openstack/neutron
Code Issues Proposed changes

Remove rootwrap execution (3)

Browse Source 
Replace rootwrap execution with privsep context execution.
This series of patches will progressively replace any
rootwrap call.

This patch migrates the execution of "ebtables" command to
privsep.

Story: #2007686
Task: #41558

Change-Id: I05deec2f021e1b146fa3f6f7f9b37084df06d59d
This commit is contained in:
Rodolfo Alonso Hernandez 2021-02-04 17:32:51 +00:00
parent 7928b0d755
commit a7bedd7428
3 changed files with 21 additions and 32 deletions
etc/neutron/rootwrap.d
ebtables.filters
neutron
plugins/ml2/drivers/linuxbridge/agent
arp_protect.py
tests/unit/plugins/ml2/drivers/linuxbridge/agent
test_arp_protect.py

11
etc/neutron/rootwrap.d/ebtables.filters

@ -1,11 +0,0 @@
# neutron-rootwrap command filters for nodes on which neutron is
# expected to control network
#
# This file should be owned by (and only-writeable by) the root user
# format seems to be
# cmd-name: filter-name, raw-command, user, args
[Filters]
ebtables: CommandFilter, ebtables, root

2
neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py

@ -233,4 +233,4 @@ NAMESPACE = None
def ebtables(comm, table='nat'):
execute = ip_lib.IPWrapper(NAMESPACE).netns.execute
return execute(['ebtables', '-t', table, '--concurrent'] + comm,
run_as_root=True)
run_as_root=True, privsep_exec=True)

40
neutron/tests/unit/plugins/ml2/drivers/linuxbridge/agent/test_arp_protect.py

@ -67,39 +67,39 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-L'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.ANY,
mock.ANY,
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-N',
'neutronMAC-%s' % vif, '-P', 'DROP'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.ANY,
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-A',
'PREROUTING', '-i', vif, '-j', mac_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-A',
mac_chain, '-i', vif,
'--among-src', '%s' % ','.join(sorted(mac_addresses)),
'-j', 'RETURN'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.ANY,
mock.ANY,
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-N',
spoof_chain, '-P', 'DROP'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F',
spoof_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
]
for addr in sorted(ip_addresses):
expected.extend([
@ -108,7 +108,7 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
'--arp-ip-src', addr, '-j', 'ACCEPT'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
])
expected.extend([
mock.ANY,
@ -117,7 +117,7 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
spoof_chain, '-p', 'ARP'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
])
arp_protect.setup_arp_spoofing_protection(vif, port)
@ -138,67 +138,67 @@ class TestLinuxBridgeARPSpoofing(base.BaseTestCase):
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-L'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.ANY,
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-D',
'PREROUTING', '-i', VIF, '-j', spoof_chain,
'-p', 'ARP'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F',
spoof_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-X',
spoof_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.ANY,
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-F',
mac_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'nat', '--concurrent', '-X',
mac_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-L'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.ANY,
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-D',
'FORWARD', '-i', VIF, '-j', spoof_chain,
'-p', 'ARP'],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-F',
spoof_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-X',
spoof_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.ANY,
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-F',
mac_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
mock.call(['ebtables', '-t', 'filter', '--concurrent', '-X',
mac_chain],
check_exit_code=True, extra_ok_codes=None,
log_fail_as_error=True, run_as_root=True,
privsep_exec=False),
privsep_exec=True),
]
arp_protect.delete_arp_spoofing_protection([VIF])