diff --git a/bin/nova-rootwrap b/bin/nova-rootwrap
index 80bb55ca88c0..0434aed3a59c 100755
--- a/bin/nova-rootwrap
+++ b/bin/nova-rootwrap
@@ -65,7 +65,8 @@ if __name__ == '__main__':
 obj = subprocess.Popen(filtermatch.get_command(userargs),
 stdin=sys.stdin,
 stdout=sys.stdout,
- stderr=sys.stderr)
+ stderr=sys.stderr,
+ env=filtermatch.get_environment(userargs))
 sys.exit(obj.returncode)
 print "Unauthorized command: %s" % ' '.join(userargs)
diff --git a/nova/rootwrap/filters.py b/nova/rootwrap/filters.py
index 2932c5e1a81f..ab43f8f2b74d 100755
--- a/nova/rootwrap/filters.py
+++ b/nova/rootwrap/filters.py
@@ -41,6 +41,10 @@ class CommandFilter(object):
 return ['sudo', '-u', self.run_as, self.exec_path] + userargs[1:]
 return [self.exec_path] + userargs[1:]
+ def get_environment(self, userargs):
+ """Returns specific environment to set, None if none"""
+ return None
+
 class RegExpFilter(CommandFilter):
 """Command filter doing regexp matching for every argument"""
@@ -77,4 +81,10 @@ class DnsmasqFilter(CommandFilter):
 return False
 def get_command(self, userargs):
- return userargs[0:2] + [self.exec_path] + userargs[3:]
+ return [self.exec_path] + userargs[3:]
+
+ def get_environment(self, userargs):
+ env = os.environ.copy()
+ env['FLAGFILE'] = userargs[0].split('=')[-1]
+ env['NETWORK_ID'] = userargs[1].split('=')[-1]
+ return env
diff --git a/nova/tests/test_nova_rootwrap.py b/nova/tests/test_nova_rootwrap.py
index c9a6962baf0f..a38013016c5b 100644
--- a/nova/tests/test_nova_rootwrap.py
+++ b/nova/tests/test_nova_rootwrap.py
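Review bot: In the `__main__` block of bin/nova-rootwrap, `sys.exit(obj.returncode)` comes directly after the `subprocess.Popen(...)` call, with no `wait()` or `communicate()` between them, so `returncode` is still `None` at that point and the wrapper exits 0 whatever the privileged command did. A caller cannot then tell a failed root command from a successful one. `sys.exit(obj.wait())` would propagate the real exit status, and the commit already touches this call so it is a natural place to fix it.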
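Review bot: The docstring on `CommandFilter.get_environment` does not say what `None` means to the caller. The return value is passed straight to `subprocess.Popen(env=...)` in bin/nova-rootwrap, where `None` makes the child inherit the wrapper's whole environment rather than run with an empty one. I would spell that out, e.g. `"""Return the environment dict for the command, or None to inherit the caller's environment."""`, so that authors of new filters know a restricted environment requires returning an explicit dict.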
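Review bot: `DnsmasqFilter.get_environment` takes whatever follows the last `=` in `userargs[0]` and `userargs[1]` without looking at the variable name, so what ends up in `FLAGFILE` and `NETWORK_ID` for a process started by the root wrapper depends entirely on `match()`, of which only the final `return False` is inside this hunk. If `match()` does not already require the `FLAGFILE=` and `NETWORK_ID=` prefixes, that check belongs there; in this function `userargs[0].split('=', 1)[-1]` (and the same for `userargs[1]`) would keep a value that itself contains `=` intact instead of truncating it. The method also hands the command a full copy of `os.environ`, so a comment stating why the whole inherited environment is wanted, or building the dict from only the variables dnsmasq needs, would make the intent reviewable. The diff adds no `import os` to filters.py, so presumably the module already imports it.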
@@ -52,11 +52,13 @@ class RootwrapTestCase(test.TestCase):
 self.assertTrue(filtermatch is None)
 def test_DnsmasqFilter(self):
- usercmd = ['FLAGFILE=A', 'NETWORK_ID="foo bar"', 'dnsmasq', 'foo']
+ usercmd = ['FLAGFILE=A', 'NETWORK_ID=foobar', 'dnsmasq', 'foo']
 f = filters.DnsmasqFilter("/usr/bin/dnsmasq", "root")
 self.assertTrue(f.match(usercmd))
- self.assertEqual(f.get_command(usercmd),
- ['FLAGFILE=A', 'NETWORK_ID="foo bar"', '/usr/bin/dnsmasq', 'foo'])
+ self.assertEqual(f.get_command(usercmd), ['/usr/bin/dnsmasq', 'foo'])
+ env = f.get_environment(usercmd)
+ self.assertEqual(env.get('FLAGFILE'), 'A')
+ self.assertEqual(env.get('NETWORK_ID'), 'foobar')
 def test_skips(self):
 # Check that all filters are skipped and that the last matches
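Review bot: `test_DnsmasqFilter` now covers only the well-formed case: the earlier `NETWORK_ID="foo bar"` value is replaced by `foobar`, and nothing pins what the filter does with a first argument that is not `FLAGFILE=...` or with a value that contains `=`. A negative case such as `self.assertFalse(f.match(['BADVAR=A', 'NETWORK_ID=foobar', 'dnsmasq', 'foo']))` would document what is rejected before the environment is built; whether it passes today depends on `match()`, which is not shown in this diff. An assertion that a plain `CommandFilter` returns `None` from `get_environment` would cover the new default too.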