From d84cd550195d30684924b78300bcf3a875d6aa57 Mon Sep 17 00:00:00 2001
From: Jesse Pretorius
Date: Sun, 3 Apr 2016 12:00:48 +0100
Subject: [PATCH] Update paste, policy and rootwrap configurations 2016-04-03

Change-Id: Ib04b0a0d62b5c012db2eab1e64497f2dbfbf2691
---
 files/rootwrap.d/compute.filters | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/files/rootwrap.d/compute.filters b/files/rootwrap.d/compute.filters
index c846b89e..1428c950 100644
--- a/files/rootwrap.d/compute.filters
+++ b/files/rootwrap.d/compute.filters
@@ -214,6 +214,10 @@ drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio
 # Need to pull in os-brick os-brick.filters file instead and clean
 # out stale brick values from this file.
 scsi_id: CommandFilter, /lib/udev/scsi_id, root
+# os_brick.privileged.default oslo.privsep context
+# This line ties the superuser privs with the config files, context name,
+# and (implicitly) the actual python code invoked.
+privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
 # nova/storage/linuxscsi.py: sg_scan device
 sg_scan: CommandFilter, sg_scan, root
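Review bot: The `--config-file` pattern `/etc/(?!\.\.).*` on the added privsep-rootwrap line rejects `..` only when it comes directly after `/etc/`, so a path with a traversal segment further in still matches and can resolve outside /etc; the `/tmp/.*` pattern for `--privsep_sock_path` has no such guard at all. Going by the added comment, this filter is what ties root privileges to the config file and the Python code invoked, so the lookahead should cover the whole remainder of the path, e.g. `--config-file, /etc/(?!.*\.\.).*` and `--privsep_sock_path, /tmp/(?!.*\.\.).*`. This assumes RegExpFilter matches each pattern against the full argument, which the hunk does not show. The comment above the line could also state the constraint explicitly, for example `# --config-file must resolve under /etc and the socket path under /tmp; no '..' segments`.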