def test_match_filter_recurses_exec_command_filter_matches(self): filter_list = [ filters.IpNetnsExecFilter('/sbin/ip', 'root'), filters.IpFilter('/sbin/ip', 'root') ] args = ['ip', 'netns', 'exec', 'foo', 'ip', 'link', 'list'] self.assertIsNotNone(wrapper.match_filter(filter_list, args))
def test_match_filter_recurses_exec_command_matches_user(self): filter_list = [ filters.IpNetnsExecFilter('/sbin/ip', 'root'), filters.IpFilter('/sbin/ip', 'user') ] args = ['ip', 'netns', 'exec', 'foo', 'ip', 'link', 'list'] # Currently ip netns exec requires root, so verify that # no non-root filter is matched, as that would escalate privileges self.assertRaises(wrapper.NoFilterMatched, wrapper.match_filter, filter_list, args)
def test_match_filter_recurses_exec_command_filter_does_not_match(self): filter_list = [ filters.IpNetnsExecFilter('/sbin/ip', 'root'), filters.IpFilter('/sbin/ip', 'root') ] args = [ 'ip', 'netns', 'exec', 'foo', 'ip', 'netns', 'exec', 'bar', 'ip', 'link', 'list' ] self.assertRaises(wrapper.NoFilterMatched, wrapper.match_filter, filter_list, args)
def _test_IpFilter_netns_helper(self, action): f = filters.IpFilter('/sbin/ip', 'root') self.assertTrue(f.match(['ip', 'link', action]))
def test_IpFilter_non_netns(self): f = filters.IpFilter('/sbin/ip', 'root') self.assertTrue(f.match(['ip', 'link', 'list']))