Exemplo n.º 1
def filter_command(command, rootwrap_config):
    """Exit the process unless ``command`` is allowed by the rootwrap filters.

    Reads the rootwrap configuration from ``rootwrap_config``, loads the
    filters from its ``filters_path`` and checks ``command`` against them
    with ``wrapper.match_filter``. The matched filter is discarded, so this
    function acts purely as a gate: it returns ``None`` when the check
    passes and otherwise logs the reason and terminates via ``sys.exit``.

    Exit codes:
        errno.EINVAL: the configuration holds a bad value or cannot be
            parsed, or ``wrapper.FilterMatchNotExecutable`` was raised.
        errno.EPERM: ``wrapper.NoFilterMatched`` was raised.

    NOTE(review): nothing here checks who may write ``rootwrap_config`` or
    the filter locations; presumably both are expected to be writable only
    by root -- confirm at deployment. Callers should also run exactly the
    argument list that was validated here.
    """
    # Parse the configuration; either kind of configuration failure is fatal.
    try:
        parser = ConfigParser.RawConfigParser()
        parser.read(rootwrap_config)
        settings = wrapper.RootwrapConfig(parser)
    except ValueError as exc:
        bad_value = {'config': rootwrap_config, 'exc': exc}
        LOG.error('Incorrect value in %(config)s: %(exc)s', bad_value)
        sys.exit(errno.EINVAL)
    except ConfigParser.Error:
        bad_file = {'config': rootwrap_config}
        LOG.error('Incorrect configuration file: %(config)s', bad_file)
        sys.exit(errno.EINVAL)

    # Gate the command: only the exceptions matter, not the returned filter.
    allowed = wrapper.load_filters(settings.filters_path)
    try:
        wrapper.match_filter(allowed, command, exec_dirs=settings.exec_dirs)
    except wrapper.FilterMatchNotExecutable as exc:
        details = {
            'command': command,
            'path': exc.match.exec_path,
            'name': exc.match.name,
        }
        LOG.error('Command %(command)s is not executable: '
                  '%(path)s (filter match = %(name)s)', details)
        sys.exit(errno.EINVAL)
    except wrapper.NoFilterMatched:
        # The rejected command is logged so that denials can be audited.
        denied = {'cmd': command}
        LOG.error('Unauthorized command: %(cmd)s (no filter matched)', denied)
        sys.exit(errno.EPERM)
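def filter_command(command, rootwrap_config):
    """Exit the process unless ``command`` is allowed by the rootwrap filters.

    Reads the rootwrap configuration from ``rootwrap_config``, loads the
    filters from its ``filters_path`` and checks ``command`` against them
    with ``wrapper.match_filter``. The matched filter is discarded, so this
    function acts purely as a gate: it returns ``None`` when the check
    passes and otherwise logs the reason and terminates via ``sys.exit``.

    Exit codes:
        errno.EINVAL: the configuration holds a bad value or cannot be
            parsed, or ``wrapper.FilterMatchNotExecutable`` was raised.
        errno.EPERM: ``wrapper.NoFilterMatched`` was raised.

    NOTE(review): nothing here checks who may write ``rootwrap_config`` or
    the filter locations; presumably both are expected to be writable only
    by root -- confirm at deployment.
    """
    # Load rootwrap configuration
    try:
        rawconfig = ConfigParser.RawConfigParser()
        rawconfig.read(rootwrap_config)
        rw_config = wrapper.RootwrapConfig(rawconfig)
    except ValueError as exc:
        # Format the exception itself: ``exc.message`` is deprecated since
        # Python 2.6 and absent on Python 3, where reading it would raise
        # AttributeError inside this handler and hide the real config error.
        LOG.error(_LE('Incorrect value in %(config)s: %(exc)s'),
                  {'config': rootwrap_config, 'exc': exc})
        sys.exit(errno.EINVAL)
    except ConfigParser.Error:
        LOG.error(_LE('Incorrect configuration file: %(config)s'),
                  {'config': rootwrap_config})
        sys.exit(errno.EINVAL)

    # Check if command matches any of the loaded filters
    filters = wrapper.load_filters(rw_config.filters_path)
    try:
        wrapper.match_filter(filters, command, exec_dirs=rw_config.exec_dirs)
    except wrapper.FilterMatchNotExecutable as exc:
        LOG.error(_LE('Command %(command)s is not executable: '
                      '%(path)s (filter match = %(name)s)'),
                  {'command': command,
                   'path': exc.match.exec_path,
                   'name': exc.match.name})
        sys.exit(errno.EINVAL)
    except wrapper.NoFilterMatched:
        # The rejected command is logged so that denials can be audited.
        LOG.error(_LE('Unauthorized command: %(cmd)s (no filter matched)'),
                  {'cmd': command})
        sys.exit(errno.EPERM)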
Exemplo n.º 3
    def test_match_filter_recurses_exec_command_filter_matches(self):
        # Two filters are offered: one for `ip netns exec` and one for plain
        # `ip`. Going by the test name, match_filter is expected to recurse
        # into the command that follows `ip netns exec foo` and to accept the
        # whole line because the inner `ip link list` is covered as well.
        netns_exec = filters.IpNetnsExecFilter(self._ip, 'root')
        plain_ip = filters.IpFilter(self._ip, 'root')
        command = ['ip', 'netns', 'exec', 'foo', 'ip', 'link', 'list']

        matched = wrapper.match_filter([netns_exec, plain_ip], command)
        self.assertIsNotNone(matched)
Exemplo n.º 4
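    def test_ChainingRegExpFilter_match(self):
        # A ChainingRegExpFilter for `nice <int>` is combined with a plain
        # CommandFilter for `cat`; the chained command line must be matched.
        # The pattern is written as a raw string: '\d' in a normal literal is
        # an unrecognised escape that newer interpreters warn about, while
        # the raw form yields the same characters without the warning.
        filter_list = [filters.ChainingRegExpFilter('nice', 'root',
                                                    'nice', r'-?\d+'),
                       filters.CommandFilter('cat', 'root')]
        args = ['nice', '5', 'cat', '/a']
        dirs = ['/bin', '/usr/bin']

        self.assertIsNotNone(wrapper.match_filter(filter_list, args, dirs))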
Exemplo n.º 5
    def test_ChainingRegExpFilter_multiple(self):
        # Two ionice filters share the ['ionice', '-c2'] prefix, but only the
        # one that also lists '-n[0-7]' accepts the full command line below.
        # A match must still be found with both filters present.
        class_only = filters.ChainingRegExpFilter('ionice', 'root', 'ionice',
                                                  '-c[0-3]')
        class_and_level = filters.ChainingRegExpFilter('ionice', 'root',
                                                       'ionice', '-c[0-3]',
                                                       '-n[0-7]')
        cat_filter = filters.CommandFilter('cat', 'root')
        candidates = [class_only, class_and_level, cat_filter]

        command = ['ionice', '-c2', '-n7', 'cat', '/a']
        search_dirs = ['/bin', '/usr/bin']

        matched = wrapper.match_filter(candidates, command, search_dirs)
        self.assertIsNotNone(matched)
Exemplo n.º 6
    def test_privsep_in_loader(self):
        # Filters are loaded from an empty list, yet the privsep-helper
        # command below is expected to match.
        # NOTE(review): that implies the loader supplies a privsep-helper
        # filter on its own -- confirm in wrapper.load_filters.
        helper_cmd = ["privsep-helper", "--context", "foo"]
        loaded = wrapper.load_filters([])

        # get_exec is patched to return a fixed path, presumably so the test
        # does not depend on a real privsep-helper being installed.
        with mock.patch.object(filters.CommandFilter, 'get_exec') as fake_exec:
            fake_exec.return_value = "/fake/privsep-helper"
            matched = wrapper.match_filter(loaded, helper_cmd)

            self.assertIsNotNone(matched)
            expected = ["/fake/privsep-helper", "--context", "foo"]
            self.assertEqual(expected, matched.get_command(helper_cmd))
Exemplo n.º 7
 def test_skips(self):
     # `cat /` should fall through every earlier filter and be matched by
     # the last entry of self.filters, checked by identity.
     command = ["cat", "/"]
     matched = wrapper.match_filter(self.filters, command)
     final_filter = self.filters[-1]
     self.assertTrue(matched is final_filter)
Exemplo n.º 8
 def test_RegExpFilter_match(self):
     # `ls /root` must be accepted, and the matched filter must hand back
     # the command with the executable given as the absolute path /bin/ls.
     command = ["ls", "/root"]
     matched = wrapper.match_filter(self.filters, command)
     self.assertFalse(matched is None)
     rewritten = matched.get_command(command)
     self.assertEqual(["/bin/ls", "/root"], rewritten)
Exemplo n.º 9
 def test_RegExpFilter_match(self):
     # A filter in self.filters must accept `ls /root`; its get_command is
     # then required to return the absolute executable path /bin/ls.
     requested = ["ls", "/root"]
     hit = wrapper.match_filter(self.filters, requested)
     self.assertFalse(hit is None)
     resolved = hit.get_command(requested)
     self.assertEqual(resolved, ["/bin/ls", "/root"])
Exemplo n.º 10
 def test_skips(self):
     # None of the earlier filters may claim `cat /`; the match has to be
     # the very last filter object in self.filters.
     requested = ["cat", "/"]
     hit = wrapper.match_filter(self.filters, requested)
     last = self.filters[-1]
     self.assertTrue(hit is last)
Exemplo n.º 11
    def test_match_filter_recurses_exec_command_filter_matches(self):
        # The command wraps `ip link list` inside `ip netns exec foo`. With
        # both an IpNetnsExecFilter and an IpFilter available, a match is
        # required; per the test name this relies on match_filter recursing
        # into the wrapped command.
        wrapped = ['ip', 'netns', 'exec', 'foo', 'ip', 'link', 'list']
        available = [
            filters.IpNetnsExecFilter(self._ip, 'root'),
            filters.IpFilter(self._ip, 'root'),
        ]

        result = wrapper.match_filter(available, wrapped)
        self.assertIsNotNone(result)