Fix rootwrap filter for dnsmasq when no namespace is used

Fixes bug 1055384

Change-Id: I98381299f28da0e4c443efd4c22ba551022e0288
Gary Kotton 2012-09-24 12:31:27 +00:00
parent 1a2467ba6d
commit 43f6bbb302
3 changed files with 38 additions and 13 deletions


@ -9,7 +9,7 @@
[Filters] [Filters]
# dhcp-agent # dhcp-agent
ip_exec_dnsmasq: DnsmasqFilter, /sbin/ip, root ip_exec_dnsmasq: DnsmasqNetnsFilter, /sbin/ip, root
dnsmasq: DnsmasqFilter, /sbin/dnsmasq, root dnsmasq: DnsmasqFilter, /sbin/dnsmasq, root
dnsmasq_usr: DnsmasqFilter, /usr/sbin/dnsmasq, root dnsmasq_usr: DnsmasqFilter, /usr/sbin/dnsmasq, root
# dhcp-agent uses kill as well, that's handled by the generic KillFilter # dhcp-agent uses kill as well, that's handled by the generic KillFilter
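Review bot: The `ip_exec_dnsmasq` entry now only works together with the new `DnsmasqNetnsFilter` class, and nothing in this file says so. After this commit `DnsmasqFilter.match` no longer accepts the `ip netns exec` form, so a deployment that upgrades the code but keeps an older copy of this filter file would presumably have its namespaced dnsmasq launches denied by rootwrap. That failure is closed rather than open, but it is worth a comment above the entry, for example `# ip_exec_dnsmasq covers "ip netns exec <ns> dnsmasq"; requires DnsmasqNetnsFilter`, and a release note telling operators to refresh the installed filter file.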


@ -81,23 +81,17 @@ class DnsmasqFilter(CommandFilter):
return True return True
return False return False
def is_ip_netns_cmd(self, argv): def is_dnsmasq_env_vars(self, argv):
if ((argv[0] == "ip") and if (argv[0].startswith("QUANTUM_RELAY_SOCKET_PATH=") and
(argv[1] == "netns") and argv[1].startswith("QUANTUM_NETWORK_ID=")):
(argv[2] == "exec")):
return True return True
return False return False
def match(self, userargs): def match(self, userargs):
"""This matches the combination of the leading env """This matches the combination of the leading env
vars, plus either "dnsmasq" (for the case where we're vars plus "dnsmasq" """
not using netns) or "ip" "netns" "exec" <foo> "dnsmasq" if (self.is_dnsmasq_env_vars(userargs) and
(for the case where we are)""" self.is_dnsmasq_cmd(userargs[2:])):
if ((userargs[0].startswith("QUANTUM_RELAY_SOCKET_PATH=") and
userargs[1].startswith("QUANTUM_NETWORK_ID=") and
(self.is_dnsmasq_cmd(userargs[2:]) or
(self.is_ip_netns_cmd(userargs[2:]) and
self.is_dnsmasq_cmd(userargs[6:]))))):
return True return True
return False return False
@ -111,6 +105,26 @@ class DnsmasqFilter(CommandFilter):
return env return env
class DnsmasqNetnsFilter(DnsmasqFilter):
"""Specific filter for the dnsmasq call (which includes env)"""
def is_ip_netns_cmd(self, argv):
if ((argv[0] == "ip") and
(argv[1] == "netns") and
(argv[2] == "exec")):
return True
return False
def match(self, userargs):
"""This matches the combination of the leading env
vars plus "ip" "netns" "exec" <foo> "dnsmasq" """
if (self.is_dnsmasq_env_vars(userargs) and
self.is_ip_netns_cmd(userargs[2:]) and
self.is_dnsmasq_cmd(userargs[6:])):
return True
return False
class KillFilter(CommandFilter): class KillFilter(CommandFilter):
"""Specific filter for the kill calls. """Specific filter for the kill calls.
1st argument is the user to run /bin/kill under 1st argument is the user to run /bin/kill under
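Review bot: `DnsmasqNetnsFilter.match` and the helpers it calls index `userargs` at fixed positions without checking its length, so a short or malformed argument list raises IndexError instead of returning False. For example, `is_ip_netns_cmd(userargs[2:])` reads `argv[1]` and `argv[2]` as soon as `argv[0] == "ip"`, and `is_dnsmasq_env_vars` reads `argv[0]` even on an empty list. How the rootwrap caller treats an exception raised from `match` is not visible here, but a filter on a privilege boundary should reject cleanly in any case. A slice comparison is length-safe: `return argv[:3] == ["ip", "netns", "exec"]`, with `if len(userargs) < 7: return False` at the top of `match`. The namespace argument at `userargs[5]` is not validated by this filter, and the docstring should say so, so that readers know whether that is intentional.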


@ -65,6 +65,17 @@ class RootwrapTestCase(unittest.TestCase):
self.assertEqual(env.get('QUANTUM_RELAY_SOCKET_PATH'), 'A') self.assertEqual(env.get('QUANTUM_RELAY_SOCKET_PATH'), 'A')
self.assertEqual(env.get('QUANTUM_NETWORK_ID'), 'foobar') self.assertEqual(env.get('QUANTUM_NETWORK_ID'), 'foobar')
def test_DnsmasqNetnsFilter(self):
usercmd = ['QUANTUM_RELAY_SOCKET_PATH=A', 'QUANTUM_NETWORK_ID=foobar',
'ip', 'netns', 'exec', 'foo', 'dnsmasq', 'foo']
f = filters.DnsmasqNetnsFilter("/sbin/ip", "root")
self.assertTrue(f.match(usercmd))
self.assertEqual(f.get_command(usercmd), ['/sbin/ip', 'netns', 'exec',
'foo', 'dnsmasq', 'foo'])
env = f.get_environment(usercmd)
self.assertEqual(env.get('QUANTUM_RELAY_SOCKET_PATH'), 'A')
self.assertEqual(env.get('QUANTUM_NETWORK_ID'), 'foobar')
def test_KillFilter(self): def test_KillFilter(self):
p = utils.subprocess_popen(["/bin/sleep", "5"]) p = utils.subprocess_popen(["/bin/sleep", "5"])
f = filters.KillFilter("root", "/bin/sleep", "-9", "-HUP") f = filters.KillFilter("root", "/bin/sleep", "-9", "-HUP")
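Review bot: `test_DnsmasqNetnsFilter` only asserts the accepting case, so nothing pins what the two filters must now reject. Since the commit separates the namespaced and plain forms, add a check that the netns filter refuses the plain form, `self.assertFalse(f.match(['QUANTUM_RELAY_SOCKET_PATH=A', 'QUANTUM_NETWORK_ID=foobar', 'dnsmasq', 'foo']))`, and a matching `assertFalse` that `DnsmasqFilter` no longer matches the `ip netns exec` command list. A case where the command after `ip netns exec foo` is something other than `dnsmasq` would also guard against the filter being widened later. `test_KillFilter` at the end of the hunk continues outside it.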