author | Matthew Thode <prometheanfire@gentoo.org> | 2016-02-09 19:09:52 -0600 |
---|---|---|
committer | Matthew Thode <prometheanfire@gentoo.org> | 2016-02-09 19:09:52 -0600 |
commit | 71beb2a9050f7ef521d53d9cbb544a8f89192d44 (patch) | |
tree | 059afe97e1aa6d9341223f0670d7d92894d15cb6 /sys-cluster | |
parent | sys-cluster/nova: cleanup (diff) | |
sys-cluster/neutron: cleanup
Package-Manager: portage-2.2.26
Diffstat (limited to 'sys-cluster')
-rw-r--r-- | sys-cluster/neutron/files/CVE-2015-5240_2015.1.1.patch | 155 | ||||
-rw-r--r-- | sys-cluster/neutron/neutron-2015.1.9999.ebuild | 252 |
2 files changed, 0 insertions, 407 deletions
diff --git a/sys-cluster/neutron/files/CVE-2015-5240_2015.1.1.patch b/sys-cluster/neutron/files/CVE-2015-5240_2015.1.1.patch
deleted file mode 100644
index ccb2a66bce9b..000000000000
--- a/sys-cluster/neutron/files/CVE-2015-5240_2015.1.1.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From 8138e2fe38ad2cde5963685df47b1e4286776352 Mon Sep 17 00:00:00 2001
-From: Kevin Benton <blak111@gmail.com>
-Date: Tue, 25 Aug 2015 22:03:27 -0700
-Subject: [PATCH] Stop device_owner from being set to 'network:*'
-
-This patch adjusts the FieldCheck class in the policy engine to
-allow a regex rule. It then leverages that to prevent users from
-setting the device_owner field to anything that starts with
-'network:' on networks which they do not own.
-
-This policy adjustment is necessary because any ports with a
-device_owner that starts with 'network:' will not have any security
-group rules applied because it is assumed they are trusted network
-devices (e.g. router ports, DHCP ports, etc). These security rules
-include the anti-spoofing protection for DHCP, IPv6 ICMP messages,
-and IP headers.
-
-Without this policy adjustment, tenants can abuse this trust when
-connected to a shared network with other tenants by setting their
-VM port's device_owner field to 'network:<anything>' and hijack other
-tenants' traffic via DHCP spoofing or MAC/IP spoofing.
-
-Closes-Bug: #1489111
-Change-Id: Ia64cf16142e0e4be44b5b0ed72c8e00792d770f9
-(cherry picked from commit 959a2f28cbbfc309381ea9ffb55090da6fb9c78f)
----
- etc/policy.json | 3 +++
- neutron/api/v2/attributes.py | 2 +-
- neutron/policy.py | 3 +++
- neutron/tests/etc/policy.json | 3 +++
- neutron/tests/unit/test_policy.py | 16 ++++++++++++++++
- 5 files changed, 26 insertions(+), 1 deletion(-)
-
-diff --git a/etc/policy.json b/etc/policy.json
-index 8a5de9b..0f04eb2 100644
---- a/etc/policy.json
-+++ b/etc/policy.json
-@@ -46,7 +46,9 @@
- "update_network:router:external": "rule:admin_only",
- "delete_network": "rule:admin_or_owner",
-
-+ "network_device": "field:port:device_owner=~^network:",
- "create_port": "",
-+ "create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
- "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
- "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
- "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
-@@ -61,6 +63,7 @@
- "get_port:binding:host_id": "rule:admin_only",
- "get_port:binding:profile": "rule:admin_only",
- "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
-+ "update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
- "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
- "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
- "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
-diff --git a/neutron/api/v2/attributes.py b/neutron/api/v2/attributes.py
