85a4c86455
- ci-Don-t-change-permissions-of-netrules-target-2076.patch [bz#2182947] - ci-Make-user-vendor-data-sensitive-and-remove-log-permi.patch [bz#2190081] - Resolves: bz#2182947 (Request to backport "Don't change permissions of netrules target (#2076)") - Resolves: bz#2190081 (CVE-2023-1786 cloud-init: sensitive data could be exposed in logs [rhel-8])
From 285d8d8005db06ea86afc042bc2eec07bf3c6fab Mon Sep 17 00:00:00 2001
|
|
From: James Falcon <james.falcon@canonical.com>
|
|
Date: Thu, 23 Mar 2023 10:21:56 -0500
|
|
Subject: [PATCH 1/2] Don't change permissions of netrules target (#2076)
|
|
|
|
RH-Author: Ani Sinha <None>
|
|
RH-MergeRequest: 98: Don't change permissions of netrules target (#2076)
|
|
RH-Bugzilla: 2182947
|
|
RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
|
RH-Acked-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
|
RH-Commit: [1/1] 37fa74519da67b383de87b41108561b09d7b9210 (anisinha/rhel-cloud-init)
|
|
|
|
Set permissions if file doesn't exist. Leave them if it does.
|
|
|
|
LP: #2011783
|
|
|
|
Co-authored-by: Chad Smith <chad.smith@canonical.com>
|
|
(cherry picked from commit 56c88cafd1b3606e814069a79f4ec265fc427c87)
|
|
Signed-off-by: Ani Sinha <anisinha@redhat.com>
|
|
---
|
|
cloudinit/net/eni.py | 4 +++-
|
|
cloudinit/net/sysconfig.py | 7 ++++++-
|
|
tests/unittests/distros/test_netconfig.py | 20 ++++++++++++++++++--
|
|
3 files changed, 27 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/cloudinit/net/eni.py b/cloudinit/net/eni.py
|
|
index 53bd35ca..1de3bec2 100644
|
|
--- a/cloudinit/net/eni.py
|
|
+++ b/cloudinit/net/eni.py
|
|
@@ -576,7 +576,9 @@ class Renderer(renderer.Renderer):
|
|
netrules = subp.target_path(target, self.netrules_path)
|
|
util.ensure_dir(os.path.dirname(netrules))
|
|
util.write_file(
|
|
- netrules, self._render_persistent_net(network_state)
|
|
+ netrules,
|
|
+ content=self._render_persistent_net(network_state),
|
|
+ preserve_mode=True,
|
|
)
|
|
|
|
|
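Review bot: The eni call now passes `preserve_mode=True` but no `mode=`, so a freshly created netrules file gets whatever default `util.write_file` applies, while the sysconfig hunk in this same commit passes `mode=file_mode` explicitly. The new test never exercises the fresh-file case for the rules path (its only new case pre-creates the file at 0o660), so that default is not pinned anywhere in this commit; adding `mode=0o644,` next to `preserve_mode=True,` would make the two renderers consistent and the intent visible. A one-line comment above `util.write_file(` would also help: `# An existing rules file keeps its permissions; mode only applies on creation (LP: #2011783)`. The enclosing method starts before this hunk.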
|
diff --git a/cloudinit/net/sysconfig.py b/cloudinit/net/sysconfig.py
|
|
index db084e07..da6d11b3 100644
|
|
--- a/cloudinit/net/sysconfig.py
|
|
+++ b/cloudinit/net/sysconfig.py
|
|
@@ -1033,7 +1033,12 @@ class Renderer(renderer.Renderer):
|
|
if self.netrules_path:
|
|
netrules_content = self._render_persistent_net(network_state)
|
|
netrules_path = subp.target_path(target, self.netrules_path)
|
|
- util.write_file(netrules_path, netrules_content, file_mode)
|
|
+ util.write_file(
|
|
+ netrules_path,
|
|
+ content=netrules_content,
|
|
+ mode=file_mode,
|
|
+ preserve_mode=True,
|
|
+ )
|
|
if available_nm(target=target):
|
|
enable_ifcfg_rh(subp.target_path(target, path=NM_CFG_FILE))
|
|
|
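Review bot: With `preserve_mode=True`, the `mode=file_mode` argument passed on the line above only takes effect when `netrules_path` does not exist yet; an existing file keeps its current permissions even when they are more permissive than `file_mode`, and nothing here reports that. That is the behaviour the commit intends, but it is not obvious from the call itself, so add `# preserve_mode: an existing rules file keeps its mode; file_mode is only used when the file is created (LP: #2011783)` above `util.write_file(`. The enclosing method starts before this hunk and continues after it.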
|
diff --git a/tests/unittests/distros/test_netconfig.py b/tests/unittests/distros/test_netconfig.py
|
|
index e9fb0591..b1c89ce3 100644
|
|
--- a/tests/unittests/distros/test_netconfig.py
|
|
+++ b/tests/unittests/distros/test_netconfig.py
|
|
@@ -458,8 +458,16 @@ class TestNetCfgDistroUbuntuEni(TestNetCfgDistroBase):
|
|
def eni_path(self):
|
|
return "/etc/network/interfaces.d/50-cloud-init.cfg"
|
|
|
|
+ def rules_path(self):
|
|
+ return "/etc/udev/rules.d/70-persistent-net.rules"
|
|
+
|
|
def _apply_and_verify_eni(
|
|
- self, apply_fn, config, expected_cfgs=None, bringup=False
|
|
+ self,
|
|
+ apply_fn,
|
|
+ config,
|
|
+ expected_cfgs=None,
|
|
+ bringup=False,
|
|
+ previous_files=(),
|
|
):
|
|
if not expected_cfgs:
|
|
raise ValueError("expected_cfg must not be None")
|
|
@@ -467,7 +475,11 @@ class TestNetCfgDistroUbuntuEni(TestNetCfgDistroBase):
|
|
tmpd = None
|
|
with mock.patch("cloudinit.net.eni.available") as m_avail:
|
|
m_avail.return_value = True
|
|
+ path_modes = {}
|
|
with self.reRooted(tmpd) as tmpd:
|
|
+ for previous_path, content, mode in previous_files:
|
|
+ util.write_file(previous_path, content, mode=mode)
|
|
+ path_modes[previous_path] = mode
|
|
apply_fn(config, bringup)
|
|
|
|
results = dir2dict(tmpd)
|
|
@@ -478,7 +490,9 @@ class TestNetCfgDistroUbuntuEni(TestNetCfgDistroBase):
|
|
print(results[cfgpath])
|
|
print("----------")
|
|
self.assertEqual(expected, results[cfgpath])
|
|
- self.assertEqual(0o644, get_mode(cfgpath, tmpd))
|
|
+ self.assertEqual(
|
|
+ path_modes.get(cfgpath, 0o644), get_mode(cfgpath, tmpd)
|
|
+ )
|
|
|
|
def test_apply_network_config_and_bringup_filters_priority_eni_ub(self):
|
|
"""Network activator search priority can be overridden from config."""
|
|
@@ -527,11 +541,13 @@ class TestNetCfgDistroUbuntuEni(TestNetCfgDistroBase):
|
|
def test_apply_network_config_eni_ub(self):
|
|
expected_cfgs = {
|
|
self.eni_path(): V1_NET_CFG_OUTPUT,
|
|
+ self.rules_path(): "",
|
|
}
|
|
self._apply_and_verify_eni(
|
|
self.distro.apply_network_config,
|
|
V1_NET_CFG,
|
|
expected_cfgs=expected_cfgs.copy(),
|
|
+ previous_files=((self.rules_path(), "something", 0o660),),
|
|
)
|
|
|
|
def test_apply_network_config_ipv6_ub(self):
|
|
--
|
|
2.37.3
|
|
|