Set owner to root for ipsec.secrets for LibreSwan

LibreSwan runs as root and needs access to ipsec.secrets. Currently, ipsec.secrets is not owned by root and has 0600 permissions. This patch adds a rootwrap filter for the chown operation and sets the ipsec.secrets ownership to root. Change-Id: I414b5d9285d7a3ba9d3132bce9d7d5e3af43c37f Closes-Bug: #1493492
2015-09-10 10:45:47 -02:30 · 2015-09-10 10:45:47 -02:30 · fed1a9b927
commit fed1a9b927
parent 2baf733818
3 changed files with 20 additions and 5 deletions
--- a/etc/neutron/rootwrap.d/vpnaas.filters
+++ b/etc/neutron/rootwrap.d/vpnaas.filters
@ -14,3 +14,4 @@ ipsec: CommandFilter, ipsec, root
 strongswan: CommandFilter, strongswan, root
 neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
 neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
+chown: CommandFilter, chown, root
--- a/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
@ -60,6 +60,14 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
        Initialise the nssdb, otherwise pluto daemon will fail to run.
        """
        super(LibreSwanProcess, self).ensure_configs()
+
+        # LibreSwan uses the capabilities library to restrict access to
+        # ipsec.secrets to users that have explicit access. Since pluto is
+        # running as root and the file has 0600 perms, we must set the
+        # owner of the file to root.
+        secrets_file = self._get_config_filename('ipsec.secrets')
+        self._execute(['chown', 'root:root', secrets_file])
+
        # Load the ipsec kernel module if not loaded
        self._execute([self.binary, '_stackmanager', 'start'])
        # checknss creates nssdb only if it is missing
--- a/neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py
+++ b/neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py
@ -992,22 +992,28 @@ class TestLibreSwanProcess(base.BaseTestCase):
        openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
        with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
            self.ipsec_process.ensure_configs()
-            expected = [mock.call(['ipsec', '_stackmanager', 'start']),
+            expected = [mock.call(['chown', 'root:root',
+                                   self.ipsec_process._get_config_filename(
+                                       'ipsec.secrets')]),
+                        mock.call(['ipsec', '_stackmanager', 'start']),
                        mock.call(['ipsec', 'checknss',
                                   self.ipsec_process.etc_dir])]
            fake_execute.assert_has_calls(expected)
-            self.assertEqual(2, fake_execute.call_count)
+            self.assertEqual(3, fake_execute.call_count)

        with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
-            fake_execute.side_effect = [None, RuntimeError, None]
+            fake_execute.side_effect = [None, None, RuntimeError, None]
            self.ipsec_process.ensure_configs()
-            expected = [mock.call(['ipsec', '_stackmanager', 'start']),
+            expected = [mock.call(['chown', 'root:root',
+                                   self.ipsec_process._get_config_filename(
+                                       'ipsec.secrets')]),
+                        mock.call(['ipsec', '_stackmanager', 'start']),
                        mock.call(['ipsec', 'checknss',
                                   self.ipsec_process.etc_dir]),
                        mock.call(['ipsec', 'initnss',
                                   self.ipsec_process.etc_dir])]
            fake_execute.assert_has_calls(expected)
-            self.assertEqual(3, fake_execute.call_count)
+            self.assertEqual(4, fake_execute.call_count)


 class IPsecStrongswanDeviceDriverLegacy(IPSecDeviceLegacy):