Update paste, policy and rootwrap configurations 2017-10-14
This also updates the nova-lxd filters. Change-Id: I9674b3c159adf4a8caa39a98d9d6090a6e2ce754 Closes-Bug: #1716411
parent
c60ebb7f5c
commit
b21acaf0c8
@ -37,24 +37,6 @@ blkid: CommandFilter, blkid, root
|
||||
# nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device
|
||||
blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
|
||||
|
||||
# nova/virt/disk/vfs/localfs.py: 'tee', canonpath
|
||||
# nova/virt/libvirt/guest.py: 'tee',
|
||||
# nova/virt/libvirt/vif.py: utils.execute('tee',
|
||||
tee: CommandFilter, tee, root
|
||||
|
||||
# nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath
|
||||
mkdir: CommandFilter, mkdir, root
|
||||
|
||||
# nova/virt/disk/vfs/localfs.py: 'chown'
|
||||
# nova/virt/libvirt/utils.py: def chown(): execute('chown', owner, path,
|
||||
# nova/virt/libvirt/driver.py: 'chown', os.getuid( console_log
|
||||
# nova/virt/libvirt/driver.py: 'chown', os.getuid( console_log
|
||||
# nova/virt/libvirt/driver.py: 'chown', 'root', basepath('disk')
|
||||
chown: CommandFilter, chown, root
|
||||
|
||||
# nova/virt/disk/vfs/localfs.py: 'chmod'
|
||||
chmod: CommandFilter, chmod, root
|
||||
|
||||
# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
|
||||
# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
|
||||
# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
|
||||
@ -103,9 +85,6 @@ mm-ctl: CommandFilter, mm-ctl, root
|
||||
# nova/network/linux_net.py: 'ovs-ofctl', ....
|
||||
ovs-ofctl: CommandFilter, ovs-ofctl, root
|
||||
|
||||
# nova/virt/libvirt/driver.py: 'dd', if=%s % virsh_output, ...
|
||||
dd: CommandFilter, dd, root
|
||||
|
||||
# nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
|
||||
iscsiadm: CommandFilter, iscsiadm, root
|
||||
|
||||
@ -180,9 +159,6 @@ mkfs: CommandFilter, mkfs, root
|
||||
# nova/virt/libvirt/utils.py: 'qemu-img'
|
||||
qemu-img: CommandFilter, qemu-img, root
|
||||
|
||||
# nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
|
||||
readlink: CommandFilter, readlink, root
|
||||
|
||||
# nova/virt/disk/api.py:
|
||||
mkfs.ext3: CommandFilter, mkfs.ext3, root
|
||||
mkfs.ext4: CommandFilter, mkfs.ext4, root
|
||||
@ -200,11 +176,6 @@ lvs: CommandFilter, lvs, root
|
||||
# nova/virt/libvirt/utils.py:
|
||||
vgs: CommandFilter, vgs, root
|
||||
|
||||
# nova/utils.py: read_file_as_root: 'cat', file_path
|
||||
# (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
|
||||
read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
|
||||
read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
|
||||
|
||||
# os-brick needed commands
|
||||
read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
|
||||
multipath: CommandFilter, multipath, root
|
||||
@ -222,7 +193,9 @@ scsi_id: CommandFilter, /lib/udev/scsi_id, root
|
||||
# os_brick.privileged.default oslo.privsep context
|
||||
# This line ties the superuser privs with the config files, context name,
|
||||
# and (implicitly) the actual python code invoked.
|
||||
privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
|
||||
privsep-rootwrap-os_brick: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
|
||||
|
||||
privsep-rootwrap-sys_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.sys_admin_pctxt, --privsep_sock_path, /tmp/.*
|
||||
|
||||
# nova/virt/libvirt/storage/dmcrypt.py:
|
||||
cryptsetup: CommandFilter, cryptsetup, root
|
||||
@ -242,18 +215,8 @@ cp: CommandFilter, cp, root
|
||||
# nova/virt/xenapi/vm_utils.py:
|
||||
sync: CommandFilter, sync, root
|
||||
|
||||
# nova/virt/libvirt/imagebackend.py:
|
||||
ploop: RegExpFilter, ploop, root, ploop, restore-descriptor, .*
|
||||
prl_disk_tool: RegExpFilter, prl_disk_tool, root, prl_disk_tool, resize, --size, .*M$, --resize_partition, --hdd, .*
|
||||
|
||||
# nova/virt/libvirt/utils.py:
|
||||
ploop: RegExpFilter, ploop, root, ploop, init, -s, .*, -f, .*, -t, .*, .*
|
||||
|
||||
# nova/virt/libvirt/utils.py: 'xend', 'status'
|
||||
xend: CommandFilter, xend, root
|
||||
|
||||
# nova/virt/libvirt/utils.py:
|
||||
touch: CommandFilter, touch, root
|
||||
|
||||
# nova/virt/libvirt/volume/vzstorage.py
|
||||
pstorage-mount: CommandFilter, pstorage-mount, root
|
||||
|
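Review bot: The `privsep-rootwrap-os_brick` and `privsep-rootwrap-sys_admin` RegExpFilter entries in the `@ -222,7 +193,9 @@` hunk restrict `--config-file` with `/etc/(?!\.\.).*`, but that negative lookahead only rejects a `..` component immediately after `/etc/`; every later path component and the `--privsep_sock_path` argument (`/tmp/.*`) are unconstrained, so the entry grants a root privsep helper for effectively any config path under /etc and any socket under /tmp. If the charm knows where it renders nova's and os-brick's configuration, pinning the pattern to those locations (for example `/etc/nova/[^/]+\.conf` — a constructed example, check it against the charm's render targets) would make the filter express the grant that is actually intended; otherwise a short comment above the block noting that the lookahead is a weak guard would help the next reader. Only the `sys_admin` line can be judged new from this page, since the rendered hunk gives no side marker for the `privsep-rootwrap` / `privsep-rootwrap-os_brick` pair. Separately, the `@ -242,18 +215,8 @@` hunk shows two `ploop:` keys in the same `[Filters]` section; with a ConfigParser-backed loader the second either shadows the first (silently denying `ploop restore-descriptor`) or is rejected as a duplicate option, so whichever of them survives on the new side should carry a distinct name such as `ploop_init`.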
@ -1,6 +1,10 @@
|
||||
# nova-rootwrap filters for compute nodes running flex
|
||||
# nova-rootwrap filters for compute nodes running nova-lxd
|
||||
# This file should be owned by (and only-writable by) the root user
|
||||
|
||||
[Filters]
|
||||
zfs: CommandFilter, zfs, root
|
||||
zpool: CommandFilter, zpool, root
|
||||
btrfs: CommandFilter, btrfs, root
|
||||
chown: CommandFilter, chown, root
|
||||
chmod: CommandFilter, chmod, root
|
||||
|
||||
|
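Review bot: The `chown` and `chmod` entries in the nova-lxd filter file are plain `CommandFilter`s, so a rootwrap caller may run either command as root against any path with any flags, which is far wider than an instance-storage driver needs; a `RegExpFilter` pinned to the argument shapes the nova-lxd code actually issues (the path prefix is not visible on this page, so take it from the driver's call sites) would keep the file at least privilege. Which of these lines are additions cannot be told from the rendered page, only that the hunk grows from 6 to 10 lines, so this applies to whichever of them are new. The same two names already exist in the compute filters above; rootwrap loads every file in its filters_path and keeps all entries, so the duplication is harmless, but a comment recording why nova-lxd carries its own copy would save the next reader a search.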