Kevin Benton bbca973986 Stop device_owner from being set to 'network:*' ...

This patch adjusts the FieldCheck class in the policy engine to
allow a regex rule. It then leverages that to prevent users from
setting the device_owner field to anything that starts with
'network:' on networks which they do not own.

This policy adjustment is necessary because any ports with a
device_owner that starts with 'network:' will not have any security
group rules applied because it is assumed they are trusted network
devices (e.g. router ports, DHCP ports, etc). These security rules
include the anti-spoofing protection for DHCP, IPv6 ICMP messages,
and IP headers.

Without this policy adjustment, tenants can abuse this trust when
connected to a shared network with other tenants by setting their
VM port's device_owner field to 'network:<anything>' and hijack other
tenants' traffic via DHCP spoofing or MAC/IP spoofing.

Closes-Bug: #1489111
Change-Id: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9

2015-09-08 15:00:13 +00:00

..

init.d

Rename to Neutron in sample init.d script

2013-07-13 16:55:55 -04:00

neutron

Merge "Adds support to provide the csum option for the OVS tunnels"

2015-09-06 22:14:46 +00:00

api-paste.ini

Drop use of 'oslo' namespace package

2015-04-28 22:08:39 +00:00

dhcp_agent.ini

Add dns_label processing for Ports

2015-08-24 17:26:35 -05:00

l3_agent.ini

Deprecate external_network_bridge option in L3 agent

2015-09-01 20:41:54 -07:00

metadata_agent.ini

Fix a property comment in metadata_agent files

2015-07-23 11:20:01 +02:00

metering_agent.ini

Deprecate use_namespaces option

2015-03-24 10:46:03 -04:00

neutron.conf

Merge "Add support for PluginWorker and Process creation notification"

2015-09-04 05:02:52 +00:00

policy.json

Stop device_owner from being set to 'network:*'

2015-09-08 15:00:13 +00:00

rootwrap.conf

Update rootwrap.conf to add /usr/local/sbin

2015-08-21 19:23:18 +01:00