Make chown rootwrap filter ipsec.secrets file specific

The LibreSwan ipsec driver needs to be able to change the ownership of
generated ipsec.secrets files to root. This modifies the existing
rootwrap filter to allow chown operations only to be performed on files
named ipsec.secrets that have the expected UID.

Change-Id: I1305f9e78eb5fe718f3065e6a9e690293f1fca1d
Related-bug: #1493492

etc/neutron/rootwrap.d/vpnaas.filters

@@ -14,4 +14,4 @@ ipsec: CommandFilter, ipsec, root
 strongswan: CommandFilter, strongswan, root
 neutron_netns_wrapper: CommandFilter, neutron-vpn-netns-wrapper, root
 neutron_netns_wrapper_local: CommandFilter, /usr/local/bin/neutron-vpn-netns-wrapper, root
-chown: CommandFilter, chown, root
+chown: RegExpFilter, chown, root, chown, --from=.*, root.root, .*/ipsec.secrets

neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py

@@ -17,8 +17,7 @@ import os.path
 
 import eventlet
 
-from neutron.i18n import _LE
-from neutron.i18n import _LW
+from neutron.i18n import _LE, _LW
 from oslo_config import cfg
 from oslo_log import log as logging
 
@@ -66,7 +65,8 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
         # running as root and the file has 0600 perms, we must set the
         # owner of the file to root.
         secrets_file = self._get_config_filename('ipsec.secrets')
-        self._execute(['chown', 'root:root', secrets_file])
+        self._execute(['chown', '--from=%s' % os.getuid(), 'root:root',
+                       secrets_file])
 
         # Load the ipsec kernel module if not loaded
         self._execute([self.binary, '_stackmanager', 'start'])

neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py

@@ -16,6 +16,7 @@ import copy
 import difflib
 import io
 import mock
+import os
 import socket
 
 from neutron.agent.l3 import dvr_edge_router
@@ -993,7 +994,8 @@ class TestLibreSwanProcess(base.BaseTestCase):
         openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
         with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
             self.ipsec_process.ensure_configs()
-            expected = [mock.call(['chown', 'root:root',
+            expected = [mock.call(['chown', '--from=%s' % os.getuid(),
+                                   'root:root',
                                    self.ipsec_process._get_config_filename(
                                        'ipsec.secrets')]),
                         mock.call(['ipsec', '_stackmanager', 'start']),
@@ -1005,7 +1007,8 @@ class TestLibreSwanProcess(base.BaseTestCase):
         with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
             fake_execute.side_effect = [None, None, RuntimeError, None]
             self.ipsec_process.ensure_configs()
-            expected = [mock.call(['chown', 'root:root',
+            expected = [mock.call(['chown', '--from=%s' % os.getuid(),
+                                   'root:root',
                                    self.ipsec_process._get_config_filename(
                                        'ipsec.secrets')]),
                         mock.call(['ipsec', '_stackmanager', 'start']),