 def test_start_acquires_lock(self):
     """start() must enter ``start_lock`` (the mock's __enter__ is observed)."""
     ctx = priv_context.PrivContext('test', capabilities=[])
     # NOTE(review): channel is set to a non-None placeholder, presumably so
     # start() does not try to launch a real daemon -- confirm against
     # PrivContext.start().
     ctx.channel = "something not None"
     # A plain Mock has no context-manager protocol; give it one so that
     # ``with ctx.start_lock:`` works and __enter__ can be inspected.
     lock = mock.Mock()
     lock.__enter__ = mock.Mock()
     lock.__exit__ = mock.Mock()
     ctx.start_lock = lock
     self.assertFalse(lock.__enter__.called)
     ctx.start()
     self.assertTrue(lock.__enter__.called)
    def test_set_client_mode(self, mock_sys):
        """client_mode can be switched off, but not back on under win32."""
        ctx = priv_context.PrivContext('test', capabilities=[])
        # A freshly built context starts out in client mode.
        self.assertTrue(ctx.client_mode)

        ctx.set_client_mode(False)
        self.assertFalse(ctx.client_mode)

        # With sys.platform patched to win32, re-enabling client mode must be
        # refused with RuntimeError.
        mock_sys.platform = 'win32'
        with self.assertRaises(RuntimeError):
            ctx.set_client_mode(True)
# Copyright 2019 Kaloom, Inc.  All rights reserved.
# Copyright (C) 2016 Red Hat, Inc
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_privsep import capabilities as c
from oslo_privsep import priv_context

# Privileged context for the Kaloom KVS VIF plug.  Functions decorated with
# ``vif_plug.entrypoint`` are routed to the privsep helper configured under
# [vif_plug_kaloom_kvs_privileged]; exactly the two capabilities listed here
# are requested for that helper (see capabilities(7) for their meaning).
vif_plug = priv_context.PrivContext(
    "vif_plug_kaloom_kvs",
    capabilities=[
        c.CAP_NET_ADMIN,  # network administration
        c.CAP_CHOWN,      # changing file ownership
    ],
    cfg_section="vif_plug_kaloom_kvs_privileged",
    pypath=".".join((__name__, "vif_plug")),
)
#  Licensed under the Apache License, Version 2.0 (the "License"); you may
#  not use this file except in compliance with the License. You may obtain
#  a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#  License for the specific language governing permissions and limitations
#  under the License.

from oslo_privsep import capabilities as c
from oslo_privsep import priv_context

# General-purpose privileged context for zun ('zun.common'), configured under
# the [privsep] section.  Only CAP_SYS_ADMIN is requested -- a single but very
# broad capability, so new entrypoints on this context deserve review.
default = priv_context.PrivContext(
    'zun.common',
    capabilities=[c.CAP_SYS_ADMIN],
    cfg_section='privsep',
    pypath='.'.join((__name__, 'default')),
)

# Privileged context for zun's CNI code path ('zun.cni').  It shares the
# [privsep] config section with ``default`` but asks for a wider grant:
# CAP_NET_ADMIN and CAP_SYS_PTRACE on top of CAP_SYS_ADMIN.  CAP_SYS_PTRACE
# (tracing/inspecting other processes) is broad in its own right; keep the
# entrypoints that rely on it documented.
cni = priv_context.PrivContext(
    'zun.cni',
    capabilities=[
        c.CAP_SYS_ADMIN,
        c.CAP_NET_ADMIN,
        c.CAP_SYS_PTRACE,
    ],
    cfg_section='privsep',
    pypath='.'.join((__name__, 'cni')),
)
# Copyright 2016 Red Hat, Inc
# Copyright 2017 Rackspace Australia
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.
"""Setup privsep decorator."""

from oslo_privsep import capabilities
from oslo_privsep import priv_context

# NOTE(tonyb): DAC == Discretionary Access Control.  Basically this context
#              can bypass permissions checks in the file-system.
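dac_admin_pctxt = priv_context.PrivContext(
    'nova',
    cfg_section='nova_privileged',
    pypath=__name__ + '.dac_admin_pctxt',
    # NOTE(tonyb): these are CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH
    #              and CAP_FOWNER.  See capabilities(7) for more information.
    # The symbolic constants from oslo_privsep.capabilities replace the former
    # raw numbers 0-3 (identical values): a capability grant that can bypass
    # file-system permission checks should be readable and greppable when
    # auditing privsep contexts, not a list of magic numbers.
    capabilities=[capabilities.CAP_CHOWN,
                  capabilities.CAP_DAC_OVERRIDE,
                  capabilities.CAP_DAC_READ_SEARCH,
                  capabilities.CAP_FOWNER],
)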
# Derived from os-vif/vif_plug_ovs/privsep.py
#
# Copyright (c) 2017 Netronome Systems Pty. Ltd.
# Copyright (C) 2016 Red Hat, Inc
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_privsep import capabilities as c
from oslo_privsep import priv_context

# Privileged context for the Agilio OVS VIF plug, configured under
# [vif_plug_agilio_ovs_privileged].  Besides CAP_NET_ADMIN this context also
# requests CAP_SYS_ADMIN, which is far broader than interface administration;
# entrypoints added here should be reviewed with that grant in mind.
vif_plug = priv_context.PrivContext(
    "vif_plug_agilio_ovs",
    capabilities=[
        c.CAP_NET_ADMIN,
        c.CAP_SYS_ADMIN,
    ],
    cfg_section="vif_plug_agilio_ovs_privileged",
    pypath=".".join((__name__, "vif_plug")),
)
# Copyright 2017 Big Switch Networks, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from oslo_privsep import capabilities as c
from oslo_privsep import priv_context

# Privileged context for the Big Switch IVS VIF plug, configured under
# [vif_plug_ivs_privileged].  Only CAP_NET_ADMIN is requested -- the minimal
# grant for network interface administration.
vif_plug = priv_context.PrivContext(
    "os_vif_bigswitch.vif_plug_ivs",
    capabilities=[c.CAP_NET_ADMIN],
    cfg_section="vif_plug_ivs_privileged",
    pypath=".".join((__name__, "vif_plug")),
)
# Copyright 2016 Semihalf.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

from oslo_privsep import capabilities as c
from oslo_privsep import priv_context

# Privileged context for the vRouter VIF plug, configured under
# [vif_plug_vrouter_privileged].  Only CAP_NET_ADMIN is requested.
vif_plug = priv_context.PrivContext(
    "vif_plug_vrouter",
    capabilities=[c.CAP_NET_ADMIN],
    cfg_section="vif_plug_vrouter_privileged",
    pypath=".".join((__name__, "vif_plug")),
)
# Copyright(c) 2016 Nippon Telegraph and Telephone Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

from oslo_privsep import priv_context


# Privileged context for masakari-monitors, configured under
# [masakarimonitors_privileged].  The capability list is deliberately empty:
# the helper is requested with no Linux capabilities at all.
# NOTE(review): confirm that the entrypoints routed through this context
# really need a separate helper process given that no capability is granted.
monitors_priv = priv_context.PrivContext(
    "masakarimonitors",
    capabilities=[],
    cfg_section="masakarimonitors_privileged",
    pypath=".".join((__name__, "monitors_priv")),
)
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

import os

from oslotest import base

from oslo_privsep import priv_context
import oslo_privsep.tests
from oslo_privsep.tests import fixture

# Context used by the oslo.privsep test-suite.  Its prefix is the
# oslo_privsep.tests package name, so entrypoints anywhere below that package
# are accepted.  This is one of the rare cases where we actually want zero
# powers, hence the empty capability list.
context = priv_context.PrivContext(
    oslo_privsep.tests.__name__,
    capabilities=[],
    pypath='%s.context' % __name__,
)


class TestContextTestCase(base.BaseTestCase):
    def setUp(self):
        """Install the unprivileged privsep fixture and remember its conf."""
        super(TestContextTestCase, self).setUp()
        privsep = fixture.UnprivilegedPrivsepFixture(context)
        # useFixture() returns the fixture it set up; only its conf is kept.
        self.privsep_conf = self.useFixture(privsep).conf

    def assertNotMyPid(self, pid):
        # Verify that `pid` is some positive integer, that isn't our pid
        self.assertIsInstance(pid, int)
# License for the specific language governing permissions and limitations
# under the License.

import logging
import os
import time
import unittest

from oslo_config import fixture as config_fixture
from oslotest import base

from oslo_privsep import priv_context

# Context used by the tests in this module: configured under [privsep], with
# no capabilities requested (the tests exercise the call plumbing only).
test_context = priv_context.PrivContext(
    __name__,
    capabilities=[],
    cfg_section='privsep',
    pypath='%s.test_context' % __name__,
)


@test_context.entrypoint
def sleep():
    """Entrypoint that blocks for about a millisecond and returns nothing."""
    # Deliberately non-zero: the tests rely on the daemon not being able to
    # handle these calls too fast.
    time.sleep(0.001)


@test_context.entrypoint
def one():
    """Trivial entrypoint: returns the constant ``1``."""
    return 1

    def test_init_windows(self, mock_sys):
        """A context built while sys.platform is win32 is not in client mode."""
        mock_sys.platform = 'win32'
        ctx = priv_context.PrivContext('test', capabilities=[])
        self.assertFalse(ctx.client_mode)
# Copyright 2018 Michael Still and Aptira
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

"""Setup privsep decorator."""

from oslo_privsep import capabilities
from oslo_privsep import priv_context

# Privileged context for cinder, configured under [cinder_sys_admin].  The
# grant combines the file-system DAC-bypass set (CAP_CHOWN, CAP_DAC_OVERRIDE,
# CAP_DAC_READ_SEARCH, CAP_FOWNER) with CAP_NET_ADMIN and CAP_SYS_ADMIN.  The
# last one is a very broad capability; keep entrypoints on this context to
# operations that actually need it.
sys_admin_pctxt = priv_context.PrivContext(
    'cinder',
    capabilities=[
        capabilities.CAP_CHOWN,
        capabilities.CAP_DAC_OVERRIDE,
        capabilities.CAP_DAC_READ_SEARCH,
        capabilities.CAP_FOWNER,
        capabilities.CAP_NET_ADMIN,
        capabilities.CAP_SYS_ADMIN,
    ],
    cfg_section='cinder_sys_admin',
    pypath='.'.join((__name__, 'sys_admin_pctxt')),
)
# Copyright (C) 2016 Red Hat, Inc
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_privsep import capabilities as c
from oslo_privsep import priv_context

# Privileged context for the MidoNet VIF plug, configured under
# [vif_plug_midonet].  Only CAP_NET_ADMIN is requested.
vif_plug = priv_context.PrivContext(
    "midonet",
    capabilities=[c.CAP_NET_ADMIN],
    cfg_section="vif_plug_midonet",
    pypath=".".join((__name__, "vif_plug")),
)

# Second MidoNet context, for the mm-ctl code path.  Same prefix and the same
# CAP_NET_ADMIN-only grant as ``vif_plug``, but a separate config section
# ([vif_plug_midonet_mm_ctl]) so the two helpers can be configured apart.
mm_ctl = priv_context.PrivContext(
    "midonet",
    capabilities=[c.CAP_NET_ADMIN],
    cfg_section="vif_plug_midonet_mm_ctl",
    pypath=".".join((__name__, "mm_ctl")),
)
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_privsep import capabilities as c
from oslo_privsep import priv_context

# It is expected that most (if not all) solum operations can be
# executed with these privileges.
# Default privileged context for solum, configured under [privsep_solum].
# Only CAP_SYS_ADMIN is requested; it is a single but very broad capability.
default = priv_context.PrivContext(
    __name__,
    capabilities=[c.CAP_SYS_ADMIN],
    cfg_section='privsep_solum',
    pypath='.'.join((__name__, 'default')),
)
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

import os

from oslo_privsep import capabilities as c
from oslo_privsep import priv_context


# Baseline grant: CAP_SYS_ADMIN alone.
capabilities = [c.CAP_SYS_ADMIN]

# On virtual environments libraries are not owned by the Daemon user (root), so
# the Daemon needs the capability to bypass file read permission checks in
# order to dynamically load the code to run.
#
# NOTE(review): the widening is decided at import time from the VIRTUAL_ENV
# variable of the process importing this module, not from the daemon's
# configuration.  Any environment that sets VIRTUAL_ENV -- a venv-based
# production install included -- therefore gets CAP_DAC_READ_SEARCH as well.
if os.environ.get('VIRTUAL_ENV'):
    capabilities += [c.CAP_DAC_READ_SEARCH]

# It is expected that most (if not all) os-brick operations can be
# executed with these privileges.
default = priv_context.PrivContext(
    __name__,
    capabilities=capabilities,
    cfg_section='privsep_osbrick',
    pypath='.'.join((__name__, 'default')),
)
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_privsep import capabilities as caps
from oslo_privsep import priv_context

# It is expected that most (if not all) neutron operations can be
# executed with these privileges.
default = priv_context.PrivContext(
    __name__,
    cfg_section='privsep',
    pypath='.'.join((__name__, 'default')),
    # TODO(gus): CAP_SYS_ADMIN is required (only?) for manipulating
    # network namespaces.  SYS_ADMIN is a lot of scary powers, so
    # consider breaking this out into a separate minimal context.
    # NOTE(review): CAP_SYS_PTRACE is broad as well (process inspection);
    # it would help to record which entrypoint actually needs it.
    capabilities=[
        caps.CAP_SYS_ADMIN,
        caps.CAP_NET_ADMIN,
        caps.CAP_DAC_OVERRIDE,
        caps.CAP_DAC_READ_SEARCH,
        caps.CAP_SYS_PTRACE,
    ],
)

# Narrower context for the dhcp_release command, configured under
# [privsep_dhcp_release]: CAP_SYS_ADMIN and CAP_NET_ADMIN only, without the
# DAC-bypass and ptrace capabilities of ``default``.
dhcp_release_cmd = priv_context.PrivContext(
    __name__,
    capabilities=[
        caps.CAP_SYS_ADMIN,
        caps.CAP_NET_ADMIN,
    ],
    cfg_section='privsep_dhcp_release',
    pypath='.'.join((__name__, 'dhcp_release_cmd')),
)

ovs_vsctl_cmd = priv_context.PrivContext(
    __name__,
    cfg_section='privsep_ovs_vsctl',
# Copyright 2019 ZTE Corporation
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.
"""Setup privsep decorator."""

from oslo_privsep import capabilities
from oslo_privsep import priv_context

# Privileged context for cyborg, configured under [cyborg_sys_admin].  The
# grant is the file-system DAC-bypass set (CAP_CHOWN, CAP_DAC_OVERRIDE,
# CAP_DAC_READ_SEARCH, CAP_FOWNER) plus CAP_SYS_ADMIN.
sys_admin_pctxt = priv_context.PrivContext(
    'cyborg',
    cfg_section='cyborg_sys_admin',
    pypath='.'.join((__name__, 'sys_admin_pctxt')),
    # TODO(yumeng):
    # CAP_SYS_ADMIN has a lot of scary powers, so
    # consider breaking this out into a separate minimal context.
    capabilities=[
        capabilities.CAP_CHOWN,
        capabilities.CAP_DAC_OVERRIDE,
        capabilities.CAP_DAC_READ_SEARCH,
        capabilities.CAP_FOWNER,
        capabilities.CAP_SYS_ADMIN,
    ],
)
文件: privsep.py 项目: yc18/yardstick
# Copyright (c) 2018 Intel Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

from oslo_privsep import capabilities as c
from oslo_privsep import priv_context

# Privileged context for yardstick, configured under [yardstick_privileged].
# Only CAP_SYS_ADMIN is requested -- a single but very broad capability.
yardstick_root = priv_context.PrivContext(
    "yardstick",
    capabilities=[c.CAP_SYS_ADMIN],
    cfg_section="yardstick_privileged",
    pypath=".".join((__name__, "yardstick_root")),
)
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_privsep import capabilities as c
from oslo_privsep import priv_context

# Privileged context for os-vif itself, configured under [os_vif_privileged].
# Only CAP_NET_ADMIN is requested.
os_vif_pctxt = priv_context.PrivContext(
    'os_vif',
    capabilities=[c.CAP_NET_ADMIN],
    cfg_section='os_vif_privileged',
    pypath='.'.join((__name__, 'os_vif_pctxt')),
)
#
# Copyright (C) 2016 Red Hat, Inc
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_privsep import capabilities as c
from oslo_privsep import priv_context

# Privileged context for the Linux bridge VIF plug, configured under
# [vif_plug_linux_bridge_privileged].  Only CAP_NET_ADMIN is requested.
vif_plug = priv_context.PrivContext(
    "vif_plug_linux_bridge",
    capabilities=[c.CAP_NET_ADMIN],
    cfg_section="vif_plug_linux_bridge_privileged",
    pypath=".".join((__name__, "vif_plug")),
)
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

from oslo_privsep import capabilities as caps
from oslo_privsep import priv_context

# It is expected that most (if not all) neutron operations can be
# executed with these privileges.
default = priv_context.PrivContext(
    __name__,
    cfg_section='privsep',
    pypath='.'.join((__name__, 'default')),
    # TODO(gus): CAP_SYS_ADMIN is required (only?) for manipulating
    # network namespaces.  SYS_ADMIN is a lot of scary powers, so
    # consider breaking this out into a separate minimal context.
    # CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH additionally let the helper
    # bypass file-system permission checks.
    capabilities=[
        caps.CAP_SYS_ADMIN,
        caps.CAP_NET_ADMIN,
        caps.CAP_DAC_OVERRIDE,
        caps.CAP_DAC_READ_SEARCH,
    ],
)
# -*- coding: utf-8 -*-
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Setup privsep decorator."""

from oslo_privsep import capabilities as c
from oslo_privsep import priv_context

# Privileged context for mdev handling in networking-vhost-vfio, configured
# under [networking_vhost_vfio_mdev].  No CAP_SYS_ADMIN here: the grant is
# limited to CAP_DAC_OVERRIDE and CAP_FOWNER, i.e. file permission/ownership
# overrides only.
mdev_context = priv_context.PrivContext(
    "networking_vhost_vfio",
    capabilities=[
        c.CAP_DAC_OVERRIDE,
        c.CAP_FOWNER,
    ],
    cfg_section="networking_vhost_vfio_mdev",
    pypath=".".join((__name__, "mdev_context")),
)