From f9a750fcaf82afc2f610ad4742c4778da660aac9 Mon Sep 17 00:00:00 2001 From: Adrian Chiris Date: Mon, 23 Sep 2019 13:36:40 +0300 Subject: [PATCH] Prevent providing privsep-helper paths outside /etc This commit aligns privsep filters with other projects e.g nova[1], cinder[2] to prevent a malicious user from invoking privsep-helper with an arbitrary configuration file in case it took control over an unprivileged neutron process. [1]https://github.com/openstack/nova/blob/4f261f98e19d28fa29ff6a4d62a6a3a8a4114575/etc/nova/rootwrap.d/compute.filters#L23 [2]https://github.com/openstack/cinder/blob/f5feb87ab8ee88a368be41557ba702a0c7816e47/etc/cinder/rootwrap.d/volume.filters#L41 Change-Id: I0b4e8cdee0cbbc46547599e176efb4420ee1b318 --- etc/neutron/rootwrap.d/privsep.filters | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/neutron/rootwrap.d/privsep.filters b/etc/neutron/rootwrap.d/privsep.filters index d9a322a5341..3e7d30b085d 100644 --- a/etc/neutron/rootwrap.d/privsep.filters +++ b/etc/neutron/rootwrap.d/privsep.filters @@ -22,7 +22,7 @@ # oslo.privsep default neutron context privsep: PathFilter, privsep-helper, root, - --config-file, /etc, + --config-file, /etc/(?!\.\.).*, --privsep_context, neutron.privileged.default, --privsep_sock_path, /
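Review bot: the new constraint `--config-file, /etc/(?!\.\.).*` in the `privsep` hunk is regular-expression syntax, but this entry is a `PathFilter`, not a `RegExpFilter`. `PathFilter` treats an absolute argument in the filter line as a directory prefix and checks it with a realpath-plus-common-prefix comparison; it does not compile the argument as a regex. The nova and cinder entries cited in the commit message ([1], [2]) use `RegExpFilter`, where `/etc/(?!\.\.).*` is meaningful. As written, the literal string `/etc/(?!\.\.).*` would be compared against the realpath of the actual `--config-file` value, so no real configuration path would match and every `privsep-helper` launch through rootwrap would be rejected. Two ways to fix it: (a) keep `PathFilter` and tighten the prefix to `/etc/` (realpath already normalises `..`, and the trailing slash stops sibling prefixes such as `/etcX` from matching), or (b) switch the entry to `RegExpFilter` and reproduce the full argument list the referenced nova/cinder lines use, including the leading `privsep-helper` argv[0] and an explicit pattern for `--privsep_sock_path` instead of the bare `/`. If (b) is chosen, note that `(?!\.\.)` only rejects a `..` immediately after `/etc/`; a value such as `/etc/neutron/../../tmp/x.conf` still passes the regex, so realpath-based checking remains the stronger option for the config-file argument.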