From 899953de6b40e5dfc5c58d6bb45e48eed634a30c Mon Sep 17 00:00:00 2001
From: Rodolfo Alonso Hernandez
Date: Tue, 13 Jul 2021 16:37:15 +0000
Subject: [PATCH] Add a privsep context only for link commands

This new context will have only two capabilities: CAP_NET_ADMIN and CAP_SYS_ADMIN (for operations inside namespaces).

Change-Id: If9273db1a7ccdce3a81f68fce78408830e9c3d42
---
 neutron/privileged/__init__.py | 9 +++++++++
 neutron/privileged/agent/linux/ip_lib.py | 16 ++++++++--------
 .../functional/cmd/test_linuxbridge_cleanup.py | 5 ++++-
 .../unit/privileged/agent/linux/test_ip_lib.py | 4 ++--
 4 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/neutron/privileged/__init__.py b/neutron/privileged/__init__.py
index 76eb7080271..dadbe5ab97b 100644
--- a/neutron/privileged/__init__.py
+++ b/neutron/privileged/__init__.py
@@ -62,3 +62,12 @@ conntrack_cmd = priv_context.PrivContext(
     pypath=__name__ + '.conntrack_cmd',
     capabilities=[caps.CAP_NET_ADMIN]
 )
+
+
+link_cmd = priv_context.PrivContext(
+    __name__,
+    cfg_section='privsep_link',
+    pypath=__name__ + '.link_cmd',
+    capabilities=[caps.CAP_NET_ADMIN,
+                  caps.CAP_SYS_ADMIN]
+)
diff --git a/neutron/privileged/agent/linux/ip_lib.py b/neutron/privileged/agent/linux/ip_lib.py
index eb49bb1e024..685603e0c62 100644
--- a/neutron/privileged/agent/linux/ip_lib.py
+++ b/neutron/privileged/agent/linux/ip_lib.py
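Review bot: The new `link_cmd` context grants CAP_SYS_ADMIN with no comment recording what needs it, and since CAP_SYS_ADMIN is far broader than CAP_NET_ADMIN the reason belongs next to the capability list; the commit message attributes it to operations inside namespaces, so a note such as `# CAP_SYS_ADMIN: needed to enter network namespaces; CAP_NET_ADMIN alone is not enough  # TODO confirm against the entrypoints using this context` above `capabilities=` would let a later reviewer decide whether it is still required. The new `cfg_section='privsep_link'` also means every deployment and test harness that configures a `[privsep]` helper_command needs a matching `[privsep_link]` entry; only the linuxbridge cleanup functional test is updated in this change, so other functional test bases and the sample/deploy configuration presumably need the same addition, and a release note pointing operators at the new section would help.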
@@ -340,43 +340,43 @@ def interface_exists(ifname, namespace):
         raise
 
 
-@privileged.default.entrypoint
+@privileged.link_cmd.entrypoint
 def set_link_flags(device, namespace, flags):
     link = _run_iproute_link("get", device, namespace)[0]
     new_flags = flags | link['flags']
     return _run_iproute_link("set", device, namespace, flags=new_flags)
 
 
-@privileged.default.entrypoint
+@privileged.link_cmd.entrypoint
 def set_link_attribute(device, namespace, **attributes):
     return _run_iproute_link("set", device, namespace, **attributes)
 
 
-@privileged.default.entrypoint
+@privileged.link_cmd.entrypoint
 def set_link_vf_feature(device, namespace, vf_config):
     return _run_iproute_link("set", device, namespace=namespace, vf=vf_config)
 
 
-@privileged.default.entrypoint
+@privileged.link_cmd.entrypoint
 def set_link_bridge_forward_delay(device, forward_delay, namespace=None):
     return _run_iproute_link('set', device, namespace=namespace, kind='bridge',
                              br_forward_delay=forward_delay)
 
 
-@privileged.default.entrypoint
+@privileged.link_cmd.entrypoint
 def set_link_bridge_stp(device, stp, namespace=None):
     return _run_iproute_link('set', device, namespace=namespace, kind='bridge',
                              br_stp_state=stp)
 
 
-@privileged.default.entrypoint
+@privileged.link_cmd.entrypoint
 def set_link_bridge_master(device, bridge, namespace=None):
     bridge_idx = get_link_id(bridge, namespace) if bridge else 0
     return _run_iproute_link('set', device, namespace=namespace,
                              master=bridge_idx)
 
 
-@privileged.default.entrypoint
+@privileged.link_cmd.entrypoint
 def get_link_attributes(device, namespace):
     link = _run_iproute_link("get", device, namespace)[0]
     return {
@@ -392,7 +392,7 @@ def get_link_attributes(device, namespace):
     }
 
 
-@privileged.default.entrypoint
+@privileged.link_cmd.entrypoint
 def get_link_vfs(device, namespace):
     link = _run_iproute_link('get', device, namespace=namespace, ext_mask=1)[0]
     num_vfs = link.get_attr('IFLA_NUM_VF')
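Review bot: `set_link_bridge_master` now executes inside the `link_cmd` privsep daemon but still calls `get_link_id(bridge, namespace)`, which is defined outside this hunk; if `get_link_id` is itself a `privileged.default.entrypoint`, that call is made from a process where `default.client_mode` is still in client mode, so it would try to reach (or spawn) the `default` privsep daemon from inside the link daemon instead of running locally. Either move `get_link_id` to `@privileged.link_cmd.entrypoint` as well or have `set_link_bridge_master` resolve the bridge index through the undecorated `_run_iproute_link('get', ...)` path it already uses for the device. The same check applies to any other helper these relocated entrypoints call that stays on the `default` context; `_run_iproute_link` looks like a plain helper here, so it is unaffected. `get_link_vfs` in the second hunk continues outside the hunk.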
diff --git a/neutron/tests/functional/cmd/test_linuxbridge_cleanup.py b/neutron/tests/functional/cmd/test_linuxbridge_cleanup.py
index 63b97268d19..e890e6986bf 100644
--- a/neutron/tests/functional/cmd/test_linuxbridge_cleanup.py
+++ b/neutron/tests/functional/cmd/test_linuxbridge_cleanup.py
@@ -50,7 +50,10 @@ class LinuxbridgeCleanupTest(base.BaseSudoTestCase):
             },
             'privsep': {
                 'helper_command': ' '.join(['sudo', '-E', privsep_helper]),
-            }
+            },
+            'privsep_link': {
+                'helper_command': ' '.join(['sudo', '-E', privsep_helper]),
+            },
         })
 
         config.update({'VXLAN': {'enable_vxlan': 'False'}})
diff --git a/neutron/tests/unit/privileged/agent/linux/test_ip_lib.py b/neutron/tests/unit/privileged/agent/linux/test_ip_lib.py
index 51c2bd67508..f019f343f9e 100644
--- a/neutron/tests/unit/privileged/agent/linux/test_ip_lib.py
+++ b/neutron/tests/unit/privileged/agent/linux/test_ip_lib.py
@@ -227,7 +227,7 @@ class IpLibTestCase(base.BaseTestCase):
             self.assertEqual(errno.EINVAL, e.errno)
 
     def _clean(self, client_mode):
-        priv_lib.privileged.default.client_mode = client_mode
+        priv_lib.privileged.link_cmd.client_mode = client_mode
 
     def test_get_link_vfs(self):
         # NOTE(ralonsoh): there should be a functional test checking this
@@ -249,7 +249,7 @@ class IpLibTestCase(base.BaseTestCase):
         value.setvalue({'attrs': [('IFLA_NUM_VF', 3),
                                   ('IFLA_VFINFO_LIST', vfinfo_list)]})
         client_mode = priv_lib.privileged.default.client_mode
-        priv_lib.privileged.default.client_mode = False
+        priv_lib.privileged.link_cmd.client_mode = False
         self.addCleanup(self._clean, client_mode)
         with mock.patch.object(priv_lib, '_run_iproute_link') as mock_iplink:
             mock_iplink.return_value = [value]
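Review bot: In the `test_get_link_vfs` hunk (`@@ -249,7`), `client_mode` is still read from `priv_lib.privileged.default.client_mode` while the next line switches `link_cmd.client_mode` to False and `_clean` (the `@@ -227,7` hunk) restores it on `link_cmd`, so the cleanup writes the `default` context's flag into `link_cmd` and leaves the wrong value behind whenever the two contexts differ. The read should move with the write: `client_mode = priv_lib.privileged.link_cmd.client_mode`. A tidier alternative is `mock.patch.object(priv_lib.privileged.link_cmd, 'client_mode', False)` as a context manager or `useFixture`, which removes the need for `_clean` altogether, but the one-line change keeps the hunk's structure. `test_get_link_vfs` continues outside the hunk.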