Make chown rootwrap filter ipsec.secrets file specific
The LibreSwan ipsec driver needs to be able to change the ownership of generated ipsec.secrets files to root. This modifies the existing rootwrap filter so that chown operations are permitted only on files named ipsec.secrets that have the expected UID. Change-Id: I1305f9e78eb5fe718f3065e6a9e690293f1fca1d Related-bug: #1493492
This commit is contained in:
parent
760bca6831
commit
d04e5527d9
@ -14,4 +14,4 @@ ipsec: CommandFilter, ipsec, root
|
||||
strongswan: CommandFilter, strongswan, root
|
||||
neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
|
||||
neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
|
||||
chown: CommandFilter, chown, root
|
||||
chown: RegExpFilter, chown, root, chown, --from=.*, root.root, .*/ipsec.secrets
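Review bot: The new RegExpFilter on the chown line is looser than the description states: `--from=.*` accepts any owner value rather than the agent's UID, and the unescaped dots in `root.root` and `ipsec.secrets` are regex wildcards, so the literal `root:root` and the file name are matched only by accident. Tightening the three argument patterns keeps the call the driver makes working while rejecting anything else: `chown: RegExpFilter, chown, root, chown, --from=[0-9]+, root:root, .*/ipsec\.secrets`. As far as I recall, oslo.rootwrap's RegExpFilter anchors each pattern at both ends and requires an exact argument count, so the remaining exposure is limited to files the agent user already owns, which `--from` enforces at chown time; since chown follows symlinks by default, that ownership check is what protects against a redirected `ipsec.secrets` path, and it is worth stating in a comment next to the filter.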
|
||||
|
@ -17,8 +17,7 @@ import os.path
|
||||
|
||||
import eventlet
|
||||
|
||||
from neutron.i18n import _LE
|
||||
from neutron.i18n import _LW
|
||||
from neutron.i18n import _LE, _LW
|
||||
from oslo_config import cfg
|
||||
from oslo_log import log as logging
|
||||
|
||||
@ -66,7 +65,8 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
|
||||
# running as root and the file has 0600 perms, we must set the
|
||||
# owner of the file to root.
|
||||
secrets_file = self._get_config_filename('ipsec.secrets')
|
||||
self._execute(['chown', 'root:root', secrets_file])
|
||||
self._execute(['chown', '--from=%s' % os.getuid(), 'root:root',
|
||||
secrets_file])
|
||||
|
||||
# Load the ipsec kernel module if not loaded
|
||||
self._execute([self.binary, '_stackmanager', 'start'])
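Review bot: The comment above the chown call does not mention the `--from` flag added on the new lines, which reads as redundant with a root-owned target but is what the rootwrap filter in this commit keys on — the filter now has a `--from=` argument position, so a plain `chown root:root <file>` would no longer be permitted. Suggest extending the existing comment with `# --from limits the chown to files still owned by our uid, matching the rootwrap RegExpFilter for ipsec.secrets`. The enclosing ensure_configs method starts before this hunk, and the import consolidation in the earlier hunk raises nothing.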
|
||||
|
@ -16,6 +16,7 @@ import copy
|
||||
import difflib
|
||||
import io
|
||||
import mock
|
||||
import os
|
||||
import socket
|
||||
|
||||
from neutron.agent.l3 import dvr_edge_router
|
||||
@ -993,7 +994,8 @@ class TestLibreSwanProcess(base.BaseTestCase):
|
||||
openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
|
||||
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
|
||||
self.ipsec_process.ensure_configs()
|
||||
expected = [mock.call(['chown', 'root:root',
|
||||
expected = [mock.call(['chown', '--from=%s' % os.getuid(),
|
||||
'root:root',
|
||||
self.ipsec_process._get_config_filename(
|
||||
'ipsec.secrets')]),
|
||||
mock.call(['ipsec', '_stackmanager', 'start']),
|
||||
@ -1005,7 +1007,8 @@ class TestLibreSwanProcess(base.BaseTestCase):
|
||||
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
|
||||
fake_execute.side_effect = [None, None, RuntimeError, None]
|
||||
self.ipsec_process.ensure_configs()
|
||||
expected = [mock.call(['chown', 'root:root',
|
||||
expected = [mock.call(['chown', '--from=%s' % os.getuid(),
|
||||
'root:root',
|
||||
self.ipsec_process._get_config_filename(
|
||||
'ipsec.secrets')]),
|
||||
mock.call(['ipsec', '_stackmanager', 'start']),
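Review bot: The expected chown call in this hunk, and the identical one in the hunk at `@ -993,7 +994,8 @@`, rebuilds the argument with the same `'--from=%s' % os.getuid()` expression the implementation uses, so the assertion would still pass if the format were wrong in both places; pinning a fixed value would test the contract instead of mirroring it. One way is to patch the uid for the duration of the call, e.g. `with mock.patch('os.getuid', return_value=1000):` around `ensure_configs()` and then expect the literal `'--from=1000'`, and to build the four-element chown list once in a helper on TestLibreSwanProcess so the two tests stop duplicating it. Both test methods begin outside their hunks, so the setup that feeds these expectations is not visible here.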
|
||||
|