Privsep configuration for neutron-fwaas

This patch adds fwaas-privsep.filters to FWaaS repository to be
easier to maintain. It also helps avoid making Neutron be inversely
depended on FWaaS when perform privsep configuration as in
https://review.openstack.org/#/c/392014/.

Change-Id: I71308130fbcc861a167371339c89a47410b8d09a

devstack/plugin.sh

@@ -55,6 +55,8 @@ function init_fwaas() {
         mkdir /etc/neutron/policy.d
     fi
     cp $DEST/neutron-fwaas/etc/neutron/policy.d/neutron-fwaas.json /etc/neutron/policy.d/neutron-fwaas.json
+    # Using sudo to gain the root privilege to be able to copy file to rootwrap.d
+    sudo cp $DEST/neutron-fwaas/etc/neutron/rootwrap.d/fwaas-privsep.filters /etc/neutron/rootwrap.d/fwaas-privsep.filters
 }
 
 function shutdown_fwaas() {

etc/neutron/rootwrap.d/fwaas-privsep.filters

@@ -0,0 +1,7 @@
+# neutron-fwaas privsep filters
+
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+
+privsep-rootwrap: PathFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, neutron_fwaas.privileged.default

setup.cfg

@@ -23,6 +23,10 @@ classifier =
 packages =
     neutron_fwaas
 
+data_files =
+    etc/neutron/rootwrap.d =
+        etc/neutron/rootwrap.d/fwaas-privsep.filters
+
 [global]
 setup-hooks =
     pbr.hooks.setup_hook