Make chown rootwrap filter ipsec.secrets file specific
The LibreSwan ipsec driver needs to be able to change the ownership of generated ipsec.secrets files to root. This modifies the existing rootwrap filter to allow chown operations only to be performed on files named ipsec.secrets that have the expected UID. Change-Id: I1305f9e78eb5fe718f3065e6a9e690293f1fca1d Related-bug: #1493492
This commit is contained in:
parent
760bca6831
commit
d04e5527d9
@ -14,4 +14,4 @@ ipsec: CommandFilter, ipsec, root
|
|||||||
strongswan: CommandFilter, strongswan, root
|
strongswan: CommandFilter, strongswan, root
|
||||||
neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
|
neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
|
||||||
neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
|
neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
|
||||||
chown: CommandFilter, chown, root
|
chown: RegExpFilter, chown, root, chown, --from=.*, root.root, .*/ipsec.secrets
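Review bot: The new RegExpFilter on the last line is looser than the commit message claims: `--from=.*` accepts any owner string, so the filter does not pin "the expected UID" (the uid is supplied by the unprivileged caller and cannot be verified here anyway), and the unescaped `.` in `root.root` and `ipsec.secrets` plus the `.*/` prefix match more paths than intended, since `.*/` admits any directory. Tightening it to `chown: RegExpFilter, chown, root, chown, --from=\d+, root:root, .*/ipsec\.secrets` keeps the driver's call (a numeric uid from os.getuid()) working while rejecting non-numeric owners and stray characters in the group or file name. If the agent's config directory is a fixed prefix, anchoring the path pattern to it instead of `.*/` would narrow the filter further; I cannot tell from this page whether that prefix is configurable.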
|
||||||
|
@ -17,8 +17,7 @@ import os.path
|
|||||||
|
|
||||||
import eventlet
|
import eventlet
|
||||||
|
|
||||||
from neutron.i18n import _LE
|
from neutron.i18n import _LE, _LW
|
||||||
from neutron.i18n import _LW
|
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
|
|
||||||
@ -66,7 +65,8 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
|
|||||||
# running as root and the file has 0600 perms, we must set the
|
# running as root and the file has 0600 perms, we must set the
|
||||||
# owner of the file to root.
|
# owner of the file to root.
|
||||||
secrets_file = self._get_config_filename('ipsec.secrets')
|
secrets_file = self._get_config_filename('ipsec.secrets')
|
||||||
self._execute(['chown', 'root:root', secrets_file])
|
self._execute(['chown', '--from=%s' % os.getuid(), 'root:root',
|
||||||
|
secrets_file])
|
||||||
|
|
||||||
# Load the ipsec kernel module if not loaded
|
# Load the ipsec kernel module if not loaded
|
||||||
self._execute([self.binary, '_stackmanager', 'start'])
|
self._execute([self.binary, '_stackmanager', 'start'])
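Review bot: The comment kept at the top of the hunk explains why the chown is needed but not the new `--from=` argument, whose purpose is only visible from the rootwrap filter change elsewhere in this commit; add a line such as `# --from=<uid> limits the chown to a file the agent's own uid owns, as required by the rootwrap RegExpFilter.` above the `self._execute(...)` call. `--from` is a GNU coreutils option, so a non-GNU chown would reject the call; that is probably acceptable for this driver but worth stating in the same comment. The enclosing method starts before the hunk.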
|
||||||
|
@ -16,6 +16,7 @@ import copy
|
|||||||
import difflib
|
import difflib
|
||||||
import io
|
import io
|
||||||
import mock
|
import mock
|
||||||
|
import os
|
||||||
import socket
|
import socket
|
||||||
|
|
||||||
from neutron.agent.l3 import dvr_edge_router
|
from neutron.agent.l3 import dvr_edge_router
|
||||||
@ -993,7 +994,8 @@ class TestLibreSwanProcess(base.BaseTestCase):
|
|||||||
openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
|
openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
|
||||||
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
|
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
|
||||||
self.ipsec_process.ensure_configs()
|
self.ipsec_process.ensure_configs()
|
||||||
expected = [mock.call(['chown', 'root:root',
|
expected = [mock.call(['chown', '--from=%s' % os.getuid(),
|
||||||
|
'root:root',
|
||||||
self.ipsec_process._get_config_filename(
|
self.ipsec_process._get_config_filename(
|
||||||
'ipsec.secrets')]),
|
'ipsec.secrets')]),
|
||||||
mock.call(['ipsec', '_stackmanager', 'start']),
|
mock.call(['ipsec', '_stackmanager', 'start']),
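Review bot: The expected `--from=%s' % os.getuid()` value mirrors the implementation rather than stating a value, so the assertion cannot detect the driver passing a wrong uid; the same applies to the hunk at line 1007. Consider patching the uid to a fixed value, e.g. `with mock.patch('os.getuid', return_value=1000):`, and asserting `'--from=1000'` literally. Both tests also build the same three-element chown `mock.call` inline; a small helper returning the expected call would keep them in step. The enclosing test methods start before their hunks.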
|
||||||
@ -1005,7 +1007,8 @@ class TestLibreSwanProcess(base.BaseTestCase):
|
|||||||
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
|
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
|
||||||
fake_execute.side_effect = [None, None, RuntimeError, None]
|
fake_execute.side_effect = [None, None, RuntimeError, None]
|
||||||
self.ipsec_process.ensure_configs()
|
self.ipsec_process.ensure_configs()
|
||||||
expected = [mock.call(['chown', 'root:root',
|
expected = [mock.call(['chown', '--from=%s' % os.getuid(),
|
||||||
|
'root:root',
|
||||||
self.ipsec_process._get_config_filename(
|
self.ipsec_process._get_config_filename(
|
||||||
'ipsec.secrets')]),
|
'ipsec.secrets')]),
|
||||||
mock.call(['ipsec', '_stackmanager', 'start']),
|
mock.call(['ipsec', '_stackmanager', 'start']),
|
||||||
|