Implement conntrack command privsep context

This context has only "CAP_NET_ADMIN" capability. Story: #2007686 Task: #42240 Change-Id: I8522c9c1e2243ea471d51fa50d04db476655e6d0
2021-04-09 15:25:07 +00:00 · 2021-04-09 15:25:07 +00:00 · f616f84e95
parent 3cee5f7201
commit f616f84e95
2 changed files with 10 additions and 2 deletions
--- a/neutron/privileged/init.py
+++ b/neutron/privileged/init.py
@ -54,3 +54,11 @@ namespace_cmd = priv_context.PrivContext(
    pypath=__name__ + '.namespace_cmd',
    capabilities=[caps.CAP_SYS_ADMIN]
 )
+
+
+conntrack_cmd = priv_context.PrivContext(
+    __name__,
+    cfg_section='privsep_conntrack',
+    pypath=__name__ + '.conntrack_cmd',
+    capabilities=[caps.CAP_NET_ADMIN]
+)
--- a/neutron/privileged/agent/linux/netlink_lib.py
+++ b/neutron/privileged/agent/linux/netlink_lib.py
@ -263,7 +263,7 @@ def _parse_entry(entry, ipversion, zone):
    return tuple(parsed_entry)


-@privileged.default.entrypoint
+@privileged.conntrack_cmd.entrypoint
 def list_entries(zone):
    """List and parse all conntrack entries in zone

@ -289,7 +289,7 @@ def list_entries(zone):
    return sorted(parsed_entries, key=lambda x: x[3])


-@privileged.default.entrypoint
+@privileged.conntrack_cmd.entrypoint
 def delete_entries(entries):
    """Delete selected entries