author | Zuul <zuul@review.openstack.org> | 2018-05-12 12:46:30 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2018-05-12 12:46:30 +0000 |
commit | 9b632e29f145a4e56e12f0ef8f860b57c3231257 (patch) | |
tree | af395ec92421434f71825883b878e10a4fd37a7f | |
parent | 7fad1d99ef252cd20acc73a558945a639fc3b43e (diff) | |
parent | ed125c0c1cd6168cbf529c94ef81173dedce2726 (diff) | |
Merge "Make IpNetnsExecFilter more strict to detect aliases" 5.14.1
-rw-r--r-- | oslo_rootwrap/filters.py | 11 | ||||
-rw-r--r-- | oslo_rootwrap/tests/test_rootwrap.py | 11 |
2 files changed, 19 insertions, 3 deletions
diff --git a/oslo_rootwrap/filters.py b/oslo_rootwrap/filters.py
index 1950f02..c4c7abc 100644
--- a/oslo_rootwrap/filters.py
+++ b/oslo_rootwrap/filters.py
@@ -18,6 +18,10 @@ import re
 import shutil
 import sys
+NETNS_VARS = ('net', 'netn', 'netns')
+EXEC_VARS = ('e', 'ex', 'exe', 'exec')
+
+
 if sys.platform != 'win32':
 # NOTE(claudiub): pwd is a Linux-specific library, and currently there is
 # no Windows support for oslo.rootwrap.
@@ -274,8 +278,8 @@ class IpFilter(CommandFilter):
 if userargs[0] == 'ip':
 # Avoid the 'netns exec' command here
 for a, b in zip(userargs[1:], userargs[2:]):
- if a == 'netns':
- return (b != 'exec')
+ if a in NETNS_VARS:
+ return b not in EXEC_VARS
 else:
 return True
@@ -373,7 +377,8 @@ class IpNetnsExecFilter(ChainingFilter):
 if self.run_as != "root" or len(userargs) < 4:
 return False
- return (userargs[:3] == ['ip', 'netns', 'exec'])
+ return (userargs[0] == 'ip' and userargs[1] in NETNS_VARS
+ and userargs[2] in EXEC_VARS)
 def exec_args(self, userargs):
 args = userargs[4:]
diff --git a/oslo_rootwrap/tests/test_rootwrap.py b/oslo_rootwrap/tests/test_rootwrap.py
index bca5cf9..ad923a5 100644
--- a/oslo_rootwrap/tests/test_rootwrap.py
+++ b/oslo_rootwrap/tests/test_rootwrap.py
@@ -328,6 +328,8 @@ class RootwrapTestCase(testtools.TestCase):
 self.assertFalse(f.match(['ip', 'netns', 'exec']))
 self.assertFalse(f.match(['ip', '-s', 'netns', 'exec']))
 self.assertFalse(f.match(['ip', '-l', '42', 'netns', 'exec']))
+ self.assertFalse(f.match(['ip', 'net', 'exec', 'foo']))
+ self.assertFalse(f.match(['ip', 'netns', 'e', 'foo']))
 def _test_IpFilter_netns_helper(self, action):
 f = filters.IpFilter(self._ip, 'root')
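Review bot: The two module-level tuples added in the first filters.py hunk, `NETNS_VARS` and `EXEC_VARS`, have no comment saying what they enumerate or why several prefixes are listed. Both filters changed further down now depend on these lists being complete; presumably they are the abbreviations of `netns` and `exec` that the `ip` tool accepts, and they would need revisiting if that tool's abbreviation rules change. I would add above them `# Spellings of 'netns' and 'exec' accepted by the ip command; IpFilter and IpNetnsExecFilter rely on these lists being complete.`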
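Review bot: In the `IpFilter.match` hunk the loop still returns at the first element found in `NETNS_VARS`, whatever follows it, so any later pair in `userargs` is never compared against `EXEC_VARS`. Widening the first test from one literal to three short strings makes that early exit easier to reach with an unrelated argument value. Rejecting only on a matching pair and letting the loop's existing `else` return True removes the dependency on position: `if a in NETNS_VARS and b in EXEC_VARS:` followed by `return False`. The body of `match` starts and ends outside the hunk, so the branches for other commands are not visible here.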
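Review bot: The two assertions added to the IpFilter exec test each abbreviate only one of the two words and place the pair directly after `ip`. No case has both words abbreviated, and none puts an abbreviated pair behind options, which is the form the neighbouring `-s` and `-l 42` assertions cover for the full spelling. Adding `self.assertFalse(f.match(['ip', '-s', 'net', 'e', 'foo']))` would pin that the pair scan applies the alias lists at any position. The test method starts outside the hunk.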
@@ -346,10 +348,19 @@ class RootwrapTestCase(testtools.TestCase):
 f = filters.IpNetnsExecFilter(self._ip, 'root')
 self.assertTrue(
 f.match(['ip', 'netns', 'exec', 'foo', 'ip', 'link', 'list']))
+ self.assertTrue(f.match(['ip', 'net', 'exec', 'foo', 'bar']))
+ self.assertTrue(f.match(['ip', 'netn', 'e', 'foo', 'bar']))
+ self.assertTrue(f.match(['ip', 'net', 'e', 'foo', 'bar']))
+ self.assertTrue(f.match(['ip', 'net', 'exe', 'foo', 'bar']))
 def test_IpNetnsExecFilter_nomatch(self):
 f = filters.IpNetnsExecFilter(self._ip, 'root')
 self.assertFalse(f.match(['ip', 'link', 'list']))
+ self.assertFalse(f.match(['ip', 'foo', 'bar', 'netns']))
+ self.assertFalse(f.match(['ip', '-s', 'netns', 'exec']))
+ self.assertFalse(f.match(['ip', '-l', '42', 'netns', 'exec']))
+ self.assertFalse(f.match(['ip', 'netns exec', 'foo', 'bar', 'baz']))
+ self.assertFalse(f.match([]))
 # verify that at least a NS is given
 self.assertFalse(f.match(['ip', 'netns', 'exec'])) |