
|
|
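Review bot: The `--config-file` argument pattern on the retained `privsep-rootwrap-sys_admin` line, `/etc/(?!\.\.).*`, only rejects a `..` component immediately after `/etc/`, so a value such as `/etc/nova/../../tmp/x.conf` still matches and privsep-helper is started as root with a config chosen by whoever can invoke rootwrap as the service user; the neighbouring filter lines carry the same pattern, but this is the line that now fronts the merged capability set. Whether this line is new or carried over cannot be read from the rendered hunk, so this may be a follow-up rather than part of the squash. A pattern that rejects `..` anywhere in the path, `--config-file, /etc/(?!.*\.\.).*`, closes it for every remaining filter line.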
@ -18,19 +18,6 @@
|
|||
from oslo_privsep import capabilities
|
||||
from oslo_privsep import priv_context
|
||||
|
||||
# NOTE(tonyb): DAC == Discriminatory Access Control. Basically this context
|
||||
# can bypass permissions checks in the file-system.
|
||||
dac_admin_pctxt = priv_context.PrivContext(
|
||||
'nova',
|
||||
cfg_section='nova_dac_admin',
|
||||
pypath=__name__ + '.dac_admin_pctxt',
|
||||
capabilities=[capabilities.CAP_CHOWN,
|
||||
capabilities.CAP_DAC_OVERRIDE,
|
||||
capabilities.CAP_DAC_READ_SEARCH,
|
||||
capabilities.CAP_FOWNER],
|
||||
)
|
||||
|
||||
|
||||
# NOTE(mikal): DAC + CAP_NET_ADMIN, required for network sysfs changes
|
||||
dacnet_admin_pctxt = priv_context.PrivContext(
|
||||
'nova',
|
||||
|
|
|
@ -14,8 +14,7 @@
|
|||
# under the License.
|
||||
|
||||
"""
|
||||
libvirt specific routines that use the dac_admin_pctxt to bypass file-system
|
||||
checks.
|
||||
libvirt specific routines.
|
||||
"""
|
||||
|
||||
import errno
|
||||
|
@ -24,7 +23,7 @@ import os
|
|||
import nova.privsep
|
||||
|
||||
|
||||
@nova.privsep.dac_admin_pctxt.entrypoint
|
||||
@nova.privsep.sys_admin_pctxt.entrypoint
|
||||
def last_bytes(path, num):
|
||||
# NOTE(mikal): this is implemented in this contrived manner because you
|
||||
# can't mock a decorator in python (they're loaded at file parse time,
|
||||
|
|
|
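Review bot: The replacement module docstring `libvirt specific routines.` drops the only statement that these functions execute in a privileged context; a reader of `last_bytes` now has to notice the decorator to learn that it runs out-of-process as root. Keep that fact in the docstring, e.g. `"""libvirt specific routines that run as privileged entrypoints under sys_admin_pctxt (see nova.privsep)."""`. `last_bytes` itself continues past the end of the hunk, so its body is not reviewed here.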
@ -13,7 +13,7 @@
|
|||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
"""Routines that use the dac_admin_pctxt to bypass file-system checks"""
|
||||
"""Routines that bypass file-system checks."""
|
||||
|
||||
import os
|
||||
|
||||
|
@ -23,7 +23,7 @@ from nova import exception
|
|||
import nova.privsep
|
||||
|
||||
|
||||
@nova.privsep.dac_admin_pctxt.entrypoint
|
||||
@nova.privsep.sys_admin_pctxt.entrypoint
|
||||
def readfile(path):
|
||||
if not os.path.exists(path):
|
||||
raise exception.FileNotFound(file_path=path)
|
||||
|
@ -31,7 +31,7 @@ def readfile(path):
|
|||
return f.read()
|
||||
|
||||
|
||||
@nova.privsep.dac_admin_pctxt.entrypoint
|
||||
@nova.privsep.sys_admin_pctxt.entrypoint
|
||||
def writefile(path, mode, content):
|
||||
if not os.path.exists(path):
|
||||
raise exception.FileNotFound(file_path=path)
|
||||
|
@ -39,33 +39,33 @@ def writefile(path, mode, content):
|
|||
f.write(content)
|
||||
|
||||
|
||||
@nova.privsep.dac_admin_pctxt.entrypoint
|
||||
@nova.privsep.sys_admin_pctxt.entrypoint
|
||||
def readlink(path):
|
||||
if not os.path.exists(path):
|
||||
raise exception.FileNotFound(file_path=path)
|
||||
return os.readlink(path)
|
||||
|
||||
|
||||
@nova.privsep.dac_admin_pctxt.entrypoint
|
||||
@nova.privsep.sys_admin_pctxt.entrypoint
|
||||
def chown(path, uid=-1, gid=-1):
|
||||
if not os.path.exists(path):
|
||||
raise exception.FileNotFound(file_path=path)
|
||||
return os.chown(path, uid, gid)
|
||||
|
||||
|
||||
@nova.privsep.dac_admin_pctxt.entrypoint
|
||||
@nova.privsep.sys_admin_pctxt.entrypoint
|
||||
def makedirs(path):
|
||||
fileutils.ensure_tree(path)
|
||||
|
||||
|
||||
@nova.privsep.dac_admin_pctxt.entrypoint
|
||||
@nova.privsep.sys_admin_pctxt.entrypoint
|
||||
def chmod(path, mode):
|
||||
if not os.path.exists(path):
|
||||
raise exception.FileNotFound(file_path=path)
|
||||
os.chmod(path, mode)
|
||||
|
||||
|
||||
@nova.privsep.dac_admin_pctxt.entrypoint
|
||||
@nova.privsep.sys_admin_pctxt.entrypoint
|
||||
def utime(path):
|
||||
if not os.path.exists(path):
|
||||
raise exception.FileNotFound(file_path=path)
|
||||
|
@ -79,6 +79,6 @@ def utime(path):
|
|||
|
||||
class path(object):
|
||||
@staticmethod
|
||||
@nova.privsep.dac_admin_pctxt.entrypoint
|
||||
@nova.privsep.sys_admin_pctxt.entrypoint
|
||||
def exists(path):
|
||||
return os.path.exists(path)
|
||||
|
|
|
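Review bot: Every entrypoint in this file now runs with whatever capability set `sys_admin_pctxt` declares, and that definition is outside this page, so it cannot be confirmed here that the four capabilities the deleted `dac_admin_pctxt` listed (CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER) were folded into it; if they were not, `chown` fails with EPERM and `readfile`/`writefile`/`chmod` fail on files the helper's uid does not own, so please double-check that list. The reverse direction is the least-privilege cost of the squash: `readfile`, `writefile`, `readlink`, `chmod`, `utime` and `path.exists` take an unrestricted caller-supplied path and now also hold whatever capabilities that context already carried (presumably CAP_SYS_ADMIN, given its name), which widens what an injected path can reach; a module-level note such as `# NOTE: these entrypoints run under sys_admin_pctxt with the full merged capability set; callers, not this module, must validate paths.` would make that explicit. The `os.path.exists` pre-checks are pre-existing, but while these entrypoints change context it is worth noting that they are a TOCTOU window rather than a safeguard, and that `os.path.exists` follows symlinks and returns False for a dangling one, so `readlink` can never be used on such a link.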
@ -1,7 +1,7 @@
|
|||
---
|
||||
upgrade:
|
||||
- |
|
||||
A dac-admin privsep daemon has been added and needs to be included in your
|
||||
A sys-admin privsep daemon has been added and needs to be included in your
|
||||
rootwrap configuration.
|
||||
- |
|
||||
A dacnet-admin privsep daemon has been added and needs to be included in
|
||||
|
|