From c8ca10e6a9c6fcb6e5ba54646f1daf38ac962fe0 Mon Sep 17 00:00:00 2001
From: git
Date: Fri, 8 May 2020 10:43:04 -0400
Subject: [PATCH] Lockdown /bin/ip permissions for the monasca-agent

This patch adds addtional arguments to the sudoers entry for the /bin/ip command. It restricts access to only 'ip netns exec'.

Change-Id: Ie80c8fbdc851cbace8c82f8c47f490898f5c4d6e
---
 openstack/monasca-agent/openstack-monasca-agent.sudoers | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openstack/monasca-agent/openstack-monasca-agent.sudoers b/openstack/monasca-agent/openstack-monasca-agent.sudoers
index 80e014004..643c59aee 100644
--- a/openstack/monasca-agent/openstack-monasca-agent.sudoers
+++ b/openstack/monasca-agent/openstack-monasca-agent.sudoers
@@ -1,4 +1,4 @@
 # Needed for monasca_agent.collector.checks_d.swift_diags
-monasca-agent ALL = (root) NOPASSWD:/usr/local/bin/diagnostics,/usr/local/bin/swift-checker,/bin/ip,/usr/bin/ovs-vsctl
+monasca-agent ALL = (root) NOPASSWD:/usr/local/bin/diagnostics,/usr/local/bin/swift-checker,/bin/ip netns exec qrouter-[! ][! ][! ][! ][! ][! ][! ][! ]-[! ][! ][! ][! ]-[! ][! ][! ][! ]-[! ][! ][! ][! ]-[! ][! ][! ][! ][! ][! ][! ][! ][! ][! ][! ][! ] /bin/ping *,/usr/bin/ovs-vsctl
 # Needed for monasca_agent.collector.checks_d.postfix
 monasca-agent ALL = (root) NOPASSWD:NOEXEC:/usr/bin/find
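Review bot: The trailing `*` after `/bin/ping` in the added rule matches across whitespace in sudoers argument matching, so the entry still grants every ping option as root inside the namespace rather than only a target host; if the collector check always invokes ping with a fixed set of flags, spelling those flags out in the rule and leaving only the destination as a wildcard would narrow the grant further. The `[! ]` classes admit any non-space character, so the namespace pattern could likewise be tightened to `[0-9a-f]` per position if qrouter namespace names are always lowercase hex UUIDs, which the 8-4-4-4-12 shape suggests but the hunk does not confirm. The header comment `# Needed for monasca_agent.collector.checks_d.swift_diags` now sits above a rule whose `ip netns exec ... /bin/ping` part presumably serves a different check; a comment such as `# /bin/ip netns exec qrouter-<uuid> /bin/ping: used by <CHECK_NAME placeholder> to reach hosts from router namespaces` would record why the narrowed form was chosen.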