def filter_command(command, rootwrap_config):
    """Verify that *command* is authorised by the rootwrap filters.

    Loads the rootwrap configuration at *rootwrap_config*, builds the filter
    list from its ``filters_path`` and asks ``wrapper.match_filter`` whether
    *command* is allowed to run (looking up executables in ``exec_dirs``).
    Returns normally when a filter matches; otherwise logs the reason and
    terminates the process:

    * ``errno.EINVAL`` -- the configuration has a bad value or is malformed,
      or the matched filter points at an executable that cannot be run;
    * ``errno.EPERM`` -- no filter authorises the command.

    :param command: the command to check, as an argument list
    :param rootwrap_config: path to the rootwrap configuration file
    """
    def _fail(message, values, rc):
        # Every failure path logs once and exits with the given errno code;
        # the exit code is what distinguishes "bad config" (EINVAL) from
        # "not authorised" (EPERM) for the caller.
        LOG.error(message, values)
        sys.exit(rc)

    # NOTE(review): RawConfigParser.read() silently skips files it cannot
    # open, so a missing config file is not detected here; presumably
    # RootwrapConfig then fails on the absent options -- confirm in wrapper.
    try:
        parser = ConfigParser.RawConfigParser()
        parser.read(rootwrap_config)
        rw_config = wrapper.RootwrapConfig(parser)
    except ValueError as exc:
        _fail('Incorrect value in %(config)s: %(exc)s',
              {'config': rootwrap_config, 'exc': exc},
              errno.EINVAL)
    except ConfigParser.Error:
        _fail('Incorrect configuration file: %(config)s',
              {'config': rootwrap_config},
              errno.EINVAL)

    # A match is only acceptable if the filter's executable can actually be
    # run from one of the configured exec_dirs.
    allowed = wrapper.load_filters(rw_config.filters_path)
    try:
        wrapper.match_filter(allowed, command, exec_dirs=rw_config.exec_dirs)
    except wrapper.FilterMatchNotExecutable as exc:
        _fail('Command %(command)s is not executable: '
              '%(path)s (filter match = %(name)s)',
              {'command': command,
               'path': exc.match.exec_path,
               'name': exc.match.name},
              errno.EINVAL)
    except wrapper.NoFilterMatched:
        _fail('Unauthorized command: %(cmd)s (no filter matched)',
              {'cmd': command},
              errno.EPERM)
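def filter_command(command, rootwrap_config):
    """Verify that *command* is authorised by the rootwrap filters.

    Loads the rootwrap configuration at *rootwrap_config*, builds the filter
    list from its ``filters_path`` and asks ``wrapper.match_filter`` whether
    *command* is allowed to run (looking up executables in ``exec_dirs``).
    Returns normally when a filter matches; otherwise logs the reason and
    terminates the process:

    * ``errno.EINVAL`` -- the configuration has a bad value or is malformed,
      or the matched filter points at an executable that cannot be run;
    * ``errno.EPERM`` -- no filter authorises the command.

    :param command: the command to check, as an argument list
    :param rootwrap_config: path to the rootwrap configuration file
    """
    # NOTE(review): RawConfigParser.read() silently skips files it cannot
    # open, so a missing config file is not detected here; presumably
    # RootwrapConfig then fails on the absent options -- confirm in wrapper.
    try:
        rawconfig = ConfigParser.RawConfigParser()
        rawconfig.read(rootwrap_config)
        rw_config = wrapper.RootwrapConfig(rawconfig)
    except ValueError as exc:
        # Log the exception object itself rather than ``exc.message``: that
        # attribute is deprecated on Python 2 and does not exist on Python 3,
        # where the old code raised AttributeError inside the handler.
        LOG.error(_LE('Incorrect value in %(config)s: %(exc)s'),
                  {'config': rootwrap_config, 'exc': exc})
        sys.exit(errno.EINVAL)
    except ConfigParser.Error:
        LOG.error(_LE('Incorrect configuration file: %(config)s'),
                  {'config': rootwrap_config})
        sys.exit(errno.EINVAL)

    # A match is only acceptable if the filter's executable can actually be
    # run from one of the configured exec_dirs.
    filters = wrapper.load_filters(rw_config.filters_path)
    try:
        wrapper.match_filter(filters, command, exec_dirs=rw_config.exec_dirs)
    except wrapper.FilterMatchNotExecutable as exc:
        LOG.error(_LE('Command %(command)s is not executable: '
                      '%(path)s (filter match = %(name)s)'),
                  {'command': command,
                   'path': exc.match.exec_path,
                   'name': exc.match.name})
        sys.exit(errno.EINVAL)
    except wrapper.NoFilterMatched:
        LOG.error(_LE('Unauthorized command: %(cmd)s (no filter matched)'),
                  {'cmd': command})
        sys.exit(errno.EPERM)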
def test_match_filter_recurses_exec_command_filter_matches(self):
    """An ``ip netns exec`` command matches when its inner command matches.

    The filter list holds an ``IpNetnsExecFilter`` for the outer ``ip netns
    exec <ns>`` part and an ``IpFilter`` for the wrapped ``ip link list``;
    per the test name, the matcher is expected to recurse into the inner
    command and report a match.
    """
    netns_filter = filters.IpNetnsExecFilter(self._ip, 'root')
    inner_filter = filters.IpFilter(self._ip, 'root')
    command = ['ip', 'netns', 'exec', 'foo', 'ip', 'link', 'list']
    match = wrapper.match_filter([netns_filter, inner_filter], command)
    self.assertIsNotNone(match)
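def test_ChainingRegExpFilter_match(self):
    """``nice <prio> cat /a`` matches via a chaining filter plus a plain filter.

    ``ChainingRegExpFilter`` accepts the ``nice -?\\d+`` prefix and hands the
    remainder (``cat /a``) on to the ``CommandFilter`` for ``cat``.
    """
    # The argument pattern is a regex, so it is written as a raw string:
    # '\d' in a normal string literal is an invalid escape sequence that
    # Python 3.6+ warns about (a SyntaxWarning from 3.12).
    filter_list = [filters.ChainingRegExpFilter('nice', 'root',
                                                'nice', r'-?\d+'),
                   filters.CommandFilter('cat', 'root')]
    args = ['nice', '5', 'cat', '/a']
    dirs = ['/bin', '/usr/bin']
    self.assertIsNotNone(wrapper.match_filter(filter_list, args, dirs))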
def test_ChainingRegExpFilter_multiple(self):
    """Two chaining filters with the same prefix: the stricter one must match.

    Both ``ionice`` filters accept ``['ionice', '-c2']`` as a prefix, but
    only the second one also accepts the ``-n7`` argument, so the command
    as a whole should still be matched (by that second filter).
    """
    loose = filters.ChainingRegExpFilter('ionice', 'root',
                                         'ionice', '-c[0-3]')
    strict = filters.ChainingRegExpFilter('ionice', 'root',
                                          'ionice', '-c[0-3]', '-n[0-7]')
    cat = filters.CommandFilter('cat', 'root')
    command = ['ionice', '-c2', '-n7', 'cat', '/a']
    exec_dirs = ['/bin', '/usr/bin']
    match = wrapper.match_filter([loose, strict, cat], command, exec_dirs)
    self.assertIsNotNone(match)
def test_privsep_in_loader(self):
    """The privsep helper is authorised even with no filter directories.

    ``load_filters([])`` is given no filter paths, so any match has to come
    from the filters the loader provides on its own. ``get_exec`` is patched
    to a fake path because the real ``privsep-helper`` binary is presumably
    not available on the test machine (NOTE(review): assumption -- confirm).
    """
    command = ["privsep-helper", "--context", "foo"]
    fake_exec = "/fake/privsep-helper"
    filterlist = wrapper.load_filters([])
    with mock.patch.object(filters.CommandFilter, 'get_exec',
                           return_value=fake_exec):
        match = wrapper.match_filter(filterlist, command)
        self.assertIsNotNone(match)
        # The resolved command keeps the arguments and swaps in the
        # (fake) absolute path of the helper.
        expected = [fake_exec] + command[1:]
        self.assertEqual(expected, match.get_command(command))
def test_skips(self):
    """Non-matching filters are skipped and the last filter is the match.

    ``self.filters`` is set up by the fixture so that only its final entry
    accepts ``cat /``; the match must be that exact filter object.
    """
    command = ["cat", "/"]
    match = wrapper.match_filter(self.filters, command)
    self.assertIs(self.filters[-1], match)
def test_RegExpFilter_match(self):
    """``ls /root`` matches and resolves to the absolute ``/bin/ls`` path."""
    command = ["ls", "/root"]
    match = wrapper.match_filter(self.filters, command)
    self.assertIsNotNone(match)
    resolved = match.get_command(command)
    self.assertEqual(["/bin/ls", "/root"], resolved)
def test_RegExpFilter_match(self):
    """``ls /root`` matches and resolves to the absolute ``/bin/ls`` path."""
    command = ["ls", "/root"]
    match = wrapper.match_filter(self.filters, command)
    self.assertIsNotNone(match)
    # Argument order of assertEqual follows the original (actual, expected).
    self.assertEqual(match.get_command(command), ["/bin/ls", "/root"])
def test_match_filter_recurses_exec_command_filter_matches(self):
    """An ``ip netns exec`` command matches when its inner command matches.

    ``IpNetnsExecFilter`` covers the ``ip netns exec <ns>`` prefix and
    ``IpFilter`` covers the wrapped ``ip link list``; per the test name the
    matcher is expected to recurse into the inner command and find a match.
    """
    command = ['ip', 'netns', 'exec', 'foo', 'ip', 'link', 'list']
    match = wrapper.match_filter(
        [filters.IpNetnsExecFilter(self._ip, 'root'),
         filters.IpFilter(self._ip, 'root')],
        command)
    self.assertIsNotNone(match)