oslo.privsep/oslo_privsep/tests/testctx.py
Angus Lees 5a00350935 Add support for Linux capabilities
This change adds a new `capabilities` kwarg to PrivContext, which
specifies the Linux capabilities to retain on the privileged side of
this context.  This allows the privileged daemon to be run as root but
with restricted permissions, or as not-root but still with some limited
superpowers.

A new `capabilities` config option is added to the context config
section that overrides the default capabilities for that context.  It is
expected that this will rarely be used.

Note that there is intentionally no way to specify "I want all
capabilities".

Change-Id: I61169d1d27609deb04115f4119654fd3d0690357
2015-11-13 15:40:40 +11:00


# Copyright 2015 Rackspace Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import os
from oslotest import base
from oslo_privsep import priv_context
import oslo_privsep.tests
from oslo_privsep.tests import fixture
# Module-level privsep context used by the test case below.
context = priv_context.PrivContext(
    # Entrypoints anywhere underneath the oslo_privsep.tests package are
    # permitted for this context.
    oslo_privsep.tests.__name__,
    # Dotted path to this object: this module's name plus '.context'.
    pypath=__name__ + '.context',
    # Deliberately an empty list: this is one of the rare contexts that
    # wants zero powers, so no Linux capabilities are named for the
    # privileged side to retain.
    capabilities=[],
)
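class TestContextTestCase(base.BaseTestCase):
    """Test case that installs the module-level privsep ``context``.

    ``setUp`` registers ``fixture.UnprivilegedPrivsepFixture(context)``
    through ``useFixture`` and stores the fixture's ``conf`` attribute on
    ``self.privsep_conf``.
    """

    def setUp(self):
        """Install the privsep fixture and keep its configuration."""
        super(TestContextTestCase, self).setUp()
        privsep_fixture = self.useFixture(
            fixture.UnprivilegedPrivsepFixture(context))
        self.privsep_conf = privsep_fixture.conf

    def assertNotMyPid(self, pid):
        """Assert that ``pid`` is a positive int other than our own pid.

        NOTE(review): presumably used to show that a call was served by a
        process other than the test runner -- confirm against callers.
        """
        self.assertIsInstance(pid, int)
        # assertGreater reports the offending value when it fails, which
        # assertTrue(pid > 0) does not.
        self.assertGreater(pid, 0)
        self.assertNotEqual(os.getpid(), pid)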