always allow privsep-helper as a command

To support the seamless transition from oslo.rootwrap to oslo.privsep
across multiple projects: nova, neutron, cinder, and libraries os-vif,
os-brick we need to be able to execute privsep-helper as root from
rootwrap.

Rootwrap's use of etc (by default) for rules makes the upgrade path
very manual for operators. Given that every project is going to add
the same privsep-helper rule at some point over the next few cycles,
instead of making every project have to have a manual update process,
we just whitelist privsep-helper. This will immediately make it
available for all, and upgrades become far more seamless.

Change-Id: If8b60f2d671b9d12c58226019d787917efaedd9c

oslo_rootwrap/tests/test_rootwrap.py

@@ -29,6 +29,22 @@ from oslo_rootwrap import subprocess
 from oslo_rootwrap import wrapper
 
 
+class RootwrapLoaderTestCase(testtools.TestCase):
+
+    def test_privsep_in_loader(self):
+        privsep = ["privsep-helper", "--context", "foo"]
+        filterlist = wrapper.load_filters([])
+
+        # mock out get_exec because
+        with mock.patch.object(filters.CommandFilter, 'get_exec') as ge:
+            ge.return_value = "/fake/privsep-helper"
+            filtermatch = wrapper.match_filter(filterlist, privsep)
+
+            self.assertIsNotNone(filtermatch)
+            self.assertEqual(filtermatch.get_command(privsep),
+                             ["/fake/privsep-helper", "--context", "foo"])
+
+
 class RootwrapTestCase(testtools.TestCase):
     if os.path.exists('/sbin/ip'):
         _ip = '/sbin/ip'

oslo_rootwrap/wrapper.py

@@ -125,6 +125,10 @@ def load_filters(filters_path):
                     continue
                 newfilter.name = name
                 filterlist.append(newfilter)
+    # And always include privsep-helper
+    privsep = build_filter("CommandFilter", "privsep-helper", "root")
+    privsep.name = "privsep-helper"
+    filterlist.append(privsep)
     return filterlist