-index b9c179a..9ceee78 100644
---- a/neutron/api/v2/attributes.py
-+++ b/neutron/api/v2/attributes.py
-@@ -766,7 +766,7 @@ RESOURCE_ATTRIBUTE_MAP = {
- 'is_visible': True},
- 'device_owner': {'allow_post': True, 'allow_put': True,
- 'validate': {'type:string': DEVICE_OWNER_MAX_LEN},
-- 'default': '',
-+ 'default': '', 'enforce_policy': True,
- 'is_visible': True},
- 'tenant_id': {'allow_post': True, 'allow_put': False,
- 'validate': {'type:string': TENANT_ID_MAX_LEN},
-diff --git a/neutron/policy.py b/neutron/policy.py
-index 9e586dd..961ae21 100644
---- a/neutron/policy.py
-+++ b/neutron/policy.py
-@@ -335,6 +335,7 @@ class FieldCheck(policy.Check):
-
- self.field = field
- self.value = conv_func(value)
-+ self.regex = re.compile(value[1:]) if value.startswith('~') else None
-
- def __call__(self, target_dict, cred_dict, enforcer):
- target_value = target_dict.get(self.field)
-@@ -344,6 +345,8 @@ class FieldCheck(policy.Check):
- "%(target_dict)s",
- {'field': self.field, 'target_dict': target_dict})
- return False
-+ if self.regex:
-+ return bool(self.regex.match(target_value))
- return target_value == self.value
-
-
-diff --git a/neutron/tests/etc/policy.json b/neutron/tests/etc/policy.json
-index 8a5de9b..0f04eb2 100644
---- a/neutron/tests/etc/policy.json
-+++ b/neutron/tests/etc/policy.json
-@@ -46,7 +46,9 @@
- "update_network:router:external": "rule:admin_only",
- "delete_network": "rule:admin_or_owner",
-
-+ "network_device": "field:port:device_owner=~^network:",
- "create_port": "",
-+ "create_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
- "create_port:mac_address": "rule:admin_or_network_owner or rule:context_is_advsvc",
- "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
- "create_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
-@@ -61,6 +63,7 @@
- "get_port:binding:host_id": "rule:admin_only",
- "get_port:binding:profile": "rule:admin_only",
- "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
-+ "update_port:device_owner": "not rule:network_device or rule:admin_or_network_owner or rule:context_is_advsvc",
- "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
- "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
- "update_port:port_security_enabled": "rule:admin_or_network_owner or rule:context_is_advsvc",
-diff --git a/neutron/tests/unit/test_policy.py b/neutron/tests/unit/test_policy.py
-index 3888ce3..4be404f 100644
---- a/neutron/tests/unit/test_policy.py
-+++ b/neutron/tests/unit/test_policy.py
-@@ -232,6 +232,7 @@ class NeutronPolicyTestCase(base.BaseTestCase):
- "regular_user": "role:user",
- "shared": "field:networks:shared=True",
- "external": "field:networks:router:external=True",
-+ "network_device": "field:port:device_owner=~^network:",
- "default": '@',
-
- "create_network": "rule:admin_or_owner",
-@@ -243,6 +244,7 @@ class NeutronPolicyTestCase(base.BaseTestCase):
- "create_subnet": "rule:admin_or_network_owner",
- "create_port:mac": "rule:admin_or_network_owner or "
- "rule:context_is_advsvc",
-+ "create_port:device_owner": "not rule:network_device",
- "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
- "get_port": "rule:admin_or_owner or rule:context_is_advsvc",
- "delete_port": "rule:admin_or_owner or rule:context_is_advsvc",
-@@ -312,6 +314,20 @@ class NeutronPolicyTestCase(base.BaseTestCase):
- self._test_nonadmin_action_on_attr('create', 'shared', True,
- common_policy.PolicyNotAuthorized)
-
-+ def test_create_port_device_owner_regex(self):
-+ blocked_values = ('network:', 'network:abdef', 'network:dhcp',
-+ 'network:router_interface')
-+ for val in blocked_values:
-+ self._test_advsvc_action_on_attr(
-+ 'create', 'port', 'device_owner', val,
-+ common_policy.PolicyNotAuthorized
-+ )
-+ ok_values = ('network', 'networks', 'my_network:test', 'my_network:')
-+ for val in ok_values:
-+ self._test_advsvc_action_on_attr(
-+ 'create', 'port', 'device_owner', val
-+ )
-+
- def test_advsvc_get_network_works(self):
- self._test_advsvc_action_on_attr('get', 'network', 'shared', False)
-
---
-1.9.1
-
diff --git a/sys-cluster/neutron/neutron-2015.1.9999.ebuild b/sys-cluster/neutron/neutron-2015.1.9999.ebuild
deleted file mode 100644
index 84d68fc84f24..000000000000
--- a/sys-cluster/neutron/neutron-2015.1.9999.ebuild
+++ /dev/null
@@ -1,252 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=5
-PYTHON_COMPAT=( python2_7 )
-
-inherit distutils-r1 git-2 linux-info user
-
-DESCRIPTION="A virtual network service for Openstack"
-HOMEPAGE="https://launchpad.net/neutron"
-EGIT_REPO_URI="https://github.com/openstack/neutron.git"
-EGIT_BRANCH="stable/kilo"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS=""
-IUSE="compute-only dhcp doc ipv6 l3 metadata openvswitch linuxbridge server test sqlite mysql postgres"
-REQUIRED_USE="!compute-only? ( || ( mysql postgres sqlite ) )
- compute-only? ( !mysql !postgres !sqlite !dhcp !l3 !metadata !server
- || ( openvswitch linuxbridge ) )"
-
-DEPEND="
- dev-python/setuptools[${PYTHON_USEDEP}]
- >=dev-python/pbr-0.8[${PYTHON_USEDEP}]
- <dev-python/pbr-1.0[${PYTHON_USEDEP}]
- app-admin/sudo
- test? (
- ${RDEPEND}
- >=dev-python/cliff-1.10.0[${PYTHON_USEDEP}]
- <dev-python/cliff-1.11.0[${PYTHON_USEDEP}]
- >=dev-python/coverage-3.6[${PYTHON_USEDEP}]
- >=dev-python/fixtures-0.3.14[${PYTHON_USEDEP}]
- <dev-python/fixtures-1.3.0[${PYTHON_USEDEP}]
- >=dev-python/mock-1.0[${PYTHON_USEDEP}]
- <dev-python/mock-1.1.0[${PYTHON_USEDEP}]
- >=dev-python/subunit-0.0.18[${PYTHON_USEDEP}]
- >=dev-python/requests-mock-0.6.0[${PYTHON_USEDEP}]
- >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
- !~dev-python/sphinx-1.2.0[${PYTHON_USEDEP}]
- <dev-python/sphinx-1.3[${PYTHON_USEDEP}]
- >=dev-python/oslo-sphinx-2.5.0[${PYTHON_USEDEP}]
- <dev-python/oslo-sphinx-2.6.0[${PYTHON_USEDEP}]
- >=dev-python/testrepository-0.0.18[${PYTHON_USEDEP}]
- >=dev-python/testtools-0.9.36[${PYTHON_USEDEP}]
- !~dev-python/testtools-1.2.0[${PYTHON_USEDEP}]
- >=dev-python/testscenarios-0.4[${PYTHON_USEDEP}]
- >=dev-python/webtest-2.0[${PYTHON_USEDEP}]
- >=dev-python/oslotest-1.5.1[${PYTHON_USEDEP}]
- <dev-python/oslotest-1.6.0[${PYTHON_USEDEP}]
- >=dev-python/tempest-lib-0.4.0[${PYTHON_USEDEP}]
- <dev-python/tempest-lib-0.5.0[${PYTHON_USEDEP}]
- )"
-
-RDEPEND="
- dev-python/paste[${PYTHON_USEDEP}]
- >=dev-python/pastedeploy-1.5.0-r1[${PYTHON_USEDEP}]
- >=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
- !~dev-python/routes-2.0[${PYTHON_USEDEP}]
- >=dev-python/eventlet-0.16.1[${PYTHON_USEDEP}]
- !~dev-python/eventlet-0.17.0[${PYTHON_USEDEP}]
- >=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
- >=dev-python/httplib2-0.7.5[${PYTHON_USEDEP}]
- >=dev-python/requests-2.2.0[${PYTHON_USEDEP}]
- !~dev-python/requests-2.4.0[${PYTHON_USEDEP}]
- dev-python/jsonrpclib[${PYTHON_USEDEP}]
- >=dev-python/jinja-2.6[${PYTHON_USEDEP}]
- >=dev-python/keystonemiddleware-1.5.0[${PYTHON_USEDEP}]
- <dev-python/keystonemiddleware-1.6.0[${PYTHON_USEDEP}]
- >=dev-python/netaddr-0.7.12[${PYTHON_USEDEP}]
- >=dev-python/python-neutronclient-2.4.0[${PYTHON_USEDEP}]
- <dev-python/python-neutronclient-2.5.0[${PYTHON_USEDEP}]
- >=dev-python/retrying-1.2.3[${PYTHON_USEDEP}]
- !~dev-python/retrying-1.3.0[${PYTHON_USEDEP}]
- compute-only? (
- >=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}]
- <=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
- )
- sqlite? (
- >=dev-python/sqlalchemy-0.9.7[sqlite,${PYTHON_USEDEP}]
- <=dev-python/sqlalchemy-0.9.99[sqlite,${PYTHON_USEDEP}]
- )
- mysql? (
- dev-python/mysql-python
- >=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}]
- <=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
- )
- postgres? (
- dev-python/psycopg:2
- >=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}]
- <=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
- )
- >=dev-python/webob-1.2.3[${PYTHON_USEDEP}]
- >=dev-python/python-keystoneclient-1.2.0[${PYTHON_USEDEP}]
- <dev-python/python-keystoneclient-1.4.0[${PYTHON_USEDEP}]
- >=dev-python/alembic-0.7.2[${PYTHON_USEDEP}]
- <dev-python/alembic-0.8.1[${PYTHON_USEDEP}]
- >=dev-python/six-1.9.0[${PYTHON_USEDEP}]
- >=dev-python/stevedore-1.3.0[${PYTHON_USEDEP}]
- <dev-python/stevedore-1.4.0[${PYTHON_USEDEP}]
- >=dev-python/oslo-concurrency-1.8.2[${PYTHON_USEDEP}]
- <dev-python/oslo-concurrency-1.9.0[${PYTHON_USEDEP}]
- >=dev-python/oslo-config-1.9.3[${PYTHON_USEDEP}]
- <dev-python/oslo-config-1.10.0[${PYTHON_USEDEP}]
- >=dev-python/oslo-context-0.2.0[${PYTHON_USEDEP}]
- <dev-python/oslo-context-0.3.0[${PYTHON_USEDEP}]
- >=dev-python/oslo-db-1.7.0[${PYTHON_USEDEP}]
- <dev-python/oslo-db-1.8.0[${PYTHON_USEDEP}]
- >=dev-python/oslo-i18n-1.5.0[${PYTHON_USEDEP}]
- <dev-python/oslo-i18n-1.6.0[${PYTHON_USEDEP}]
- >=dev-python/oslo-log-1.0.0[${PYTHON_USEDEP}]
- <dev-python/oslo-log-1.1.0[${PYTHON_USEDEP}]
- >=dev-python/oslo-messaging-1.8.0[${PYTHON_USEDEP}]
- <dev-python/oslo-messaging-1.9.0[${PYTHON_USEDEP}]
- >=dev-python/oslo-middleware-1.0.0[${PYTHON_USEDEP}]
- <dev-python/oslo-middleware-1.1.0[${PYTHON_USEDEP}]
- >=dev-python/oslo-rootwrap-1.6.0[${PYTHON_USEDEP}]
- <dev-python/oslo-rootwrap-1.7.0[${PYTHON_USEDEP}]
- >=dev-python/oslo-serialization-1.4.0[${PYTHON_USEDEP}]
- <dev-python/oslo-serialization-1.5.0[${PYTHON_USEDEP}]
- >=dev-python/oslo-utils-1.4.0[${PYTHON_USEDEP}]
- !~dev-python/oslo-utils-1.4.1[${PYTHON_USEDEP}]
- <dev-python/oslo-utils-1.5.0[${PYTHON_USEDEP}]
- >=dev-python/python-novaclient-2.22.0[${PYTHON_USEDEP}]
- <dev-python/python-novaclient-2.24.0[${PYTHON_USEDEP}]
- dev-python/pyudev[${PYTHON_USEDEP}]
- sys-apps/iproute2
- net-misc/bridge-utils
- net-firewall/ipset
- net-firewall/iptables
- net-firewall/ebtables
- openvswitch? ( net-misc/openvswitch )
- ipv6? ( net-misc/radvd )
- dhcp? ( net-dns/dnsmasq[dhcp-tools] )"
-
-PATCHES=(
-)
-
-pkg_setup() {
- linux-info_pkg_setup
- CONFIG_CHECK_MODULES="VLAN_8021Q IP6_NF_FILTER IP6_NF_IPTABLES IP_NF_TARGET_REJECT \
- IP_NF_MANGLE IP_NF_TARGET_MASQUERADE NF_NAT_IPV4 NF_CONNTRACK_IPV4 NF_DEFRAG_IPV4 \
- NF_NAT_IPV4 NF_NAT NF_CONNTRACK IP_NF_FILTER IP_NF_IPTABLES NETFILTER_XTABLES"
- if linux_config_exists; then
- for module in ${CONFIG_CHECK_MODULES}; do
- linux_chkconfig_present ${module} || ewarn "${module} needs to be enabled in kernel"
- done
- fi
- enewgroup neutron
- enewuser neutron -1 -1 /var/lib/neutron neutron
-}
-
-pkg_config() {
- fperms 0700 /var/log/neutron
- fowners neutron:neutron /var/log neutron
-}
-
-src_prepare() {
- sed -i '/^hacking/d' test-requirements.txt || die
- # it's /bin/ip not /sbin/ip
- sed -i 's/sbin\/ip\,/bin\/ip\,/g' etc/neutron/rootwrap.d/* || die
- distutils-r1_python_prepare_all
-}
-
-python_compile_all() {
- use doc && make -C doc html
-}
-
-python_test() {
- # https://bugs.launchpad.net/neutron/+bug/1234857
- # https://bugs.launchpad.net/swift/+bug/1249727
- # https://bugs.launchpad.net/neutron/+bug/1251657
- # Move tests out that attempt net connection, have failures
- mv $(find . -name test_ovs_tunnel.py) . || die
- sed -e 's:test_app_using_ipv6_and_ssl:_&:' \
- -e 's:test_start_random_port_with_ipv6:_&:' \
- -i neutron/tests/unit/test_wsgi.py || die
- testr init
- testr run --parallel || die "failed testsuite under python2.7"
-}
-
-python_install() {
- distutils-r1_python_install
- if use server; then
- newinitd "${FILESDIR}/neutron.initd" "neutron-server"
- newconfd "${FILESDIR}/neutron-server.confd" "neutron-server"
- dosym /etc/neutron/plugin.ini /etc/neutron/plugins/ml2/ml2_conf.ini
- fi
- if use dhcp; then
- newinitd "${FILESDIR}/neutron.initd" "neutron-dhcp-agent"
- newconfd "${FILESDIR}/neutron-dhcp-agent.confd" "neutron-dhcp-agent"
- fi
- if use l3; then
- newinitd "${FILESDIR}/neutron.initd" "neutron-l3-agent"
- newconfd "${FILESDIR}/neutron-l3-agent.confd" "neutron-l3-agent"
- fi
- if use metadata; then
- newinitd "${FILESDIR}/neutron.initd" "neutron-metadata-agent"
- newconfd "${FILESDIR}/neutron-metadata-agent.confd" "neutron-metadata-agent"
- fi
- if use openvswitch; then
- newinitd "${FILESDIR}/neutron.initd" "neutron-openvswitch-agent"
- newconfd "${FILESDIR}/neutron-openvswitch-agent.confd" "neutron-openvswitch-agent"
- newinitd "${FILESDIR}/neutron.initd" "neutron-ovs-cleanup"
- newconfd "${FILESDIR}/neutron-openvswitch-agent.confd" "neutron-ovs-cleanup"
- fi
- if use linuxbridge; then
- newinitd "${FILESDIR}/neutron.initd" "neutron-linuxbridge-agent"
- newconfd "${FILESDIR}/neutron-linuxbridge-agent.confd" "neutron-linuxbridge-agent"
- fi
- diropts -m 755 -o neutron -g neutron
- dodir /var/log/neutron /var/lib/neutron
- keepdir /etc/neutron
- insinto /etc/neutron
- insopts -m 0640 -o neutron -g neutron
-
- doins etc/*
- # stupid renames
- rm "${D}etc/neutron/quantum"
- insinto /etc/neutron
- doins -r "etc/neutron/plugins"
- insopts -m 0640 -o root -g root
- doins "etc/rootwrap.conf"
- doins -r "etc/neutron/rootwrap.d"
-
- insopts -m 0644
- insinto "/usr/lib64/python2.7/site-packages/neutron/db/migration/alembic_migrations/"
- doins -r "neutron/db/migration/alembic_migrations/versions"
-
- #add sudoers definitions for user neutron
- insinto /etc/sudoers.d/
- insopts -m 0440 -o root -g root
- newins "${FILESDIR}/neutron.sudoersd" neutron
-
- #remove superfluous stuff
- rm -R "${D}/usr/etc/"
-}
-
-python_install_all() {
- use doc && local HTML_DOCS=( doc/build/html/. )
- distutils-r1_python_install_all
-}
-
-pkg_postinst() {
- elog
- elog "neutron-server's conf.d file may need updating to include additional ini files"
- elog "We currently assume the ml2 plugin will be used but do not make assumptions"
- elog "on if you will use openvswitch or linuxbridge (or something else)"
- elog
- elog "Other conf.d files may need updating too, but should be good for the default use case"
- elog
-}