# Command filters to allow privsep daemon to be started via rootwrap.
#
# This file should be owned by (and writeable only by) the root user
[Filters]
# By installing the following, the local admin is asserting that:
#
# 1. The python module load path used by privsep-helper
# command as root (as started by sudo/rootwrap) is trusted.
# 2. Any oslo.config files matching the --config-file
# arguments below are trusted.
# 3. Users allowed to run sudo/rootwrap with this configuration(*) are
# also allowed to invoke python "entrypoint" functions from
# --privsep_context with the additional (possibly root) privileges
# configured for that context.
#
# (*) i.e. the user is allowed by /etc/sudoers to run rootwrap as root
#
# In particular, the oslo.config and python module path must not
# be writeable by the unprivileged user.
# PRIVSEP
# oslo.privsep default neutron context
privsep: PathFilter, privsep-helper, root,
--config-file, /etc/(?!\.\.).*,
--privsep_context, neutron.privileged.default,
--privsep_sock_path, /
# NOTE: A second `--config-file` arg can also be added above, since
# many neutron components are installed like that (e.g. by devstack).
# Adjust to suit local requirements.
# DEBUG
sleep: RegExpFilter, sleep, root, sleep, \d+
# EXECUTE COMMANDS IN A NAMESPACE
ip: IpFilter, ip, root
ip_exec: IpNetnsExecFilter, ip, root
# METADATA PROXY
haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
haproxy_env: EnvFilter, env, root, PROCESS_TAG=, haproxy, -f, .*
# DHCP
dnsmasq: CommandFilter, dnsmasq, root
dnsmasq_env: EnvFilter, env, root, PROCESS_TAG=, dnsmasq
# DIBBLER
dibbler-client: CommandFilter, dibbler-client, root
dibbler-client_env: EnvFilter, env, root, PROCESS_TAG=, dibbler-client
# L3
radvd: CommandFilter, radvd, root
radvd_env: EnvFilter, env, root, PROCESS_TAG=, radvd
keepalived: CommandFilter, keepalived, root
keepalived_env: EnvFilter, env, root, PROCESS_TAG=, keepalived
keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
keepalived_state_change_env: EnvFilter, env, root, PROCESS_TAG=, neutron-keepalived-state-change
# OPEN VSWITCH
ovs-ofctl: CommandFilter, ovs-ofctl, root
ovsdb-client: CommandFilter, ovsdb-client, root