From 71f8d0f3df3728c68bb71e97172bc32ddd8debc7 Mon Sep 17 00:00:00 2001
From: "Chaozhe.Chen"
Date: Wed, 24 Feb 2016 01:35:04 +0800
Subject: [PATCH] Add /usr/local/{sbin,bin} to rootwrap exec_dirs
Nova [1], Neutron [2,3] and Cinder's [4] rootwrap exec dirs include /usr/local/{sbin,bin} which are a standardised locations for admins to install non-distro executables, and these executables are no less "trustworthy" than /usr/bin and friends. See Neutron and Cinder's rootwrap.conf (and probably others), and typical distro default values for sudoers/secure_path for extremely similar precedents that all include /usr/local/*bin. Brief discussion of doing this via devstack available at [5]. Also, remove absolute paths from existing filters to make this fix useful.
[1] I6a0a4b7f952193ce0f4ed2594613188854d36bf1
[2] Ib3646933744ca6b20ecd5ad0cedcedb4f1fa5f12
[3] Id7aebb50e60b1cc64c113be63c599387be5f1765
[4] I577e10df25181c7d4ca8189b10640a8e6e39b047
[5] I710cf142b834381c00e651cfc062299ae755c33f
Change-Id: Ie7177778a247a687ced846bb11030cb72344c93f
Closes-Bug: #1551956
---
 etc/manila/rootwrap.conf | 2 +-
 etc/manila/rootwrap.d/share.filters | 34 ++++++++++++++----------------
 2 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/etc/manila/rootwrap.conf b/etc/manila/rootwrap.conf
index c2d5dc495c..38e5bd6b9f 100644
--- a/etc/manila/rootwrap.conf
+++ b/etc/manila/rootwrap.conf
@@ -10,7 +10,7 @@ filters_path=/etc/manila/rootwrap.d,/usr/share/manila/rootwrap
 # explicitely specify a full path (separated by ',')
 # If not specified, defaults to system PATH environment variable.
 # These directories MUST all be only writeable by root !
-exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/lpp/mmfs/bin
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/sbin,/usr/local/bin,/usr/lpp/mmfs/bin
 # Enable logging to syslog
 # Default value is False
diff --git a/etc/manila/rootwrap.d/share.filters b/etc/manila/rootwrap.d/share.filters
index 3b08331750..d9ca03cb1e 100644
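Review bot: The new `/usr/local/sbin,/usr/local/bin` entries in `exec_dirs` depend on the invariant stated in the context line just above them (`# These directories MUST all be only writeable by root !`), and that invariant is much weaker for /usr/local than for the distro directories: Debian-derived systems ship /usr/local/{sbin,bin} as setgid group-`staff`-writable, and on other hosts they are the directories most often loosened by hand for local installs. The sudoers `secure_path` precedent cited in the commit message is not equivalent, because sudo only runs what an already-authorized user asked for, whereas rootwrap runs commands chosen by the unprivileged manila service account, so a writable search directory here is a direct path from that account to root. Suggest extending the comment next to the new value, e.g. `# /usr/local/{sbin,bin} are searched too; operators must keep them root-owned and not group/world-writable (Debian ships them group-staff-writable).`, and recording that ownership check in the deployment docs or a devstack sanity check rather than only in the commit message.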
--- a/etc/manila/rootwrap.d/share.filters
+++ b/etc/manila/rootwrap.d/share.filters
@@ -8,17 +8,17 @@ chown: CommandFilter, chown, root
 cat: CommandFilter, cat, root
 # manila/share/drivers/lvm.py: 'mkfs.ext4', '/dev/mapper/%s'
-mkfs.ext4: CommandFilter, /sbin/mkfs.ext4, root
+mkfs.ext4: CommandFilter, mkfs.ext4, root
 # manila/share/drivers/lvm.py: 'mkfs.ext3', '/dev/mapper/%s'
-mkfs.ext3: CommandFilter, /sbin/mkfs.ext3, root
+mkfs.ext3: CommandFilter, mkfs.ext3, root
 # manila/share/drivers/lvm.py: 'smbd', '-s', '%s', '-D'
-smbd: CommandFilter, /usr/sbin/smbd, root
-smb: CommandFilter, /usr/sbin/smb, root
+smbd: CommandFilter, smbd, root
+smb: CommandFilter, smb, root
 # manila/share/drivers/lvm.py: 'rmdir', '%s'
-rmdir: CommandFilter, /bin/rmdir, root
+rmdir: CommandFilter, rmdir, root
 # manila/share/drivers/lvm.py: 'dd' 'count=0', 'if=%s' % srcstr, 'of=%s'
 dd: CommandFilter, dd, root
@@ -30,13 +30,13 @@ fsck: CommandFilter, fsck, root
 resize2fs: CommandFilter, resize2fs, root
 # manila/share/drivers/helpers.py: 'smbcontrol', 'all', 'close-share', '%s'
-smbcontrol: CommandFilter, /usr/bin/smbcontrol, root
+smbcontrol: CommandFilter, smbcontrol, root
 # manila/share/drivers/helpers.py: 'net', 'conf', 'addshare', '%s', '%s', 'writeable=y', 'guest_ok=y
 # manila/share/drivers/helpers.py: 'net', 'conf', 'delshare', '%s'
 # manila/share/drivers/helpers.py: 'net', 'conf', 'setparm', '%s', '%s', '%s'
 # manila/share/drivers/helpers.py: 'net', 'conf', 'getparm', '%s', 'hosts allow'
-net: CommandFilter, /usr/bin/net, root
+net: CommandFilter, net, root
 # manila/share/drivers/lvm.py: 'lvremove', '-f', "%s/%s
 lvremove: CommandFilter, lvremove, root
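Review bot: Dropping the absolute paths (`mkfs.ext4`, `mkfs.ext3`, `smbd`, `smb`, `rmdir` in this hunk, and `smbcontrol` and `net` in the `@@ -30,13 +30,13 @@` hunk) turns each of these filters from "run exactly this file" into "run the first same-named file found in `exec_dirs`", so the safety of every entry now rests on all seven listed directories being root-only writable, not just the one that was previously named. That is the contract the other bare-name entries in this file already rely on, so the change is consistent, but nothing in the file records it or the search order (/sbin and /usr/bin are consulted before /usr/local, so a distro binary now wins over a locally installed one). A header comment would make the dependency visible to whoever edits the filters next, e.g. `# Bare command names are resolved through exec_dirs in rootwrap.conf, in order; every directory listed there must be writable by root only.` Separately, the `smb` filter appears to have no matching driver call in the comments above it (only `smbd` is listed), so it may be worth confirming it is still used, since an unused filter is root-executable surface for no benefit.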
@@ -81,23 +81,23 @@ umount: CommandFilter, umount, root
 # GPFS commands
 # manila/share/drivers/ibm/gpfs.py: 'mmgetstate', '-Y'
-mmgetstate: CommandFilter, /usr/lpp/mmfs/bin/mmgetstate, root
+mmgetstate: CommandFilter, mmgetstate, root
 # manila/share/drivers/ibm/gpfs.py: 'mmlsattr', '%s'
-mmlsattr: CommandFilter, /usr/lpp/mmfs/bin/mmlsattr, root
+mmlsattr: CommandFilter, mmlsattr, root
 # manila/share/drivers/ibm/gpfs.py: 'mmcrfileset', '%s', '%s', '--inode-space', 'new'
-mmcrfileset: CommandFilter, /usr/lpp/mmfs/bin/mmcrfileset, root
+mmcrfileset: CommandFilter, mmcrfileset, root
 # manila/share/drivers/ibm/gpfs.py: 'mmlinkfileset', '%s', '%s', '-J', '%s'
-mmlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmlinkfileset, root
+mmlinkfileset: CommandFilter, mmlinkfileset, root
 # manila/share/drivers/ibm/gpfs.py: 'mmsetquota', '-j', '%s', '-h', '%s', '%s'
-mmsetquota: CommandFilter, /usr/lpp/mmfs/bin/mmsetquota, root
+mmsetquota: CommandFilter, mmsetquota, root
 # manila/share/drivers/ibm/gpfs.py: 'mmunlinkfileset', '%s', '%s', '-f'
-mmunlinkfileset: CommandFilter, /usr/lpp/mmfs/bin/mmunlinkfileset, root
+mmunlinkfileset: CommandFilter, mmunlinkfileset, root
 # manila/share/drivers/ibm/gpfs.py: 'mmdelfileset', '%s', '%s', '-f'
-mmdelfileset: CommandFilter, /usr/lpp/mmfs/bin/mmdelfileset, root
+mmdelfileset: CommandFilter, mmdelfileset, root
 # manila/share/drivers/ibm/gpfs.py: 'mmcrsnapshot', '%s', '%s', '-j', '%s'
-mmcrsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmcrsnapshot, root
+mmcrsnapshot: CommandFilter, mmcrsnapshot, root
 # manila/share/drivers/ibm/gpfs.py: 'mmdelsnapshot', '%s', '%s', '-j', '%s'
-mmdelsnapshot: CommandFilter, /usr/lpp/mmfs/bin/mmdelsnapshot, root
+mmdelsnapshot: CommandFilter, mmdelsnapshot, root
 # manila/share/drivers/ibm/gpfs.py: 'rsync', '-rp', '%s', '%s'
 rsync: CommandFilter, rsync, root
 # manila/share/drivers/ibm/gpfs.py: 'exportfs'
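Review bot: The nine `mm*` filters in this hunk were pinned to `/usr/lpp/mmfs/bin`, which is the last entry in `exec_dirs`; with bare names, rootwrap will execute a same-named file from any earlier directory, including the newly added /usr/local/{sbin,bin}, before it ever looks in the GPFS tree. These commands exist only in the GPFS installation, so unless GPFS is deployed somewhere other than /usr/lpp/mmfs/bin on some hosts, the bare names widen the resolution with no functional gain, and keeping the absolute paths for this group (or listing /usr/lpp/mmfs/bin before /usr/local in `exec_dirs`) would preserve the narrower behaviour. If the bare names are kept, the `# GPFS commands` line should say why, e.g. `# Resolved via exec_dirs; /usr/lpp/mmfs/bin is searched last, so no earlier directory may carry a same-named file.`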
@@ -147,7 +147,7 @@ zpool: CommandFilter, zpool, root
 zfs: CommandFilter, zfs, root
 # manila/share/drivers/zfsonlinux/driver.py
-nsenter: CommandFilter, /usr/local/bin/nsenter, root
+nsenter: CommandFilter, nsenter, root
 # LXD driver commands
 # manila/share/drivers/lxd.py
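Review bot: The `nsenter` filter's resolution is inverted rather than merely relaxed by this change: it was pinned to `/usr/local/bin/nsenter`, and with the bare name rootwrap now searches /sbin, /usr/sbin, /bin and /usr/bin first, so a distro util-linux `nsenter` in /usr/bin takes precedence over the local copy wherever both exist. If the local copy was there because the distro one was missing or too old for the zfsonlinux driver, hosts that have both will silently switch binaries, and the commit message does not mention this. Suggest recording the assumption on the comment line above the filter, e.g. `# nsenter is resolved via exec_dirs; a distro /usr/bin/nsenter takes precedence over /usr/local/bin/nsenter.`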