authorDavid Vallee Delisle <dvd@redhat.com>2022-01-05 12:36:04 -0500
committerDavid Vallee Delisle <dvd@redhat.com>2022-01-13 08:45:09 -0500
commit1b1b960d0d6b0ddf63c5b0f9c6aa7c10a1914073 (patch)
tree929a3317fa11616c15386f762d000c558775c274
parent25fcff997b3eb0f0282e0a05f722c5efb80fab68 (diff)
CommandFilter should allow exec from full path6.3.1
The current logic prevents using a full path as an argument. We can't just compare basename to basename, as that would allow passing bogus paths. We need to make sure that a full path passed in is compared to the config's full path. Closes-Bug: #1956606 Change-Id: I76094065de5b37f59a2500fbce7f500ada9915da
-rw-r--r--oslo_rootwrap/filters.py6
-rw-r--r--oslo_rootwrap/tests/test_functional.py8
2 files changed, 13 insertions, 1 deletions
diff --git a/oslo_rootwrap/filters.py b/oslo_rootwrap/filters.py
index bcb03ac..8d7bf0e 100644
--- a/oslo_rootwrap/filters.py
+++ b/oslo_rootwrap/filters.py
@@ -74,7 +74,11 @@ class CommandFilter(object):
def match(self, userargs):
"""Only check that the first argument (command) matches exec_path."""
- return userargs and os.path.basename(self.exec_path) == userargs[0]
+ if userargs:
+ base_path_matches = os.path.basename(self.exec_path) == userargs[0]
+ exact_path_matches = self.exec_path == userargs[0]
+ return exact_path_matches or base_path_matches
+ return False
def preexec(self):
"""Setuid in subprocess right before command is invoked."""
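Review bot: The docstring on `match` still says only that the first argument matches exec_path, and nothing in the new body records why the full-path branch is a verbatim string comparison. I would change the docstring to `"""Accept the command given as exec_path's basename or as exec_path verbatim."""` and add above `exact_path_matches` the comment `# Compare the full path as-is; basename(userargs[0]) would authorize the same name in any directory.` Because the check is plain equality, a non-normalized spelling of the configured path is rejected, which is the safe direction, and a filter whose exec_path is configured as a bare name would presumably still reject a full path; both are worth stating in the docstring. Which executable is finally run, and whether subclasses that override `match` get the same treatment, is decided outside this hunk.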
diff --git a/oslo_rootwrap/tests/test_functional.py b/oslo_rootwrap/tests/test_functional.py
index 42c33c4..941e069 100644
--- a/oslo_rootwrap/tests/test_functional.py
+++ b/oslo_rootwrap/tests/test_functional.py
@@ -89,6 +89,14 @@ later_install_cmd: CommandFilter, %s, root
self.assertEqual(expect_out, out)
self.assertEqual(expect_err, err)
+ def test_run_with_path(self):
+ code, out, err = self.execute(['/bin/echo', 'teststr'])
+ self.assertEqual(0, code)
+
+ def test_run_with_bogus_path(self):
+ code, out, err = self.execute(['/home/bob/bin/echo', 'teststr'])
+ self.assertEqual(cmd.RC_UNAUTHORIZED, code)
+
def test_run_command_not_found(self):
code, out, err = self.execute(['unknown_cmd'])
self.assertEqual(cmd.RC_NOEXECFOUND, code)
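Review bot: `test_run_with_path` asserts only the return code, so it would still pass if the command's output were lost; assuming `execute` returns the child's stdout as the assertions just above suggest, add `self.assertEqual('teststr\n', out)`. `test_run_with_bogus_path` covers the same basename in a different directory, but there is no case for a non-normalized spelling of the allowed path, which the equality check in `CommandFilter.match` should also refuse. A third test asserting `cmd.RC_UNAUTHORIZED` for such a path would pin the fail-closed behaviour. The filter configuration these tests rely on is outside the hunk, so the assumption that the echo filter is configured with the full path `/bin/echo` should be confirmed there.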