Add missing filters for new root commands

Add missing rootwrap filters for 'ovs-ofctl', 'cp' and 'mkfs'. Do not run 'rm' as root since it's unnecessary. Add documentation to try to prevent future misses. Fixes bug 943293. Change-Id: Ia680048a28a75f661a136d8447ff0aaf195649ba
2012-02-29 16:22:42 +01:00
parent 71dc7fa6a9
commit 0ecb9958a4
2 changed files with 12 additions and 0 deletions
--- a/nova/rootwrap/compute.py
+++ b/nova/rootwrap/compute.py
@@ -73,6 +73,9 @@ filterlist = [
    # nova/virt/disk/api.py: 'chmod', 755, netdir
    filters.CommandFilter("/bin/chmod", "root"),

+    # nova/virt/disk/api.py: 'cp', os.path.join(fs...
+    filters.CommandFilter("/bin/cp", "root"),
+
    # nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
    # nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
    # nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
@@ -102,6 +105,9 @@ filterlist = [
    # nova/network/linux_net.py: 'ovs-vsctl', ....
    filters.CommandFilter("/usr/bin/ovs-vsctl", "root"),

+    # nova/network/linux_net.py: 'ovs-ofctl', ....
+    filters.CommandFilter("/usr/bin/ovs-ofctl", "root"),
+
    # nova/virt/libvirt/connection.py: 'dd', "if=%s" % virsh_output, ...
    filters.CommandFilter("/bin/dd", "root"),

@@ -169,6 +175,9 @@ filterlist = [
    # nova/virt/xenapi/vm_utils.py: 'mkswap'
    filters.CommandFilter("/sbin/mkswap", "root"),

+    # nova/virt/xenapi/vm_utils.py: 'mkfs'
+    filters.CommandFilter("/sbin/mkfs", "root"),
+
    # nova/virt/libvirt/connection.py:
    filters.ReadFileFilter("/etc/iscsi/initiatorname.iscsi"),
    ]
--- a/nova/rootwrap/network.py
+++ b/nova/rootwrap/network.py
@@ -83,4 +83,7 @@ filterlist = [

    # nova/network/linux_net.py: 'ovs-vsctl', ....
    filters.CommandFilter("/usr/bin/ovs-vsctl", "root"),
+
+    # nova/network/linux_net.py: 'ovs-ofctl', ....
+    filters.CommandFilter("/usr/bin/ovs-ofctl", "root"),
    ]