commit ebb0c5403b347ae1a841f578971ed1a3e3b6de53
Author: Kevin Benton <email address hidden>
Date: Tue Aug 25 22:03:27 2015 -0700
Stop device_owner from being set to 'network:*'
This patch adjusts the FieldCheck class in the policy engine to
allow a regex rule. It then leverages that to prevent users from
setting the device_owner field to anything that starts with
'network:' on networks which they do not own.
This policy adjustment is necessary because any ports with a
device_owner that starts with 'network:' will not have any security
group rules applied because it is assumed they are trusted network
devices (e.g. router ports, DHCP ports, etc). These security rules
include the anti-spoofing protection for DHCP, IPv6 ICMP messages,
and IP headers.
Without this policy adjustment, tenants can abuse this trust when
connected to a shared network with other tenants by setting their
VM port's device_owner field to 'network:<anything>' and hijack other
tenants' traffic via DHCP spoofing or MAC/IP spoofing.
Reviewed: https:/ /review. openstack. org/221345 /git.openstack. org/cgit/ openstack/ neutron/ commit/ ?id=ebb0c5403b3 47ae1a841f57897 1ed1a3e3b6de53
Committed: https:/
Submitter: Jenkins
Branch: stable/juno
commit ebb0c5403b347ae 1a841f578971ed1 a3e3b6de53
Author: Kevin Benton <email address hidden>
Date: Tue Aug 25 22:03:27 2015 -0700
Stop device_owner from being set to 'network:*'
This patch adjusts the FieldCheck class in the policy engine to
allow a regex rule. It then leverages that to prevent users from
setting the device_owner field to anything that starts with
'network:' on networks which they do not own.
This policy adjustment is necessary because any ports with a
device_owner that starts with 'network:' will not have any security
group rules applied because it is assumed they are trusted network
devices (e.g. router ports, DHCP ports, etc). These security rules
include the anti-spoofing protection for DHCP, IPv6 ICMP messages,
and IP headers.
Without this policy adjustment, tenants can abuse this trust when <anything> ' and hijack other
connected to a shared network with other tenants by setting their
VM port's device_owner field to 'network:
tenants' traffic via DHCP spoofing or MAC/IP spoofing.
Conflicts: policy. json api/v2/ attributes. py tests/etc/ policy. json tests/unit/ test_policy. py
etc/
neutron/
neutron/
neutron/
Closes-Bug: #1489111 be44b5b0ed72c8e 00792d770f9 9381ea9ffb55090 da6fb9c78f)
Change-Id: Ia64cf16142e0e4
(cherry picked from commit 959a2f28cbbfc30