DHCP sandboxing failing on noexec mounted /var/tmp (#521)

* DHCP sandboxing failing on noexec mounted /var/tmp

If /var/tmp is mounted with noexec option the DHCP sandboxing will fail
with Permission Denied. This patch simply avoids this error by checking
the exec permission updating the dhcp path in negative case.

rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1857309

Signed-off-by: Eduardo Otubo <otubo@redhat.com>

* Replacing with os.* calls

* Adding test and removing isfile() useless call.

Co-authored-by: Rick Harding <rharding@mitechie.com>

1 files changed, 6 insertions, 0 deletions

diff --git a/cloudinit/net/dhcp.py b/cloudinit/net/dhcp.py
index d1d1255e..9230cf7a 100644
--- a/cloudinit/net/dhcp.py
+++ b/cloudinit/net/dhcp.py
@@ -220,6 +220,12 @@ def dhcp_discovery(dhclient_cmd_path, interface, cleandir, dhcp_log_func=None):
     pid_file = os.path.join(cleandir, 'dhclient.pid')
     lease_file = os.path.join(cleandir, 'dhcp.leases')
 
+    # In some cases files in /var/tmp may not be executable, launching dhclient
+    # from there will certainly raise 'Permission denied' error. Try launching
+    # the original dhclient instead.
+    if not os.access(sandbox_dhclient_cmd, os.X_OK):
+        sandbox_dhclient_cmd = dhclient_cmd_path
+
     # ISC dhclient needs the interface up to send initial discovery packets.
     # Generally dhclient relies on dhclient-script PREINIT action to bring the
     # link up before attempting discovery. Since we are using -sf /bin/true,