diff --git a/etc/neutron/rootwrap.d/debug.filters b/etc/neutron/rootwrap.d/debug.filters
index fc78f447dd7..cfc38706484 100644
--- a/etc/neutron/rootwrap.d/debug.filters
+++ b/etc/neutron/rootwrap.d/debug.filters
@@ -8,13 +8,6 @@
 [Filters]
-# This is needed because we should ping
-# from inside a namespace which requires root
-# _alt variants allow to match -c and -w in any order
-# (used by NeutronDebugAgent.ping_all)
-ping: CommandFilter, ping, root
-ping6: CommandFilter, ping6, root
-
 # "sleep" command, only for testing
 sleep: RegExpFilter, sleep, root, sleep, \d+
 kill_sleep: KillFilter, root, sleep, -9
diff --git a/etc/neutron/rootwrap.d/iptables-firewall.filters b/etc/neutron/rootwrap.d/iptables-firewall.filters
deleted file mode 100644
index bdb93fbdb96..00000000000
--- a/etc/neutron/rootwrap.d/iptables-firewall.filters
+++ /dev/null
@@ -1,15 +0,0 @@
-# neutron-rootwrap command filters for nodes on which neutron is
-# expected to control network
-#
-# This file should be owned by (and only-writeable by) the root user
-
-# format seems to be
-# cmd-name: filter-name, raw-command, user, args
-
-[Filters]
-
-# neutron/agent/linux/iptables_firewall.py
-sysctl: CommandFilter, sysctl, root
-
-# neutron/agent/linux/ip_conntrack.py
-conntrack: CommandFilter, conntrack, root
diff --git a/etc/neutron/rootwrap.d/l3.filters b/etc/neutron/rootwrap.d/l3.filters
index 9b7826d4e0a..c7eb2ab0f56 100644
--- a/etc/neutron/rootwrap.d/l3.filters
+++ b/etc/neutron/rootwrap.d/l3.filters
@@ -8,11 +8,7 @@
 [Filters]
-# arping
-arping: CommandFilter, arping, root
-
 # l3_agent
-sysctl: CommandFilter, sysctl, root
 route: CommandFilter, route, root
 radvd: CommandFilter, radvd, root
@@ -30,12 +26,6 @@ kill_radvd_script: CommandFilter, radvd-kill, root
 ip: IpFilter, ip, root
 ip_exec: IpNetnsExecFilter, ip, root
-# l3_tc_lib
-l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
-l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
-l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, mtu, 64kb, drop, flowid, :1
-l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, mtu, 64kb, drop, flowid, :1
-
 # For ip monitor
 kill_ip_monitor: KillFilter, root, ip, -9
@@ -51,9 +41,6 @@ kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9
 # keepalived kill script filter
 kill_keepalived_script: CommandFilter, keepalived-kill, root
-# l3 agent to delete floatingip's conntrack state
-conntrack: CommandFilter, conntrack, root
-
 # keepalived state change monitor
 keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
 # The following filters are used to kill the keepalived state change monitor.
diff --git a/etc/neutron/rootwrap.d/linuxbridge-plugin.filters b/etc/neutron/rootwrap.d/linuxbridge-plugin.filters
index 497d225d9a1..2ed1db28d78 100644
--- a/etc/neutron/rootwrap.d/linuxbridge-plugin.filters
+++ b/etc/neutron/rootwrap.d/linuxbridge-plugin.filters
@@ -8,13 +8,6 @@
 [Filters]
-# linuxbridge-agent
-# unclear whether both variants are necessary, but I'm transliterating
-# from the old mechanism
-brctl: CommandFilter, brctl, root
-bridge: CommandFilter, bridge, root
-sysctl: CommandFilter, sysctl, root
-
 # ip_lib
 ip: IpFilter, ip, root
 ip_exec: IpNetnsExecFilter, ip, root
diff --git a/etc/neutron/rootwrap.d/openvswitch-plugin.filters b/etc/neutron/rootwrap.d/openvswitch-plugin.filters
index 4a25f9618b7..85ae5282547 100644
--- a/etc/neutron/rootwrap.d/openvswitch-plugin.filters
+++ b/etc/neutron/rootwrap.d/openvswitch-plugin.filters
@@ -17,6 +17,3 @@ ovsdb-client: CommandFilter, ovsdb-client, root
 # ip_lib
 ip: IpFilter, ip, root
 ip_exec: IpNetnsExecFilter, ip, root
-
-# needed for FDB extension
-bridge: CommandFilter, bridge, root
diff --git a/neutron/agent/linux/ip_conntrack.py b/neutron/agent/linux/ip_conntrack.py
index c3594b0ff1f..d4c8dfff747 100644
--- a/neutron/agent/linux/ip_conntrack.py
+++ b/neutron/agent/linux/ip_conntrack.py
@@ -163,7 +163,7 @@ class IpConntrackManager(object):
 rule, remote_ip)
 for cmd in conntrack_cmds:
 try:
- self.execute(list(cmd), run_as_root=True,
+ self.execute(list(cmd), run_as_root=True, privsep_exec=True,
 check_exit_code=True,
 extra_ok_codes=[1])
 except RuntimeError:
diff --git a/neutron/agent/linux/ip_lib.py b/neutron/agent/linux/ip_lib.py
index 28c191fc8f7..e7544d18ade 100644
--- a/neutron/agent/linux/ip_lib.py
+++ b/neutron/agent/linux/ip_lib.py
@@ -135,7 +135,7 @@ class SubProcessBase(object):
 opt_list = ['-%s' % o for o in options]
 ip_cmd = add_namespace_to_cmd(['ip'], namespace)
 cmd = ip_cmd + opt_list + [command] + list(args)
- return utils.execute(cmd, run_as_root=run_as_root,
+ return utils.execute(cmd, run_as_root=run_as_root, privsep_exec=True,
 log_fail_as_error=self.log_fail_as_error)
 def set_log_fail_as_error(self, fail_with_error):
diff --git a/neutron/agent/linux/ipset_manager.py b/neutron/agent/linux/ipset_manager.py
index 49b236f48dd..a2c9c91cb3f 100644
--- a/neutron/agent/linux/ipset_manager.py
+++ b/neutron/agent/linux/ipset_manager.py
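Review bot: With `privsep_exec=True` on this `self.execute` call the conntrack command is run by the privsep daemon rather than through rootwrap, and the same commit deletes the `conntrack` rootwrap entries (iptables-firewall.filters, l3.filters) together with the `sysctl`, `bridge`, `brctl`, `arping`, `ping`/`ping6` and `tc` entries, so any caller outside this diff that still issues one of those commands under rootwrap — directly or inside `ip netns exec` — would now be refused instead of run; the removed debug.filters comment names `NeutronDebugAgent.ping_all` as such a caller and no change to it is visible here. The argument constraints the deleted filters imposed (for example the `RegExpFilter` patterns on `tc`) are not visibly re-applied on the privsep side, and `cmd` here appears to be built from rule data, so that check belongs wherever the privsep entry point validates its command list — worth confirming. A one-line comment at the call would record the new boundary: `# Runs inside the privsep daemon; the rootwrap conntrack filter was removed.` The same `privsep_exec=True` addition appears in ip_lib.py, ipset_manager.py, iptables_firewall.py and net_helpers.py, and this note covers those hunks too. The enclosing method starts and ends outside this hunk.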
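Review bot: `privsep_exec=True` is passed unconditionally here while `run_as_root` stays a parameter, so non-root `ip` invocations are also marked for privsep — the test_ip_lib.py hunks assert exactly `run_as_root=False, privsep_exec=True`. If `utils.execute` only consults the flag when running as root this is harmless, but that is not visible here; otherwise `privsep_exec=run_as_root` would keep unprivileged calls on the plain subprocess path, and either way the intent deserves a comment such as `# privsep_exec is honoured only for root runs` once that is confirmed. Separately, the `ip: IpFilter` and `ip_exec: IpNetnsExecFilter` rootwrap entries are kept in l3.filters, linuxbridge-plugin.filters and openvswitch-plugin.filters although this call no longer goes through rootwrap; if other callers still need them, say so in the commit message, otherwise they are stale allow-list entries. The signature of the enclosing method is outside this hunk.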
@@ -148,7 +148,7 @@ class IpsetManager(object):
 cmd_ns.extend(['ip', 'netns', 'exec', self.namespace])
 cmd_ns.extend(cmd)
 self.execute(cmd_ns, run_as_root=True, process_input=input,
- check_exit_code=fail_on_errors)
+ check_exit_code=fail_on_errors, privsep_exec=True)
 def _get_new_set_ips(self, set_name, expected_ips):
 new_member_ips = (set(expected_ips) -
diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py
index bf6b9188359..97b1139ba24 100644
--- a/neutron/agent/linux/iptables_firewall.py
+++ b/neutron/agent/linux/iptables_firewall.py
@@ -102,7 +102,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 log_warning = False
 if not a_utils.execute(
 ['sysctl', '-N', 'net.bridge'], run_as_root=True,
- log_fail_as_error=False, check_exit_code=False):
+ log_fail_as_error=False, check_exit_code=False,
+ privsep_exec=True):
 LOG.warning('Kernel module br_netfilter is not loaded.')
 log_warning = True
 if not log_warning:
@@ -110,7 +111,8 @@ class IptablesFirewallDriver(firewall.FirewallDriver):
 key = 'net.bridge.bridge-nf-call-%stables' % proto
 enabled = a_utils.execute(
 ['sysctl', '-b', key], run_as_root=True,
- log_fail_as_error=False, check_exit_code=False)
+ log_fail_as_error=False, check_exit_code=False,
+ privsep_exec=True)
 if enabled == '1':
 status = 'enabled'
 log_method = LOG.debug
diff --git a/neutron/tests/common/net_helpers.py b/neutron/tests/common/net_helpers.py
index 26b17addcb1..2ac810b1146 100644
--- a/neutron/tests/common/net_helpers.py
+++ b/neutron/tests/common/net_helpers.py
@@ -195,7 +195,8 @@ def _get_source_ports_from_ss_output(output):
 def get_unused_port(used, start=1024, end=None):
 if end is None:
 port_range = utils.execute(
- ['sysctl', '-n', 'net.ipv4.ip_local_port_range'], run_as_root=True)
+ ['sysctl', '-n', 'net.ipv4.ip_local_port_range'], run_as_root=True,
+ privsep_exec=True)
 end = int(port_range.split()[0]) - 1
 candidates = set(range(start, end + 1))
@@ -235,11 +236,12 @@ def get_free_namespace_port(protocol, namespace=None, start=1024, end=None):
 def set_local_port_range(start, end):
 utils.execute(
 ['sysctl', '-w', 'net.ipv4.ip_local_port_range=%d %d' % (start, end)],
- run_as_root=True)
- utils.execute(['sysctl', '-p'], run_as_root=True)
+ run_as_root=True, privsep_exec=True)
+ utils.execute(['sysctl', '-p'], run_as_root=True, privsep_exec=True)
 # verify
 port_range = utils.execute(
- ['sysctl', '-n', 'net.ipv4.ip_local_port_range'], run_as_root=True)
+ ['sysctl', '-n', 'net.ipv4.ip_local_port_range'], run_as_root=True,
+ privsep_exec=True)
 assert int(port_range.split()[0]) == start
 assert int(port_range.split()[1]) == end
diff --git a/neutron/tests/functional/agent/linux/test_netlink_lib.py b/neutron/tests/functional/agent/linux/test_netlink_lib.py
index 654884e6a8f..dd1963ea02f 100644
--- a/neutron/tests/functional/agent/linux/test_netlink_lib.py
+++ b/neutron/tests/functional/agent/linux/test_netlink_lib.py
@@ -45,10 +45,9 @@ class NetlinkLibTestCase(functional_base.BaseSudoTestCase):
 for cmd in conntrack_cmds:
 try:
- linux_utils.execute(cmd,
- run_as_root=True,
- check_exit_code=True,
- extra_ok_codes=[1])
+ linux_utils.execute(
+ cmd, run_as_root=True, check_exit_code=True,
+ privsep_exec=True, extra_ok_codes=[1])
 except RuntimeError:
 raise Exception('Error while creating entry')
@@ -66,10 +65,9 @@ class NetlinkLibTest
Case(functional_base.BaseSudoTestCase):
 while start <= end:
 cmd = ['conntrack', '-L', '-w', start]
 try:
- current_entries = linux_utils.execute(cmd,
- run_as_root=True,
- check_exit_code=True,
- extra_ok_codes=[1])
+ current_entries = linux_utils.execute(
+ cmd, run_as_root=True, check_exit_code=True,
+ privsep_exec=True, extra_ok_codes=[1])
 except RuntimeError:
 raise Exception('Error while listing entries')
 if not current_entries:
diff --git a/neutron/tests/functional/agent/test_firewall.py b/neutron/tests/functional/agent/test_firewall.py
index 27a90cd41a3..fa42a910241 100644
--- a/neutron/tests/functional/agent/test_firewall.py
+++ b/neutron/tests/functional/agent/test_firewall.py
@@ -621,7 +621,7 @@ class FirewallTestCase(BaseFirewallTestCase):
 # destination net unreachable
 self.tester._peer.execute([
 'sysctl', '-w', 'net.ipv4.conf.%s.forwarding=1' %
- self.tester._peer.port.name])
+ self.tester._peer.port.name], privsep_exec=True)
 self.tester.set_vm_default_gateway(self.tester.peer_ip_address)
 vm_sg_rules = [{'ethertype': 'IPv4', 'direction': 'egress',
 'protocol': 'icmp'}]
diff --git a/neutron/tests/unit/agent/linux/test_ip_lib.py b/neutron/tests/unit/agent/linux/test_ip_lib.py
index 8f130fff000..8b8b9a9303a 100644
--- a/neutron/tests/unit/agent/linux/test_ip_lib.py
+++ b/neutron/tests/unit/agent/linux/test_ip_lib.py
@@ -112,6 +112,7 @@ class TestSubProcessBase(base.BaseTestCase):
 self.execute.assert_called_once_with(['ip', '-o', 'link', 'list'],
 run_as_root=True,
+ privsep_exec=True,
 log_fail_as_error=True)
 def test_execute_wrapper_int_options(self):
@@ -120,6 +121,7 @@ class TestSubProcessBase(base.BaseTestCase):
 self.execute.assert_called_once_with(['ip', '-4', 'link', 'list'],
 run_as_root=False,
+ privsep_exec=True,
 log_fail_as_error=True)
 def test_execute_wrapper_no_options(self):
@@ -128,6 +130,7 @@ class TestSubProcessBase(base.BaseTestCase):
 self.execute.assert_called_once_with(['ip', 'link', 'list'],
 run_as_root=False,
+ privsep_exec=True,
 log_fail_as_error=True)
 def test_run_no_namespace(self):
@@ -135,6 +138,7 @@ class TestSubProcessBase(base.BaseTestCase):
 base._run([], 'link', ('list',))
 self.execute.assert_called_once_with(['ip', 'link', 'list'],
 run_as_root=False,
+ privsep_exec=True,
 log_fail_as_error=True)
 def test_run_namespace(self):
@@ -143,6 +147,7 @@ class TestSubProcessBase(base.BaseTestCase):
 self.execute.assert_called_once_with(['ip', 'netns', 'exec', 'ns',
 'ip', 'link', 'list'],
 run_as_root=True,
+ privsep_exec=True,
 log_fail_as_error=True)
 def test_as_root_namespace(self):
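Review bot: This call passes `privsep_exec=True` but no `run_as_root=True`, unlike every other `execute` call touched by this change; whether the `sysctl -w` write runs privileged now depends on `_peer.execute` forcing root for namespaced commands, which is not visible here. Passing `run_as_root=True` explicitly, or a short comment such as `# _peer.execute runs the command in the peer namespace as root` once that is confirmed, would make the expectation explicit. The enclosing test method starts and ends outside this hunk.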
@@ -151,6 +156,7 @@ class TestSubProcessBase(base.BaseTestCase):
 self.execute.assert_called_once_with(['ip', 'netns', 'exec', 'ns',
 'ip', 'link', 'list'],
 run_as_root=True,
+ privsep_exec=True,
 log_fail_as_error=True)
diff --git a/neutron/tests/unit/agent/linux/test_ipset_manager.py b/neutron/tests/unit/agent/linux/test_ipset_manager.py
index 58200b68eb2..88ad0337259 100644
--- a/neutron/tests/unit/agent/linux/test_ipset_manager.py
+++ b/neutron/tests/unit/agent/linux/test_ipset_manager.py
@@ -70,49 +70,42 @@ class BaseIpsetManagerTest(base.BaseTestCase):
 input = '\n'.join(temp_input)
 self.expected_calls.extend([
 mock.call(['ipset', 'restore', '-exist'],
- process_input=input,
- run_as_root=True,
- check_exit_code=True),
+ process_input=input, run_as_root=True,
+ check_exit_code=True, privsep_exec=True),
 mock.call(['ipset', 'swap', TEST_SET_NAME_NEW, TEST_SET_NAME],
- process_input=None,
- run_as_root=True,
- check_exit_code=True),
+ process_input=None, run_as_root=True,
+ check_exit_code=True, privsep_exec=True),
 mock.call(['ipset', 'destroy', TEST_SET_NAME_NEW],
- process_input=None,
- run_as_root=True,
- check_exit_code=False)])
+ process_input=None, run_as_root=True,
+ check_exit_code=False, privsep_exec=True)])
 def expect_add(self, addresses):
 self.expected_calls.extend(
 mock.call(['ipset', 'add', '-exist', TEST_SET_NAME, ip],
- process_input=None,
- run_as_root=True,
- check_exit_code=True)
+ process_input=None, run_as_root=True,
+ check_exit_code=True, privsep_exec=True)
 for ip in self.ipset._sanitize_addresses(addresses))
 def expect_del(self, addresses):
 self.expected_calls.extend(
 mock.call(['ipset', 'del', TEST_SET_NAME, ip],
- process_input=None,
- run_as_root=True,
- check_exit_code=False)
+ process_input=None, run_as_root=True,
+ check_exit_code=False, privsep_exec=True)
 for ip in self.ipset._sanitize_addresses(addresses))
 def expect_create(self):
 self.expected_calls.append(
 mock.call(['ipset', 'create', '-exist', TEST_SET_NAME, 'hash:net', 'family', 'inet'],
- process_input=None,
- run_as_root=True,
- check_exit_code=True))
+ process_input=None, run_as_root=True,
+ check_exit_code=True, privsep_exec=True))
 def expect_destroy(self):
 self.expected_calls.append(
 mock.call(['ipset', 'destroy', TEST_SET_NAME],
- process_input=None,
- run_as_root=True,
- check_exit_code=False))
+ process_input=None, run_as_root=True,
+ check_exit_code=False, privsep_exec=True))
 def add_first_ip(self):
 self.expect_set([FAKE_IPS[0]])
diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
index 725b2bed083..91106238d34 100644
--- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py
@@ -1418,8 +1418,8 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 cmd.extend(['-w', ct_zone])
 calls = [
- mock.call(cmd, run_as_root=True, check_exit_code=True,
- extra_ok_codes=[1])]
+ mock.call(cmd, run_as_root=True, privsep_exec=True,
+ check_exit_code=True, extra_ok_codes=[1])]
 self.utils_exec.assert_has_calls(calls)
 def test_remove_conntrack_entries_for_delete_rule_ipv4(self):
@@ -1472,8 +1472,8 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 if ct_zone:
 cmd.extend(['-w', ct_zone])
 expected_calls.append(
- mock.call(cmd, run_as_root=True, check_exit_code=True,
- extra_ok_codes=[1]))
+ mock.call(cmd, run_as_root=True, privsep_exec=True,
+ check_exit_code=True, extra_ok_codes=[1]))
 return expected_calls
 def _test_remove_conntrack_entries_for_port_sec_group_change(self,
@@ -1578,7 +1578,8 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase):
 conntrack_cmd.extend([remote_ip_direction, ips[ethertype][1]])
 calls.append(mock.call(conntrack_cmd,
- run_as_root=True, check_exit_code=True,
+ run_as_root=True, privsep_exec=True,
+ check_exit_code=True,
 extra_ok_codes=[1]))
 self.utils_exec.assert_has_calls(calls)