From 88dc41d9dec31ce22cf7fa210519ed646002fe74 Mon Sep 17 00:00:00 2001 From: Angus Lees Date: Mon, 15 Feb 2016 10:50:31 +1100 Subject: [PATCH] Add os-brick rootwrap filter for privsep This change adds the command required to start the os-brick privsep privileged helper process. This should be the last "routine" merge to rootwrap filters from os-brick, since os-brick privileged operations will now go through the privsep mechanism. The now-obsolete os-brick rootwrap entries will be removed in a followup change that also bumps the os-brick minimum version appropriately. Change-Id: I3b2e337321875cf4abc0ab9b44fe17cf9327d88b --- etc/cinder/rootwrap.d/volume.filters | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/etc/cinder/rootwrap.d/volume.filters b/etc/cinder/rootwrap.d/volume.filters index ceee5c87a..279713972 100644 --- a/etc/cinder/rootwrap.d/volume.filters +++ b/etc/cinder/rootwrap.d/volume.filters @@ -23,9 +23,13 @@ lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvs lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay # os-brick library commands -# TODO(smcginnis) This is a temporary fix. Need to pull in os-brick -# os-brick.filters file instead and clean out stale brick values from -# this file. +# os_brick.privileged.run_as_root oslo.privsep context +# This line ties the superuser privs with the config files, context name, +# and (implicitly) the actual python code invoked. +privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.* +# The following and any cinder/brick/* entries should all be obsoleted +# by privsep, and may be removed once the os-brick version requirement +# is updated appropriately. scsi_id: CommandFilter, /lib/udev/scsi_id, root drbdadm: CommandFilter, drbdadm, root
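Review bot: the negative lookahead in the new `privsep-rootwrap` line, `--config-file, /etc/(?!\.\.).*`, only rejects `..` when it appears immediately after `/etc/`; a `..` in any later path component still matches, so the filter does not actually confine `--config-file` to files under /etc. Consider rejecting `..` anywhere in the argument (e.g. `/etc/(?!.*\.\.).*`) or anchoring to the specific config paths cinder expects. Similarly, `--privsep_sock_path, /tmp/.*` accepts any path under /tmp; if the helper always places its socket in a known directory, narrow the pattern to that directory rather than the whole of /tmp. The rest of the hunk is consistent with the commit message: the TODO is replaced by a comment explaining that the remaining os-brick and cinder/brick/* entries are to be removed once the os-brick minimum version is bumped, matching the promised follow-up change.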