Cinder

oslo-rootwrap gives up matching if first chaining filter fails

Bug #1340792 reported by Tomoki Sekiyama on 2014-07-11

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Cinder	Fix Released	Undecided	Unassigned
	oslo-incubator	Fix Released	Undecided	Unassigned	oslo-incubator juno-3 "j3"

Bug Description

When there are multiple chaining filters that may match on the specified arguments, oslo-rootwrap gives up matching if first chaining filter reject the arguments, even though latter filters can accept them.

For example, /etc/cinder/rootwrap.d/volume.filters has :

dd: CommandFilter, dd, root
ionice_1: ChainingRegExpFilter, ionice, root, ionice, -c[0-3]
ionice_2: ChainingRegExpFilter, ionice, root, ionice, -c[0-3], -n[0-7]

and then

% sudo cinder-rootwrap /etc/cinder/rootwrap.conf ionice -c2 -n7 dd if=/dev/zero of=/dev/sda1
/usr/bin/cinder-rootwrap: Unauthorized command: ionice -c2 -n7 dd if=/dev/zero of=/dev/sda1 (no filter matched)

However, if /etc/cinder/rootwrap.d/volume.filters has :

dd: CommandFilter, dd, root
ionice_2: ChainingRegExpFilter, ionice, root, ionice, -c[0-3], -n[0-7]
ionice_1: ChainingRegExpFilter, ionice, root, ionice, -c[0-3]

it accepts the command.

This is because, in the former case, the first filter "ionice_1" hits to "ionice -c2" part but "-n7 dd ..." is denied by leaf filters, then oslo-rootwrap gives up further matching.

Tags:

Doug Hellmann (doug-hellmann) on 2014-07-14

tags:

added: rootwrap

Thierry Carrez (ttx) on 2014-07-15

Changed in oslo:
status:	New → In Progress

Revision history for this message

Tomoki Sekiyama (tsekiyama) wrote on 2014-08-21:

Fix for this bug is already merged: https://review.openstack.org/#/c/106071/

Changed in oslo:
status:	In Progress → Fix Committed

Revision history for this message

Ben Nemec (bnemec) wrote on 2014-08-21:

Have we done a release since the fix merged? Tomoki mentioned in #openstack-oslo that it wasn't available in CI yet.

Revision history for this message

Thierry Carrez (ttx) wrote on 2014-08-22:

@Ben: not yet, that fix went in just after 1.3.0.0a1. i'll look into doing a new release ASAP, but some pretty significant changes landed and we need to check a few things first.

Thierry Carrez (ttx) on 2014-09-05

Changed in oslo-incubator:
milestone:	none → juno-3
status:	Fix Committed → Fix Released

Tomoki Sekiyama (tsekiyama) on 2015-05-27

Changed in cinder:
status:	New → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.