Block localhost shell tasks in untrusted playbooks

Zuul was designed to block local code execution in untrusted environments to not only rely on bwrap to contain a job. This got broken since the creation of a command plugin that injects the zuul_job_id which is required for log streaming. However this plugin doesn't do a check if the task is a localhost task. Further it is required in trusted and untrusted environments due to log streaming. Thus we need to fork this plugin and restrict the variant that is used in untrusted environments. We do this by moving actiongeneral/command.py back to action/*. We further introduce a new catecory actiontrusted which gets the unrestricted version of this plugin. Change-Id: If81cc46bcae466f4c071badf09a8a88469ae6779 Story: 2007935 Task: 40391
author: Tobias Henkel <tobias.henkel@bmw.de> 2020-07-20 18:12:07 +0200
committer: Tobias Henkel <tobias.henkel@bmw.de> 2020-07-21 19:20:24 +0200
commit: 49fe527edb2c27f67c074be72e3fb6d665400de7 (patch)
tree: 2e851a40b29cbe15ca9a36b92f6cfe728d0eb3d8 /zuul/ansible/2.8/actiongeneral/command.pyi
parent: 6161ad75a83cd8e8c3bd347ea7f40b0e2d6b5c33 (diff)
download: zuul-49fe527edb2c27f67c074be72e3fb6d665400de7.tar.gz
1 files changed, 0 insertions, 1 deletions
diff --git a/zuul/ansible/2.8/actiongeneral/command.pyi b/zuul/ansible/2.8/actiongeneral/command.pyi
deleted file mode 120000
index 81305dd03..000000000
--- a/zuul/ansible/2.8/actiongeneral/command.pyi
+++ /dev/null
@@ -1 +0,0 @@
-../../base/actiongeneral/command.pyi
-\ No newline at end of file
author	Tobias Henkel <tobias.henkel@bmw.de>	2020-07-20 18:12:07 +0200
committer	Tobias Henkel <tobias.henkel@bmw.de>	2020-07-21 19:20:24 +0200
commit	49fe527edb2c27f67c074be72e3fb6d665400de7 (patch)
tree	2e851a40b29cbe15ca9a36b92f6cfe728d0eb3d8 /zuul/ansible/2.8/actiongeneral/command.pyi
parent	6161ad75a83cd8e8c3bd347ea7f40b0e2d6b5c33 (diff)
download	zuul-49fe527edb2c27f67c074be72e3fb6d665400de7.tar.gz