def test_match_filter_recurses_exec_command_filter_matches(self):
filter_list = [
filters.IpNetnsExecFilter(self._ip, 'root'),
filters.IpFilter(self._ip, 'root')
]
args = ['ip', 'netns', 'exec', 'foo', 'ip', 'link', 'list']
self.assertIsNotNone(wrapper.match_filter(filter_list, args))
def test_match_filter_recurses_exec_command_matches_user(self):
filter_list = [
filters.IpNetnsExecFilter(self._ip, 'root'),
filters.IpFilter(self._ip, 'user')
]
args = ['ip', 'netns', 'exec', 'foo', 'ip', 'link', 'list']
# Currently ip netns exec requires root, so verify that
# no non-root filter is matched, as that would escalate privileges
self.assertRaises(wrapper.NoFilterMatched, wrapper.match_filter,
filter_list, args)
def test_match_filter_recurses_exec_command_filter_does_not_match(self):
filter_list = [
filters.IpNetnsExecFilter(self._ip, 'root'),
filters.IpFilter(self._ip, 'root')
]
args = [
'ip', 'netns', 'exec', 'foo', 'ip', 'netns', 'exec', 'bar', 'ip',
'link', 'list'
]
self.assertRaises(wrapper.NoFilterMatched, wrapper.match_filter,
filter_list, args)
def test_IpNetnsExecFilter_nomatch_nonroot(self):
f = filters.IpNetnsExecFilter(self._ip, 'user')
self.assertFalse(
f.match(['ip', 'netns', 'exec', 'foo', 'ip', 'link', 'list']))
def test_IpNetnsExecFilter_nomatch(self):
f = filters.IpNetnsExecFilter(self._ip, 'root')
self.assertFalse(f.match(['ip', 'link', 'list']))
# verify that at least a NS is given
self.assertFalse(f.match(['ip', 'netns', 'exec']))
def test_IpNetnsExecFilter_match(self):
f = filters.IpNetnsExecFilter(self._ip, 'root')
self.assertTrue(
f.match(['ip', 'netns', 'exec', 'foo', 'ip', 'link', 'list']))