From 18129874cdc745b05b35d61b1c1979566453ca13 Mon Sep 17 00:00:00 2001
From: Angus Lees
Date: Tue, 9 Feb 2016 13:49:03 +1100
Subject: [PATCH] Add os-brick rootwrap filter for privsep
This change adds the command required to start the os-brick privsep privileged helper process. This should be the last "routine" merge to rootwrap filters from os-brick, since os-brick privileged operations will now go through the privsep mechanism. The now-obsolete os-brick rootwrap entries will be removed in a followup change that also bumps the os-brick minimum version appropriately.
Change-Id: I4e333e73ddfd45c045b9d32dac1506fc25858c4d
---
 etc/nova/rootwrap.d/compute.filters | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters
index c846b89ecda9..1428c950cb2e 100644
--- a/etc/nova/rootwrap.d/compute.filters
+++ b/etc/nova/rootwrap.d/compute.filters
@@ -214,6 +214,10 @@ drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio
 # Need to pull in os-brick os-brick.filters file instead and clean
 # out stale brick values from this file.
 scsi_id: CommandFilter, /lib/udev/scsi_id, root
+# os_brick.privileged.default oslo.privsep context
+# This line ties the superuser privs with the config files, context name,
+# and (implicitly) the actual python code invoked.
+privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
 # nova/storage/linuxscsi.py: sg_scan device
 sg_scan: CommandFilter, sg_scan, root
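Review bot: The `--config-file` pattern in the added `privsep-rootwrap` line, `/etc/(?!\.\.).*`, only rejects a `..` segment that sits immediately after `/etc/`; because the trailing `.*` is unconstrained, a path whose traversal appears later in the string would still satisfy the filter, so this check does not by itself confine the helper's config to `/etc`. Assuming RegExpFilter anchors each argument pattern end-to-end (hedged — confirm against the oslo.rootwrap version in use), a pattern that forbids `..` anywhere, e.g. `/etc/(?!.*\.\.).*`, or better an explicit `/etc/nova/[^/]+\.conf`-style whitelist, would make the comment's claim that the line "ties the superuser privs with the config files" actually hold. The `--privsep_sock_path` pattern `/tmp/.*` likewise admits any path under a world-writable directory; if the socket directory is fixed by the privsep caller, narrowing it to that directory (and documenting the expectation in the comment above the filter) would be worth doing before the obsolete os-brick entries are dropped in the follow-up. The rest of the file is outside this hunk.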