Use symbolic names for capabilities, expand sys_admin context.

Use the new symnbolic names for the DAC capabilities as promised
by Tony's todo. As discussed yesterday, add more capabilities
to the sys_admin context as a precursor step to moving everything
to one big sudo like context.

Change-Id: I57bda14c0842974691b4da19e223aefc45275d71
blueprint: hurrah-for-privsep

nova/privsep/__init__.py

@@ -24,11 +24,10 @@ dac_admin_pctxt = priv_context.PrivContext(
     'nova',
     cfg_section='nova_dac_admin',
     pypath=__name__ + '.dac_admin_pctxt',
-    # NOTE(tonyb): These map to CAP_CHOWN, CAP_DAC_OVERRIDE,
-    #              CAP_DAC_READ_SEARCH  and CAP_FOWNER.  Some do not have
-    #              symbolic names in oslo.privsep yet.  See capabilites(7)
-    #              for more information
-    capabilities=[0, 1, 2, 3],
+    capabilities=[capabilities.CAP_CHOWN,
+                  capabilities.CAP_DAC_OVERRIDE,
+                  capabilities.CAP_DAC_READ_SEARCH,
+                  capabilities.CAP_FOWNER],
 )
 
 
@@ -37,5 +36,21 @@ dacnet_admin_pctxt = priv_context.PrivContext(
     'nova',
     cfg_section='nova_dacnet_admin',
     pypath=__name__ + '.dacnet_admin_pctxt',
-    capabilities=[0, 1, 2, 3, capabilities.CAP_NET_ADMIN],
+    capabilities=[capabilities.CAP_CHOWN,
+                  capabilities.CAP_DAC_OVERRIDE,
+                  capabilities.CAP_DAC_READ_SEARCH,
+                  capabilities.CAP_FOWNER,
+                  capabilities.CAP_NET_ADMIN],
+)
+
+sys_admin_pctxt = priv_context.PrivContext(
+    'nova',
+    cfg_section='nova_sys_admin',
+    pypath=__name__ + '.sys_admin_pctxt',
+    capabilities=[capabilities.CAP_CHOWN,
+                  capabilities.CAP_DAC_OVERRIDE,
+                  capabilities.CAP_DAC_READ_SEARCH,
+                  capabilities.CAP_FOWNER,
+                  capabilities.CAP_NET_ADMIN,
+                  capabilities.CAP_SYS_ADMIN],
 )