def test_match_filter_recurses_exec_command_filter_matches(self):
    """Accept a netns-exec command whose wrapped command is also allowed.

    Both the netns-exec filter and the plain ip filter are configured to
    run as root, so ``ip netns exec foo ip link list`` must produce a
    match (anything other than None) from ``wrapper.match_filter``.
    """
    # The test name says match_filter recurses into the exec'd command;
    # presumably the trailing ``ip link list`` is what IpFilter approves.
    # NOTE(review): confirm against wrapper.match_filter.
    allowed_filters = [
        filters.IpNetnsExecFilter(self._ip, 'root'),
        filters.IpFilter(self._ip, 'root'),
    ]
    command = ['ip', 'netns', 'exec', 'foo', 'ip', 'link', 'list']
    matched = wrapper.match_filter(allowed_filters, command)
    self.assertIsNotNone(matched)
def test_IpNetnsExecFilter_match(self):
    """Match ``ip netns exec`` in its full and abbreviated spellings.

    The filter must recognise shortened forms of ``netns`` and ``exec``
    ('net', 'netn', 'e', 'exe') as well as the full words.
    """
    # NOTE(review): presumably the abbreviations are covered so that a
    # shortened spelling is still treated as a netns-exec command rather
    # than being judged by a less strict filter; confirm in filters.py.
    accepted_commands = (
        ['ip', 'netns', 'exec', 'foo', 'ip', 'link', 'list'],
        ['ip', 'net', 'exec', 'foo', 'bar'],
        ['ip', 'netn', 'e', 'foo', 'bar'],
        ['ip', 'net', 'e', 'foo', 'bar'],
        ['ip', 'net', 'exe', 'foo', 'bar'],
    )
    exec_filter = filters.IpNetnsExecFilter(self._ip, 'root')
    for command in accepted_commands:
        self.assertTrue(exec_filter.match(command))
def test_match_filter_recurses_exec_command_filter_does_not_match(self):
    """Reject a netns-exec command that wraps another netns-exec command.

    With the same two root filters that accept a single level of
    ``ip netns exec``, a doubly nested invocation must make
    ``wrapper.match_filter`` raise ``wrapper.NoFilterMatched``.
    """
    allowed_filters = [
        filters.IpNetnsExecFilter(self._ip, 'root'),
        filters.IpFilter(self._ip, 'root'),
    ]
    # Outer exec into namespace 'foo', inner exec into namespace 'bar'.
    nested_command = [
        'ip', 'netns', 'exec', 'foo',
        'ip', 'netns', 'exec', 'bar',
        'ip', 'link', 'list',
    ]
    with self.assertRaises(wrapper.NoFilterMatched):
        wrapper.match_filter(allowed_filters, nested_command)
def test_match_filter_recurses_exec_command_matches_user(self):
    """Reject netns-exec when the inner command's filter is non-root.

    The netns-exec filter runs as root but the ip filter that would
    approve the wrapped ``ip link list`` runs as 'user'; match_filter
    must raise ``wrapper.NoFilterMatched`` instead of returning a match.
    """
    allowed_filters = [
        filters.IpNetnsExecFilter(self._ip, 'root'),
        filters.IpFilter(self._ip, 'user'),
    ]
    command = ['ip', 'netns', 'exec', 'foo', 'ip', 'link', 'list']
    # Currently ip netns exec requires root, so verify that
    # no non-root filter is matched, as that would escalate privileges
    with self.assertRaises(wrapper.NoFilterMatched):
        wrapper.match_filter(allowed_filters, command)
def test_IpNetnsExecFilter_nomatch(self):
    """Refuse commands that are not a well-formed ``ip netns exec``.

    Covers a plain ip command, ``netns`` in the wrong position, options
    placed before ``netns``, ``netns exec`` passed as a single argument,
    an empty argument list, and an invocation with no namespace name.
    """
    exec_filter = filters.IpNetnsExecFilter(self._ip, 'root')
    rejected_commands = (
        ['ip', 'link', 'list'],
        ['ip', 'foo', 'bar', 'netns'],
        ['ip', '-s', 'netns', 'exec'],
        ['ip', '-l', '42', 'netns', 'exec'],
        ['ip', 'netns exec', 'foo', 'bar', 'baz'],
        [],
        # verify that at least a NS is given
        ['ip', 'netns', 'exec'],
    )
    for command in rejected_commands:
        self.assertFalse(exec_filter.match(command))
def test_IpNetnsExecFilter_nomatch_nonroot(self):
    """Refuse a valid netns-exec command when the filter runs as 'user'.

    The command line is the one the root-configured filter accepts;
    only the run-as user differs, and that alone must prevent a match.
    """
    nonroot_filter = filters.IpNetnsExecFilter(self._ip, 'user')
    command = ['ip', 'netns', 'exec', 'foo', 'ip', 'link', 'list']
    self.assertFalse(nonroot_filter.match(command))