Allows nova to read files as root

* Adds a rootwrap filter to limit readable files * Adds a utils method to read a file as root * adds tests to verify the additions work Change-Id: Ic1ffb6f72f9b73795d5f39fac719842e6bdf16dd
2012-02-03 15:29:00 -08:00
parent e05a04614c
commit 0da1f5da22
2 changed files with 26 additions and 0 deletions
--- a/nova/rootwrap/filters.py
+++ b/nova/rootwrap/filters.py
@@ -123,3 +123,20 @@ class KillFilter(CommandFilter):
            # Incorrect PID
            return False
        return True
+
+
+class ReadFileFilter(CommandFilter):
+    """Specific filter for the utils.read_file_as_root call"""
+
+    def __init__(self, file_path, *args):
+        self.file_path = file_path
+        super(ReadFileFilter, self).__init__("/bin/cat", "root", *args)
+
+    def match(self, userargs):
+        if userargs[0] != 'cat':
+            return False
+        if userargs[1] != self.file_path:
+            return False
+        if len(userargs) != 2:
+            return False
+        return True
--- a/nova/tests/test_nova_rootwrap.py
+++ b/nova/tests/test_nova_rootwrap.py
@@ -93,6 +93,15 @@ class RootwrapTestCase(test.TestCase):
        # Providing -9 signal should work
        self.assertTrue(f.match(usercmd))

+    def test_ReadFileFilter(self):
+        goodfn = '/good/file.name'
+        f = filters.ReadFileFilter(goodfn)
+        usercmd = ['cat', '/bad/file']
+        self.assertFalse(f.match(['cat', '/bad/file']))
+        usercmd = ['cat', goodfn]
+        self.assertEqual(f.get_command(usercmd), ['/bin/cat', goodfn])
+        self.assertTrue(f.match(usercmd))
+
    def test_skips(self):
        # Check that all filters are skipped and that the last matches
        usercmd = ["cat", "/"]