diff options
| author | Jenkins <jenkins@review.openstack.org> | 2013-04-03 00:01:28 +0000 |
|---|---|---|
| committer | Gerrit Code Review <review@openstack.org> | 2013-04-03 00:01:28 +0000 |
| commit | fcf2fdff0a9a70b4cf21c500cf704667c649a04f (patch) | |
| tree | c2220af17c3eeeda616885574391517d86b248c2 /openstack | |
| parent | fc777f1f79418c7400acd3b2b6628f1d7d5f073d (diff) | |
| parent | ae0b2762e2f467d4d3389859a602650384a2c14e (diff) | |
| download | oslo-fcf2fdff0a9a70b4cf21c500cf704667c649a04f.tar.gz oslo-fcf2fdff0a9a70b4cf21c500cf704667c649a04f.tar.xz oslo-fcf2fdff0a9a70b4cf21c500cf704667c649a04f.zip | |
Merge "Add PathFilter to rootwrap."
Diffstat (limited to 'openstack')
| -rw-r--r-- | openstack/common/rootwrap/filters.py | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/openstack/common/rootwrap/filters.py b/openstack/common/rootwrap/filters.py index eadda25..d9618af 100644 --- a/openstack/common/rootwrap/filters.py +++ b/openstack/common/rootwrap/filters.py @@ -88,6 +88,52 @@ class RegExpFilter(CommandFilter): return False +class PathFilter(CommandFilter): + """Command filter checking that path arguments are within given dirs + + One can specify the following constraints for command arguments: + 1) pass - pass an argument as is to the resulting command + 2) some_str - check if an argument is equal to the given string + 3) abs path - check if a path argument is within the given base dir + + A typical rootwrapper filter entry looks like this: + # cmdname: filter name, raw command, user, arg_i_constraint [, ...] + chown: PathFilter, /bin/chown, root, nova, /var/lib/images + + """ + + def match(self, userargs): + command, arguments = userargs[0], userargs[1:] + + equal_args_num = len(self.args) == len(arguments) + exec_is_valid = super(PathFilter, self).match(userargs) + args_equal_or_pass = all( + arg == 'pass' or arg == value + for arg, value in zip(self.args, arguments) + if not os.path.isabs(arg) # arguments not specifying abs paths + ) + paths_are_within_base_dirs = all( + os.path.commonprefix([arg, os.path.realpath(value)]) == arg + for arg, value in zip(self.args, arguments) + if os.path.isabs(arg) # arguments specifying abs paths + ) + + return (equal_args_num and + exec_is_valid and + args_equal_or_pass and + paths_are_within_base_dirs) + + def get_command(self, userargs, exec_dirs=[]): + command, arguments = userargs[0], userargs[1:] + + # convert path values to canonical ones; copy other args as is + args = [os.path.realpath(value) if os.path.isabs(arg) else value + for arg, value in zip(self.args, arguments)] + + return super(PathFilter, self).get_command([command] + args, + exec_dirs) + + class DnsmasqFilter(CommandFilter): """Specific filter for the dnsmasq call (which includes env)""" |