Stop device_owner from being set to 'network:*'
This patch adjusts the FieldCheck class in the policy engine to allow a regex rule. It then leverages that to prevent users from setting the device_owner field to anything that starts with 'network:' on networks which they do not own. This policy adjustment is necessary because any ports with a device_owner that starts with 'network:' will not have any security group rules applied because it is assumed they are trusted network devices (e.g. router ports, DHCP ports, etc). These security rules include the anti-spoofing protection for DHCP, IPv6 ICMP messages, and IP headers. Without this policy adjustment, tenants can abuse this trust when connected to a shared network with other tenants by setting their VM port's device_owner field to 'network:<anything>' and hijack other tenants' traffic via DHCP spoofing or MAC/IP spoofing. Closes-Bug: #1489111 Change-Id: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9
This commit is contained in:
parent
dea7a21561
commit
08f3c9dae0
|
@ -56,7 +56,9 @@
|
|||
"update_network:router:external": "rule:admin_only",
|
||||
"delete_network": "rule:admin_or_owner",
|
||||
|
||||
"network_device": "field:port:device_owner=~^network:",
|
||||
"create_port": "",
|
||||
"create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||
"create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||
"create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||
"create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||
|
@ -71,6 +73,7 @@
|
|||
"get_port:binding:host_id": "rule:admin_only",
|
||||
"get_port:binding:profile": "rule:admin_only",
|
||||
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
||||
"update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
|
||||
"update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||
"update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||
|
|
|
@ -56,7 +56,9 @@
|
|||
"update_network:router:external": "rule:admin_only",
|
||||
"delete_network": "rule:admin_or_owner",
|
||||
|
||||
"network_device": "field:port:device_owner=~^network:",
|
||||
"create_port": "",
|
||||
"create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||
"create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||
"create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||
"create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||
|
@ -71,6 +73,7 @@
|
|||
"get_port:binding:host_id": "rule:admin_only",
|
||||
"get_port:binding:profile": "rule:admin_only",
|
||||
"update_port": "rule:admin_or_owner or rule:context_is_advsvc",
|
||||
"update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||
"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
|
||||
"update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||
"update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
|
||||
|
|
Loading…
Reference in New Issue