From 663d6486a3ebff863ef9f8567867cc46f3fb99c0 Mon Sep 17 00:00:00 2001
From: Oleg Bondarev
Date: Fri, 26 Oct 2018 18:02:27 +0400
Subject: [PATCH] Add capabilities for privsep

CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH were added (like in nova) to fix agents on kernel 4.15. Please see bug for details

Change-Id: Ieed6f5f6906036cdeaf2c3d96350eeae9559c0c7
Closes-Bug: #1800157
(cherry picked from commit 32cc8b63d7bbe5cfc83b82a058d1c5832980f290)
---
 neutron/privileged/__init__.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/neutron/privileged/__init__.py b/neutron/privileged/__init__.py
index 537edef1735..1577879f109 100644
--- a/neutron/privileged/__init__.py
+++ b/neutron/privileged/__init__.py
@@ -22,5 +22,8 @@ default = priv_context.PrivContext(
     # TODO(gus): CAP_SYS_ADMIN is required (only?) for manipulating
     # network namespaces. SYS_ADMIN is a lot of scary powers, so
     # consider breaking this out into a separate minimal context.
-    capabilities=[caps.CAP_SYS_ADMIN, caps.CAP_NET_ADMIN],
+    capabilities=[caps.CAP_SYS_ADMIN,
+                  caps.CAP_NET_ADMIN,
+                  caps.CAP_DAC_OVERRIDE,
+                  2],  # CAP_DAC_READ_SEARCH
 )
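Review bot: The last added line of the hunk puts the bare integer `2` in the capabilities list next to three symbolic `caps.*` entries, with only a trailing comment naming it CAP_DAC_READ_SEARCH; presumably the oslo.privsep pinned for this branch does not export that name, but the literal says nothing about why it is there and will silently mean the wrong thing if the list is edited later. I would bind it once with the reason, e.g. `CAP_DAC_READ_SEARCH = getattr(caps, 'CAP_DAC_READ_SEARCH', 2)  # older oslo.privsep lacks this name; see bug #1800157` above the PrivContext call, and use `CAP_DAC_READ_SEARCH` in the list so the symbolic name is picked up once the library provides it. The existing TODO(gus) comment explains why SYS_ADMIN is scary but not why DAC_OVERRIDE and DAC_READ_SEARCH are now granted; since both let the privsep daemon bypass file permission checks, the comment should state what they are needed for (the kernel 4.15 agent breakage from the commit message) so a later reviewer can tell whether they can be dropped. The `default = priv_context.PrivContext(` statement begins outside the hunk.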