From 27b0fff119f9008ad4610979f31a3f6e1f98e305 Mon Sep 17 00:00:00 2001
From: Ha Van Tu
Date: Wed, 4 Jan 2017 16:23:28 +0700
Subject: [PATCH] Privsep configuration for neutron-fwaas

This patch adds fwaas-privsep.filters to FWaaS repository to be easier to maintain. It also helps avoid making Neutron be inversely depended on FWaaS when perform privsep configuration as in https://review.openstack.org/#/c/392014/.

Change-Id: I71308130fbcc861a167371339c89a47410b8d09a
---
 devstack/plugin.sh | 2 ++
 etc/neutron/rootwrap.d/fwaas-privsep.filters | 7 +++++++
 setup.cfg | 4 ++++
 3 files changed, 13 insertions(+)
 create mode 100644 etc/neutron/rootwrap.d/fwaas-privsep.filters
diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 84c2ef948..719884eda 100755
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -55,6 +55,8 @@ function init_fwaas() {
 mkdir /etc/neutron/policy.d
 fi
 cp $DEST/neutron-fwaas/etc/neutron/policy.d/neutron-fwaas.json /etc/neutron/policy.d/neutron-fwaas.json
+ # Using sudo to gain the root privilege to be able to copy file to rootwrap.d
+ sudo cp $DEST/neutron-fwaas/etc/neutron/rootwrap.d/fwaas-privsep.filters /etc/neutron/rootwrap.d/fwaas-privsep.filters
 }
 function shutdown_fwaas() {
diff --git a/etc/neutron/rootwrap.d/fwaas-privsep.filters b/etc/neutron/rootwrap.d/fwaas-privsep.filters
new file mode 100644
index 000000000..6b631417d
--- /dev/null
+++ b/etc/neutron/rootwrap.d/fwaas-privsep.filters
@@ -0,0 +1,7 @@
+# neutron-fwaas privsep filters
+
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+
+privsep-rootwrap: PathFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, neutron_fwaas.privileged.default
diff --git a/setup.cfg b/setup.cfg
index 24cfb9d21..5d97f6573 100644
--- a/setup.cfg
+++ b/setup.cfg
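Review bot: The `sudo cp` on the second added line of the devstack/plugin.sh hunk leaves the ownership and mode of /etc/neutron/rootwrap.d/fwaas-privsep.filters to whatever cp, the root umask, or a pre-existing destination file produce, while the filter file itself states it must be root-owned and only writable by root; since rootwrap filter files are the policy that decides what may run as root, that should be pinned rather than assumed. `sudo install -o root -g root -m 0644 $DEST/neutron-fwaas/etc/neutron/rootwrap.d/fwaas-privsep.filters /etc/neutron/rootwrap.d/fwaas-privsep.filters` sets both explicitly and fails loudly if /etc/neutron/rootwrap.d has not been created yet (the hunk presumes the neutron devstack setup already did that). The added comment could then read `# rootwrap filter files are root-owned security policy; install with explicit owner and mode`. init_fwaas starts before the hunk.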
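Review bot: The filter type on the last added line of the fwaas-privsep.filters hunk looks wrong: as far as I can tell oslo.rootwrap's PathFilter treats an absolute argument such as `/etc/(?!\.\.).*` as a directory prefix and compares it against the real path of the supplied value, not as a regular expression, so a config file like /etc/neutron/neutron.conf would never match and every privsep-helper launch through rootwrap would be rejected. The negative lookahead is regex syntax and is what RegExpFilter evaluates, which is the type the equivalent neutron privsep filter uses, so the intended line is presumably `privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, neutron_fwaas.privileged.default`. Please confirm against the oslo.rootwrap and oslo.privsep versions in use, since both filter types also appear to require the argument count to match exactly, so any extra argument privsep-helper passes would need its own entry here.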
@@ -23,6 +23,10 @@ classifier =
 packages =
 neutron_fwaas
+data_files =
+ etc/neutron/rootwrap.d =
+ etc/neutron/rootwrap.d/fwaas-privsep.filters
+
 [global]
 setup-hooks =
 pbr.hooks.setup_hook
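Review bot: The `data_files` target on the second added line is a relative path, so pbr installs the filter file under the interpreter's install prefix (for instance `<prefix>/etc/neutron/rootwrap.d/`, where `<prefix>` is sys.prefix of the installing Python), not into the /etc/neutron/rootwrap.d that rootwrap's filters_path is commonly configured with. This mirrors how neutron ships its own filters, so it is consistent, but it is presumably why devstack/plugin.sh in this same commit also copies the file with sudo, and a reader may mistake the two mechanisms for duplication. A one-line comment above the entry, e.g. `# installed relative to sys.prefix; deployment tooling copies this into /etc/neutron/rootwrap.d`, would make the intent explicit.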