Merge "Add os-brick rootwrap filter for privsep"

2016-03-01 12:41:27 +00:00 · 2016-03-01 12:41:27 +00:00 · 17d3667b76
commit 17d3667b76
parent 34d3cbc210 88dc41d9de
1 changed files with 7 additions and 3 deletions
--- a/etc/cinder/rootwrap.d/volume.filters
+++ b/etc/cinder/rootwrap.d/volume.filters
@ -23,9 +23,13 @@ lvs_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvs
 lvdisplay_lvmconf: EnvFilter, env, root, LVM_SYSTEM_DIR=, LC_ALL=C, lvdisplay

 # os-brick library commands
-# TODO(smcginnis) This is a temporary fix. Need to pull in os-brick
-# os-brick.filters file instead and clean out stale brick values from
-# this file.
+# os_brick.privileged.run_as_root oslo.privsep context
+# This line ties the superuser privs with the config files, context name,
+# and (implicitly) the actual python code invoked.
+privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
+# The following and any cinder/brick/* entries should all be obsoleted
+# by privsep, and may be removed once the os-brick version requirement
+# is updated appropriately.
 scsi_id: CommandFilter, /lib/udev/scsi_id, root
 drbdadm: CommandFilter, drbdadm, root