authorSean Dague <sean@dague.net>2016-07-19 13:33:44 -0700
committerSean Dague <sean@dague.net>2016-07-20 15:56:31 -0700
commit37c2a041d33f0fdce7ce2832398c1f60f3ee8703 (patch)
treecc07f66ae6d93e919b1aba92461caf5ccb6d2b57 /oslo_rootwrap
parent5e5ed2e1338da7eae86f6e661e97c26da5135a13 (diff)
downloadoslo-rootwrap-37c2a041d33f0fdce7ce2832398c1f60f3ee8703.tar.gz
always allow privsep-helper as a command5.0.0
To support the seamless transition from oslo.rootwrap to oslo.privsep across multiple projects: nova, neutron, cinder, and libraries os-vif, os-brick we need to be able to execute privsep-helper as root from rootwrap. Rootwrap's use of etc (by default) for rules makes the upgrade path very manual for operators. Given that every project is going to add the same privsep-helper rule at some point over the next few cycles, instead of making every project have to have a manual update process, we just whitelist privsep-helper. This will immediately make it available for all, and upgrades become far more seamless. Change-Id: If8b60f2d671b9d12c58226019d787917efaedd9c
Diffstat (limited to 'oslo_rootwrap')
-rw-r--r--oslo_rootwrap/tests/test_rootwrap.py16
-rw-r--r--oslo_rootwrap/wrapper.py4
2 files changed, 20 insertions, 0 deletions
diff --git a/oslo_rootwrap/tests/test_rootwrap.py b/oslo_rootwrap/tests/test_rootwrap.py
index 3bd2a76..52dfaf9 100644
--- a/oslo_rootwrap/tests/test_rootwrap.py
+++ b/oslo_rootwrap/tests/test_rootwrap.py
@@ -29,6 +29,22 @@ from oslo_rootwrap import subprocess
from oslo_rootwrap import wrapper
+class RootwrapLoaderTestCase(testtools.TestCase):
+
+ def test_privsep_in_loader(self):
+ privsep = ["privsep-helper", "--context", "foo"]
+ filterlist = wrapper.load_filters([])
+
+ # mock out get_exec because
+ with mock.patch.object(filters.CommandFilter, 'get_exec') as ge:
+ ge.return_value = "/fake/privsep-helper"
+ filtermatch = wrapper.match_filter(filterlist, privsep)
+
+ self.assertIsNotNone(filtermatch)
+ self.assertEqual(filtermatch.get_command(privsep),
+ ["/fake/privsep-helper", "--context", "foo"])
+
+
class RootwrapTestCase(testtools.TestCase):
if os.path.exists('/sbin/ip'):
_ip = '/sbin/ip'
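Review bot: The comment `# mock out get_exec because` in test_privsep_in_loader stops mid-sentence, so the reason for the patch is not recorded. Something like `# mock out get_exec: privsep-helper may not be installed where the tests run` would complete it (presumably that is the reason; confirm with the author). The test also covers only the accepted case. A second assertion that another command, checked against `load_filters([])`, is still rejected would pin down that the built-in rule allows privsep-helper and nothing else.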
diff --git a/oslo_rootwrap/wrapper.py b/oslo_rootwrap/wrapper.py
index 2846011..cd7a253 100644
--- a/oslo_rootwrap/wrapper.py
+++ b/oslo_rootwrap/wrapper.py
@@ -125,6 +125,10 @@ def load_filters(filters_path):
continue
newfilter.name = name
filterlist.append(newfilter)
+ # And always include privsep-helper
+ privsep = build_filter("CommandFilter", "privsep-helper", "root")
+ privsep.name = "privsep-helper"
+ filterlist.append(privsep)
return filterlist
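Review bot: The filter appended at the end of load_filters is unconditional and unconstrained. It is added even when `filters_path` is empty (the new test relies on this), it is a plain `CommandFilter` with no argument restrictions, and an operator cannot remove it through the filter files. Every account allowed to invoke rootwrap can therefore run privsep-helper as root with any arguments, so the trust boundary moves from the operator-reviewed rules to this line. The command is also given as a bare name, so which binary runs appears to depend on how `get_exec` resolves it; the executable search directories should be documented as needing to be root-writable only. At minimum, state this in the code, e.g. `# SECURITY: built-in rule, not operator-controlled; allows privsep-helper as root with any arguments for all rootwrap callers`, and consider a configuration switch to disable it. The body of load_filters begins outside this hunk, so the ordering relative to operator-defined filters could not be checked here.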