authorDirk Mueller <dirk@dmllr.de>2013-06-19 00:08:57 +0200
committerDirk Mueller <dirk@dmllr.de>2013-06-20 14:36:43 +0200
commit3e74c0017e0b1ab209bc066cc0cec6c151b69b83 (patch)
tree22481be81a272bd94a9bc28a9a4baeff0c333852 /openstack/common/rootwrap/wrapper.py
parentfb13686a00e933c17bca163b51fb3d7119d34e5a (diff)
Add IpFilter, IPNetnsExecFilter and EnvFilter
These filters have been implemented in Quantum before: - IpFilter provides support for filtering ip commands - IpNetnsExecFilter is a chaining command filter that verifies that the command to be executed by ip netns exec is covered by other established filters. IpNetnsExecFilter has been restricted to ensure that the filter chains have all matching filters run as the same user. EnvFilter is a new filter derived from CommandFilter that allows a Command to be optionally prefixed by "env" and a specific list of environment variables. This is intended to replace the specific DnsmasqFilter and DnsmasqNetnsFilter in the future when all consumers have been updated. Implements bp rootwrap-quantum-features Change-Id: I0cf39967126e99a8dc53d21bee824a0fe2f63aa0
Diffstat (limited to 'openstack/common/rootwrap/wrapper.py')
-rw-r--r--openstack/common/rootwrap/wrapper.py14
1 files changed, 14 insertions, 0 deletions
diff --git a/openstack/common/rootwrap/wrapper.py b/openstack/common/rootwrap/wrapper.py
index 5390c1b..df1a9f4 100644
--- a/openstack/common/rootwrap/wrapper.py
+++ b/openstack/common/rootwrap/wrapper.py
@@ -131,6 +131,20 @@ def match_filter(filter_list, userargs, exec_dirs=[]):
for f in filter_list:
if f.match(userargs):
+ if isinstance(f, filters.ChainingFilter):
+ # This command calls exec verify that remaining args
+ # matches another filter.
+ def non_chain_filter(fltr):
+ return (fltr.run_as == f.run_as
+ and not isinstance(fltr, filters.ChainingFilter))
+
+ leaf_filters = [fltr for fltr in filter_list
+ if non_chain_filter(fltr)]
+ args = f.exec_args(userargs)
+ if (not args or not match_filter(leaf_filters,
+ args, exec_dirs=exec_dirs)):
+ continue
+
# Try other filters if executable is absent
if not f.get_exec(exec_dirs=exec_dirs):
if not first_not_executable_filter: