The cinder.openstack.common.rootwrap.filters Module

class ChainingFilter(exec_path, run_as, *args)

Bases: cinder.openstack.common.rootwrap.filters.CommandFilter

exec_args(userargs)
class CommandFilter(exec_path, run_as, *args)

Bases: object

Command filter only checking that the 1st argument matches exec_path.

get_command(userargs, exec_dirs=[])

Returns command to execute (with sudo -u if run_as != root).

get_environment(userargs)

Returns specific environment to set, None if none.

get_exec(exec_dirs=[])

Returns existing executable, or empty string if none found.

match(userargs)

Only check that the first argument (command) matches exec_path.

class EnvFilter(exec_path, run_as, *args)

Bases: cinder.openstack.common.rootwrap.filters.CommandFilter

Specific filter for the env utility.

Behaves like CommandFilter, except that it handles leading env A=B.. strings appropriately.

exec_args(userargs)
get_command(userargs, exec_dirs=[])
get_environment(userargs)
match(userargs)
class IpFilter(exec_path, run_as, *args)

Bases: cinder.openstack.common.rootwrap.filters.CommandFilter

Specific filter for the ip utility to that does not match exec.

match(userargs)
class IpNetnsExecFilter(exec_path, run_as, *args)

Bases: cinder.openstack.common.rootwrap.filters.ChainingFilter

Specific filter for the ip utility to that does match exec.

exec_args(userargs)
match(userargs)
class KillFilter(*args)

Bases: cinder.openstack.common.rootwrap.filters.CommandFilter

Specific filter for the kill calls.

1st argument is the user to run /bin/kill under 2nd argument is the location of the affected executable

if the argument is not absolute, it is checked against $PATH

Subsequent arguments list the accepted signals (if any)

This filter relies on /proc to accurately determine affected executable, so it will only work on procfs-capable systems (not OSX).

match(userargs)
class PathFilter(exec_path, run_as, *args)

Bases: cinder.openstack.common.rootwrap.filters.CommandFilter

Command filter checking that path arguments are within given dirs

One can specify the following constraints for command arguments:
  1. pass - pass an argument as is to the resulting command
  2. some_str - check if an argument is equal to the given string
  3. abs path - check if a path argument is within the given base dir
A typical rootwrapper filter entry looks like this:
# cmdname: filter name, raw command, user, arg_i_constraint [, ...] chown: PathFilter, /bin/chown, root, nova, /var/lib/images
get_command(userargs, exec_dirs=[])
match(userargs)
class ReadFileFilter(file_path, *args)

Bases: cinder.openstack.common.rootwrap.filters.CommandFilter

Specific filter for the utils.read_file_as_root call.

match(userargs)
class RegExpFilter(exec_path, run_as, *args)

Bases: cinder.openstack.common.rootwrap.filters.CommandFilter

Command filter doing regexp matching for every argument.

match(userargs)

Previous topic

The cinder.openstack.common.rootwrap.cmd Module

Next topic

The cinder.openstack.common.rootwrap.wrapper Module

This Page