From d04e5527d97433794a634510fd2f04ee6b579667 Mon Sep 17 00:00:00 2001
From: Brent Eagles
Date: Wed, 16 Sep 2015 11:38:19 -0230
Subject: [PATCH] Make chown rootwrap filter ipsec.secrets file specific
The LibreSwan ipsec driver needs to be able to change the ownership of generated ipsec.secrets files to root. This modifies the existing rootwrap filter to allow chown operations only to be performed on files named ipsec.secrets that have the expected UID.
Change-Id: I1305f9e78eb5fe718f3065e6a9e690293f1fca1d
Related-bug: #1493492
---
 etc/neutron/rootwrap.d/vpnaas.filters | 2 +-
 .../services/vpn/device_drivers/libreswan_ipsec.py | 6 +++---
 .../tests/unit/services/vpn/device_drivers/test_ipsec.py | 7 +++++--
 3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/etc/neutron/rootwrap.d/vpnaas.filters b/etc/neutron/rootwrap.d/vpnaas.filters
index cfefdcf17..d834404a3 100644
--- a/etc/neutron/rootwrap.d/vpnaas.filters
+++ b/etc/neutron/rootwrap.d/vpnaas.filters
@@ -14,4 +14,4 @@ ipsec: CommandFilter, ipsec, root
 strongswan: CommandFilter, strongswan, root
 neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
 neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
-chown: CommandFilter, chown, root
+chown: RegExpFilter, chown, root, chown, --from=.*, root.root, .*/ipsec.secrets
diff --git a/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py b/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
index 30336ec85..7680c3ea3 100644
--- a/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
@@ -17,8 +17,7 @@ import os.path
 import eventlet
-from neutron.i18n import _LE
-from neutron.i18n import _LW
+from neutron.i18n import _LE, _LW
 from oslo_config import cfg
 from oslo_log import log as logging
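Review bot: The `root.root` argument pattern on the new chown filter line leaves the `.` as a regex wildcard, so `root:root` is accepted only because any character is; write the literal `root:root` (or `root[:.]root` if the legacy dot form is also wanted). `--from=.*` places no constraint on the owner value at all, so the "expected UID" named in the commit message is enforced only by chown itself with whatever value the caller passes; `--from=[0-9]+` would at least pin it to a numeric uid like the `os.getuid()` the driver sends. `.*/ipsec.secrets` accepts that filename anywhere on the filesystem, and chown dereferences symlinks unless `-h` is given, so a tighter filter would anchor the path pattern to the agent's configured VPN config directory. This assumes RegExpFilter matches each argument against its pattern as a whole string; worth confirming against the oslo.rootwrap version in use.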
@@ -66,7 +65,8 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
 # running as root and the file has 0600 perms, we must set the
 # owner of the file to root.
 secrets_file = self._get_config_filename('ipsec.secrets')
- self._execute(['chown', 'root:root', secrets_file])
+ self._execute(['chown', '--from=%s' % os.getuid(), 'root:root',
+ secrets_file])
 # Load the ipsec kernel module if not loaded
 self._execute([self.binary, '_stackmanager', 'start'])
diff --git a/neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py b/neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py
index dd1da7df9..f71232ddb 100644
--- a/neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py
+++ b/neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py
@@ -16,6 +16,7 @@ import copy
 import difflib
 import io
 import mock
+import os
 import socket
 from neutron.agent.l3 import dvr_edge_router
@@ -993,7 +994,8 @@ class TestLibreSwanProcess(base.BaseTestCase):
 openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
 with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
 self.ipsec_process.ensure_configs()
- expected = [mock.call(['chown', 'root:root',
+ expected = [mock.call(['chown', '--from=%s' % os.getuid(),
+ 'root:root',
 self.ipsec_process._get_config_filename(
 'ipsec.secrets')]),
 mock.call(['ipsec', '_stackmanager', 'start']),
@@ -1005,7 +1007,8 @@ class TestLibreSwanProcess(base.BaseTestCase):
 with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
 fake_execute.side_effect = [None, None, RuntimeError, None]
 self.ipsec_process.ensure_configs()
- expected = [mock.call(['chown', 'root:root',
+ expected = [mock.call(['chown', '--from=%s' % os.getuid(),
+ 'root:root',
 self.ipsec_process._get_config_filename(
 'ipsec.secrets')]),
 mock.call(['ipsec', '_stackmanager', 'start']),
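Review bot: `os.getuid()` in the new `--from` argument is the real uid, whereas a file this process writes is owned by its effective uid; for a normally started agent the two are equal, but if they ever differ `chown --from` exits 0 without touching the file, so the secrets file would silently stay non-root-owned and `_execute` would not raise. `os.geteuid()` closes that gap: `self._execute(['chown', '--from=%s' % os.geteuid(), 'root:root', secrets_file])`, with the expected calls in test_ipsec.py changed in step. The reason for `--from` also deserves a comment beside the call, e.g. `# --from limits the chown to files still owned by this agent's uid, which lets the rootwrap filter stay narrow`, since the comment above only explains why root ownership is needed. ensure_configs starts outside the hunk.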