Add patches to drop use of setuid and fchownat
Drop use of setuid and fchownat as they're not covered by any current plugs and the code isn't required because in strict mode everything runs as root. Change-Id: Ic4f0dd6029c869595e35adc343d55e35d50e0d33
parent
753a8077f3
commit
e8173abb91
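--- a/patches/drop-setuid-from-neutron.patch
+++ b/patches/drop-setuid-from-neutron.patch
@@ -0,0 +1,22 @@
+Description: Drop code where neutron drops privileges from root.
+This code isn't required because in strict mode we run everything
+as root:root and setuid is not allowed by the current plugs.
+Author: Corey Bryant <corey.bryant@canonical.com>
+Forwarded: no
+
+---
+neutron/agent/linux/daemon.py | 1 -
+1 file changed, 1 deletion(-)
+
+diff --git a/neutron/agent/linux/daemon.py b/neutron/agent/linux/daemon.py
+index 6ad9ee3c8..23218eace 100644
+--- a/neutron/agent/linux/daemon.py
++++ b/neutron/agent/linux/daemon.py
+@@ -255,4 +255,3 @@ class Daemon(object):
+"""
+if not self.watch_log:
+unwatch_log()
+- drop_privileges(self.user, self.group)
+--
+2.11.0
+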
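Review bot: Removing `drop_privileges(self.user, self.group)` unconditionally means any user or group an operator configures for the daemon is now silently ignored and the process stays root, with the snap's confinement as the only remaining boundary. The patch description ties this to strict mode, but nothing in the patched code checks that assumption, so a devmode or classic build of the same tree would also keep full root. I would leave a trace for the operator instead of a bare deletion, for example `if self.user or self.group: LOG.warning("user/group ignored: privilege drop is disabled in this build")`, assuming the module has a logger in scope (not visible here). The enclosing method of `Daemon` starts outside the quoted hunk, so whether anything after this point depends on the reduced uid cannot be confirmed from the page.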
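--- a/patches/drop-use-of-fchownat.patch
+++ b/patches/drop-use-of-fchownat.patch
@@ -0,0 +1,25 @@
+Description: Drop code that uses fchownat syscall as it's not covered
+by any relevant plugs. This code isn't required because in strict
+mode we run everything as root:root.
+Author: Corey Bryant <corey.bryant@canonical.com>
+Forwarded: no
+
+---
+nova/virt/libvirt/driver.py | 1 -
+1 file changed, 1 deletion(-)
+
+diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
+index 0e8fe070..dfcb64bc 100644
+--- a/nova/virt/libvirt/driver.py
++++ b/nova/virt/libvirt/driver.py
+@@ -2732,7 +2732,6 @@ class LibvirtDriver(driver.ComputeDriver):
+i = 0 # in case there is a log rotation (like "virtlogd")
+path = console_log
+while bytes_to_read > 0 and os.path.exists(path):
+- libvirt_utils.chown(path, os.getuid())
+with libvirt_utils.file_open(path, 'rb') as fp:
+read_log_data, remaining = utils.last_bytes(fp, bytes_to_read)
+# We need the log file content in chronological order,
+--
+2.11.0
+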
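Review bot: With `libvirt_utils.chown(path, os.getuid())` gone, the following `libvirt_utils.file_open(path, 'rb')` succeeds only if the process can already read a console log that was presumably created by another process. That holds for uid 0 with DAC override, but whether the confinement profile leaves that capability in place is not shown here, and a failure would surface as an unhandled error inside the `while` loop. The Description should state the precondition explicitly, e.g. add `Console logs are read without changing ownership; nova-compute must run as uid 0 with read access to the instance directory.`, so the next rebase does not carry the patch into a build where it no longer holds. The loop body continues past the end of the quoted hunk.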
@ -231,6 +231,8 @@ parts:
|
|||||||
export SNAP_ROOT="../../../"
|
export SNAP_ROOT="../../../"
|
||||||
export SNAP_SITE_PACKAGES="$SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages"
|
export SNAP_SITE_PACKAGES="$SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages"
|
||||||
patch -d $SNAP_SITE_PACKAGES -p1 < $SNAP_ROOT/patches/oslo-config-dirs.patch
|
patch -d $SNAP_SITE_PACKAGES -p1 < $SNAP_ROOT/patches/oslo-config-dirs.patch
|
||||||
|
patch -d $SNAP_SITE_PACKAGES -p1 < $SNAP_ROOT/patches/drop-setuid-from-neutron.patch
|
||||||
|
patch -d $SNAP_SITE_PACKAGES -p1 < $SNAP_ROOT/patches/drop-use-of-fchownat.patch
|
||||||
templates:
|
templates:
|
||||||
after: [nova]
|
after: [nova]
|
||||||
plugin: dump
|
plugin: dump
|
||||||
|
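Review bot: The two added `patch` invocations apply security-relevant one-line deletions with GNU patch's default fuzz, so after an upstream neutron or nova update a hunk can still apply when its surrounding context no longer matches. Both patches are marked `Forwarded: no` and pinned to specific offsets, so drift is expected over time, and the build should stop rather than guess. I would pass `--fuzz=0` and quote the expansions, e.g. `patch -d "$SNAP_SITE_PACKAGES" -p1 --fuzz=0 < "$SNAP_ROOT/patches/drop-setuid-from-neutron.patch"`, and the same for `drop-use-of-fchownat.patch`. Whether a failing `patch` aborts the part build depends on the shell's error handling, which is outside this hunk.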