diff --git a/files/rootwrap.d/compute.filters b/files/rootwrap.d/compute.filters
index 33e0360b..ae65a010 100644
--- a/files/rootwrap.d/compute.filters
+++ b/files/rootwrap.d/compute.filters
@@ -37,24 +37,6 @@ blkid: CommandFilter, blkid, root
 # nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device
 blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
-# nova/virt/disk/vfs/localfs.py: 'tee', canonpath
-# nova/virt/libvirt/guest.py: 'tee',
-# nova/virt/libvirt/vif.py: utils.execute('tee',
-tee: CommandFilter, tee, root
-
-# nova/virt/disk/vfs/localfs.py: 'mkdir', canonpath
-mkdir: CommandFilter, mkdir, root
-
-# nova/virt/disk/vfs/localfs.py: 'chown'
-# nova/virt/libvirt/utils.py: def chown(): execute('chown', owner, path,
-# nova/virt/libvirt/driver.py: 'chown', os.getuid( console_log
-# nova/virt/libvirt/driver.py: 'chown', os.getuid( console_log
-# nova/virt/libvirt/driver.py: 'chown', 'root', basepath('disk')
-chown: CommandFilter, chown, root
-
-# nova/virt/disk/vfs/localfs.py: 'chmod'
-chmod: CommandFilter, chmod, root
-
 # nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
 # nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
 # nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
@@ -103,9 +85,6 @@ mm-ctl: CommandFilter, mm-ctl, root
 # nova/network/linux_net.py: 'ovs-ofctl', ....
 ovs-ofctl: CommandFilter, ovs-ofctl, root
-# nova/virt/libvirt/driver.py: 'dd', if=%s % virsh_output, ...
-dd: CommandFilter, dd, root
-
 # nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
 iscsiadm: CommandFilter, iscsiadm, root
@@ -180,9 +159,6 @@ mkfs: CommandFilter, mkfs, root
 # nova/virt/libvirt/utils.py: 'qemu-img'
 qemu-img: CommandFilter, qemu-img, root
-# nova/virt/disk/vfs/localfs.py: 'readlink', '-e'
-readlink: CommandFilter, readlink, root
-
 # nova/virt/disk/api.py:
 mkfs.ext3: CommandFilter, mkfs.ext3, root
 mkfs.ext4: CommandFilter, mkfs.ext4, root
@@ -200,11 +176,6 @@ lvs: CommandFilter, lvs, root
 # nova/virt/libvirt/utils.py:
 vgs: CommandFilter, vgs, root
-# nova/utils.py: read_file_as_root: 'cat', file_path
-# (called from nova/virt/disk/vfs/localfs.py:VFSLocalFS.read_file)
-read_passwd: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/passwd
-read_shadow: RegExpFilter, cat, root, cat, (/var|/usr)?/tmp/openstack-vfs-localfs[^/]+/etc/shadow
-
 # os-brick needed commands
 read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
 multipath: CommandFilter, multipath, root
@@ -222,7 +193,9 @@ scsi_id: CommandFilter, /lib/udev/scsi_id, root
 # os_brick.privileged.default oslo.privsep context
 # This line ties the superuser privs with the config files, context name,
 # and (implicitly) the actual python code invoked.
-privsep-rootwrap: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
+privsep-rootwrap-os_brick: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
+
+privsep-rootwrap-sys_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.sys_admin_pctxt, --privsep_sock_path, /tmp/.*
 # nova/virt/libvirt/storage/dmcrypt.py:
 cryptsetup: CommandFilter, cryptsetup, root
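Review bot: The new `privsep-rootwrap-sys_admin` entry is the only privsep filter in this file with no comment naming the context it unlocks, while the three-line comment above it still says "This line ties the superuser privs ..." and only mentions os_brick.privileged.default. Since this filter is what now stands in for the chown/chmod/tee/dd/readlink/cat CommandFilters removed earlier in the same change (presumably — the diff does not state the motivation), it deserves its own header; I would change the existing comment to `# These lines tie the superuser privs with the config files, context name,` and add `# nova.privsep.sys_admin_pctxt oslo.privsep context (nova-side privileged operations; see nova/privsep/)` above the new line. Both entries also carry over the `/etc/(?!\.\.).*` config-file pattern, whose lookahead only rejects a `..` immediately after `/etc/`; if the deployment knows the exact nova.conf path, pinning `--config-file` to it is a cheaper and stronger check than the regex.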
@@ -242,18 +215,8 @@ cp: CommandFilter, cp, root
 # nova/virt/xenapi/vm_utils.py:
 sync: CommandFilter, sync, root
-# nova/virt/libvirt/imagebackend.py:
-ploop: RegExpFilter, ploop, root, ploop, restore-descriptor, .*
-prl_disk_tool: RegExpFilter, prl_disk_tool, root, prl_disk_tool, resize, --size, .*M$, --resize_partition, --hdd, .*
-
-# nova/virt/libvirt/utils.py:
-ploop: RegExpFilter, ploop, root, ploop, init, -s, .*, -f, .*, -t, .*, .*
-
 # nova/virt/libvirt/utils.py: 'xend', 'status'
 xend: CommandFilter, xend, root
-# nova/virt/libvirt/utils.py:
-touch: CommandFilter, touch, root
-
 # nova/virt/libvirt/volume/vzstorage.py
 pstorage-mount: CommandFilter, pstorage-mount, root
diff --git a/files/rootwrap.d/lxd.filters b/files/rootwrap.d/lxd.filters
index 7f030200..b2c32f75 100644
--- a/files/rootwrap.d/lxd.filters
+++ b/files/rootwrap.d/lxd.filters
@@ -1,6 +1,10 @@
-# nova-rootwrap filters for compute nodes running flex
+# nova-rootwrap filters for compute nodes running nova-lxd
 # This file should be owned by (and only-writable by) the root user
 [Filters]
 zfs: CommandFilter, zfs, root
+zpool: CommandFilter, zpool, root
 btrfs: CommandFilter, btrfs, root
+chown: CommandFilter, chown, root
+chmod: CommandFilter, chmod, root
+
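Review bot: The `chown` and `chmod` entries added to lxd.filters are unrestricted CommandFilters (any owner, any mode, any path, as root), which is exactly the shape this same change removes from compute.filters at `@@ -37,24 +37,6 @@`; reintroducing them for nova-lxd without an argument constraint hands the nova user a root-level ownership/permission change on arbitrary paths. If the nova-lxd call sites operate under a known directory, a RegExpFilter pinned to that prefix (the prefix is not visible in this diff) would keep the capability scoped; if not, the lines should at least carry the provenance comment the compute file uses, e.g. `# <nova-lxd module>: 'chown', owner, path` above each entry so the next reviewer can check the pattern against the caller. The trailing `+` adds a blank line at end of file, which is harmless but unintended.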