ebb0c5403b
This patch adjusts the FieldCheck class in the policy engine to allow a regex rule. It then leverages that to prevent users from setting the device_owner field to anything that starts with 'network:' on networks which they do not own. This policy adjustment is necessary because any ports with a device_owner that starts with 'network:' will not have any security group rules applied because it is assumed they are trusted network devices (e.g. router ports, DHCP ports, etc). These security rules include the anti-spoofing protection for DHCP, IPv6 ICMP messages, and IP headers. Without this policy adjustment, tenants can abuse this trust when connected to a shared network with other tenants by setting their VM port's device_owner field to 'network:<anything>' and hijack other tenants' traffic via DHCP spoofing or MAC/IP spoofing. Conflicts: etc/policy.json neutron/api/v2/attributes.py neutron/tests/etc/policy.json neutron/tests/unit/test_policy.py Closes-Bug: #1489111 Change-Id: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9 (cherry picked from commit 959a2f28cbbfc309381ea9ffb55090da6fb9c78f) |
||
|---|---|---|
| .. | ||
| init.d | ||
| neutron | ||
| api-paste.ini | ||
| dhcp_agent.ini | ||
| fwaas_driver.ini | ||
| l3_agent.ini | ||
| lbaas_agent.ini | ||
| metadata_agent.ini | ||
| metering_agent.ini | ||
| neutron.conf | ||
| policy.json | ||
| rootwrap.conf | ||
| services.conf | ||
| vpn_agent.ini | ||