author | Michael Still <mikal@stillhq.com> | 2017-09-18 23:15:10 +1000 |
---|---|---|
committer | Michael Still <mikal@stillhq.com> | 2017-09-18 23:15:10 +1000 |
commit | e00d8eb7593edb443f18c779b3fedc5bb91d79f8 (patch) | |
tree | 26a01da37e96d8787768e39754484f515c246c43 /nova/privsep | |
parent | 8ea68a5ebebe9caddbb22ddbb2502a2d7d426e8e (diff) | |
download | nova-e00d8eb7593edb443f18c779b3fedc5bb91d79f8.tar.gz |
Squash dac_admin privsep context.
As discussed at the PTG, squash the dac_admin privsep context into
the `sys_admin_pctxt` context.
Change-Id: I10142be4baa404835fabebd50f7f976ca6ec402e
blueprint: hurrah-for-privsep
Diffstat (limited to 'nova/privsep')
-rw-r--r-- | nova/privsep/__init__.py | 13 | ||||
-rw-r--r-- | nova/privsep/libvirt.py | 5 | ||||
-rw-r--r-- | nova/privsep/path.py | 18 |
3 files changed, 11 insertions, 25 deletions
diff --git a/nova/privsep/__init__.py b/nova/privsep/__init__.py
index 03315131ca..c0e138a692 100644
--- a/nova/privsep/__init__.py
+++ b/nova/privsep/__init__.py
@@ -18,19 +18,6 @@ from oslo_privsep import capabilities
 from oslo_privsep import priv_context
-# NOTE(tonyb): DAC == Discriminatory Access Control. Basically this context
-# can bypass permissions checks in the file-system.
-dac_admin_pctxt = priv_context.PrivContext(
- 'nova',
- cfg_section='nova_dac_admin',
- pypath=__name__ + '.dac_admin_pctxt',
- capabilities=[capabilities.CAP_CHOWN,
- capabilities.CAP_DAC_OVERRIDE,
- capabilities.CAP_DAC_READ_SEARCH,
- capabilities.CAP_FOWNER],
-)
-
-
 # NOTE(mikal): DAC + CAP_NET_ADMIN, required for network sysfs changes
 dacnet_admin_pctxt = priv_context.PrivContext(
 'nova',
diff --git a/nova/privsep/libvirt.py b/nova/privsep/libvirt.py
index 6c2844f318..4f7f313c61 100644
--- a/nova/privsep/libvirt.py
+++ b/nova/privsep/libvirt.py
@@ -14,8 +14,7 @@
 # under the License.
 """
-libvirt specific routines that use the dac_admin_pctxt to bypass file-system
-checks.
+libvirt specific routines.
 """
 import errno
@@ -24,7 +23,7 @@ import os
 import nova.privsep
-@nova.privsep.dac_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
 def last_bytes(path, num):
 # NOTE(mikal): this is implemented in this contrived manner because you
 # can't mock a decorator in python (they're loaded at file parse time,
diff --git a/nova/privsep/path.py b/nova/privsep/path.py
index e84070ccab..b82a5f580d 100644
--- a/nova/privsep/path.py
+++ b/nova/privsep/path.py
@@ -13,7 +13,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
-"""Routines that use the dac_admin_pctxt to bypass file-system checks"""
+"""Routines that bypass file-system checks."""
 import os
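Review bot: The new module docstring `libvirt specific routines.` drops the only statement that the functions in this module execute inside a privileged helper, which is exactly what a maintainer adding a new function here needs to know before reaching for it. Now that the `dac_admin` name no longer carries that meaning, suggest `"""libvirt specific routines that run in the sys_admin privsep context."""` so the elevated-privilege contract stays visible at the top of the file.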
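Review bot: `last_bytes` now runs under `sys_admin_pctxt`, whose capability list is not visible in this diff; assuming it is a superset of the CAP_CHOWN/CAP_DAC_OVERRIDE/CAP_DAC_READ_SEARCH/CAP_FOWNER set the removed context declared, a caller-supplied `path` is now handled by a process with strictly more privilege than before, so the trust placed in callers of this entrypoint has grown. The commit also deletes `cfg_section='nova_dac_admin'`, so any operator setting under a `[nova_dac_admin]` section (such as a helper_command override) is silently ignored after upgrade; that deserves a release note or an explicit mention in the commit message. A one-line comment above the decorator would make the new contract explicit, e.g. `# Runs in the privsep helper with sys_admin_pctxt's capabilities; path is trusted.` The body of last_bytes continues outside the hunk.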
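Review bot: `"""Routines that bypass file-system checks."""` no longer says how or under which context the checks are bypassed, which is what a reader deciding whether a new helper belongs in this module needs. No validation of path arguments appears in this file's hunks (the `os.path.exists` calls are presence checks, not trust checks), so the docstring is the place to state the assumption, e.g. `"""Routines that run in the sys_admin privsep context and therefore bypass file-system permission checks; every path argument is trusted."""`.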
@@ -23,7 +23,7 @@ from nova import exception
 import nova.privsep
-@nova.privsep.dac_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
 def readfile(path):
 if not os.path.exists(path):
 raise exception.FileNotFound(file_path=path)
@@ -31,7 +31,7 @@ def readfile(path):
 return f.read()
-@nova.privsep.dac_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
 def writefile(path, mode, content):
 if not os.path.exists(path):
 raise exception.FileNotFound(file_path=path)
@@ -39,33 +39,33 @@ def writefile(path, mode, content):
 f.write(content)
-@nova.privsep.dac_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
 def readlink(path):
 if not os.path.exists(path):
 raise exception.FileNotFound(file_path=path)
 return os.readlink(path)
-@nova.privsep.dac_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
 def chown(path, uid=-1, gid=-1):
 if not os.path.exists(path):
 raise exception.FileNotFound(file_path=path)
 return os.chown(path, uid, gid)
-@nova.privsep.dac_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
 def makedirs(path):
 fileutils.ensure_tree(path)
-@nova.privsep.dac_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
 def chmod(path, mode):
 if not os.path.exists(path):
 raise exception.FileNotFound(file_path=path)
 os.chmod(path, mode)
-@nova.privsep.dac_admin_pctxt.entrypoint
+@nova.privsep.sys_admin_pctxt.entrypoint
 def utime(path):
 if not os.path.exists(path):
 raise exception.FileNotFound(file_path=path)
@@ -79,6 +79,6 @@ def utime(path):
 class path(object):
 @staticmethod
- @nova.privsep.dac_admin_pctxt.entrypoint
+ @nova.privsep.sys_admin_pctxt.entrypoint
 def exists(path):
 return os.path.exists(path) |
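Review bot: `readfile` has no docstring, and after this change its `path` argument goes straight to `os.path.exists` and, presumably in the `open` call below the hunk, to `open` inside the privileged helper, so any path the nova-compute process can be induced to pass is readable regardless of file permissions. Add a docstring stating that the function runs in the sys_admin privsep context, that `path` is trusted and must not be derived from guest or API input, and that `FileNotFound` is raised only when the path does not exist. The exists check followed by a later open is also a check-then-use pair: a symlink at `path` can be retargeted between the two calls, so it is a convenience, not a security control, and the docstring should not imply otherwise. The body of readfile continues outside the hunk.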
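Review bot: `writefile(path, mode, content)` takes an open-mode string from the caller as well as the path, and nothing in the hunk constrains either; the `open` call is outside the hunk so I cannot confirm how `mode` is used, but a docstring should say which modes callers are expected to pass and that the write happens with the helper's elevated privileges, e.g. `"""Write content to an existing file as the privileged helper; path and mode are trusted."""`. The exists-then-open pattern means a symlink placed at `path` after the check is followed, which matters more now that the helper can write anywhere. The body continues outside the hunk.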
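Review bot: `chown`, `chmod` and `utime` each call `os.path.exists` and then the real operation on the same `path`; both `os.path.exists` and `os.chown`/`os.chmod` follow symlinks, so with CAP_CHOWN and CAP_FOWNER available in the helper (assumed from the capability set the removed dac_admin context declared) a symlink swapped in at `path` between the two calls would retarget the ownership or mode change to an arbitrary file. None of these functions is new in this commit, but none has a docstring, so callers get no statement that `path` must not live in a directory a less-privileged user can write. At minimum add a one-line docstring to each, e.g. `"""chown path as the privileged helper; path is trusted and symlinks are followed."""`, and consider `os.lchown` where callers never need to dereference. `utime`'s body continues outside the hunk.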