Remove rootwrap execution (3)

Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace every remaining
rootwrap call.

This patch migrates the execution of "ebtables" command to
privsep.

Story: #2007686
Task: #41558

Change-Id: I05deec2f021e1b146fa3f6f7f9b37084df06d59d
This commit is contained in:
Rodolfo Alonso Hernandez 2021-02-04 17:32:51 +00:00
parent 7928b0d755
commit a7bedd7428
3 changed files with 21 additions and 32 deletions


@ -1,11 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
ebtables: CommandFilter, ebtables, root


@ -233,4 +233,4 @@ NAMESPACE = None
def ebtables(comm, table='nat'):
execute = ip_lib.IPWrapper(NAMESPACE).netns.execute
return execute(['ebtables', '-t', table, '--concurrent'] + comm,
run_as_root=True)
run_as_root=True, privsep_exec=True)
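Review bot: With the rootwrap `ebtables: CommandFilter` deleted in this same commit, the `return execute(...)` line now hands `['ebtables', '-t', table, '--concurrent'] + comm` to a root-privileged privsep context whose command restrictions are not visible in this hunk, and neither `comm` nor `table` is checked here before being spliced into that argv. The function carries no docstring stating that contract, so a caller cannot tell from the signature that every element of `comm` becomes a root-executed argument. I would add `"""Run ebtables as root through privsep. `comm` is a list of argv tokens appended verbatim (never a shell string); callers must pass only trusted, pre-built arguments."""` immediately under `def ebtables(comm, table='nat'):`. Presumably the privsep context used by `execute` restricts what may run, but that cannot be confirmed from this hunk and is worth stating in the commit message for deployers who still ship the old filter file.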


@ -67,39 +67,39 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-L'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.ANY,
mock.ANY,
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-N',
'neutronMAC-%s' % vif, '-P', 'DROP'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.ANY,
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-A',
'PREROUTING', '-i', vif, '-j', mac_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-A',
mac_chain, '-i', vif,
'--among-src', '%s' % ','.join(sorted(mac_addresses)),
'-j', 'RETURN'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.ANY,
mock.ANY,
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-N',
spoof_chain, '-P', 'DROP'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F',
spoof_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
]
for addr in sorted(ip_addresses):
expected.extend([
@ -108,7 +108,7 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
'--arp-ip-src', addr, '-j', 'ACCEPT'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
])
expected.extend([
mock.ANY,
@ -117,7 +117,7 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
spoof_chain, '-p', 'ARP'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
])
arp_protect.setup_arp_spoofing_protection(vif, port)
@ -138,67 +138,67 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-L'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.ANY,
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-D',
'PREROUTING', '-i', VIF, '-j', spoof_chain,
'-p', 'ARP'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F',
spoof_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-X',
spoof_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.ANY,
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F',
mac_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-X',
mac_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-L'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.ANY,
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-D',
'FORWARD', '-i', VIF, '-j', spoof_chain,
'-p', 'ARP'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-F',
spoof_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-X',
spoof_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.ANY,
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-F',
mac_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-X',
mac_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
]
arp_protect.delete_arp_spoofing_protection([VIF])