From e8173abb913a5fdd594803ed85ae2597b67fc349 Mon Sep 17 00:00:00 2001
From: Corey Bryant
Date: Fri, 30 Jun 2017 18:37:54 +0000
Subject: [PATCH] Add patches to drop use of setuid and fchownat

Drop use of setuid and fchownat as they're not covered by any current plugs and the code isn't required because in strict mode everything runs as root.

Change-Id: Ic4f0dd6029c869595e35adc343d55e35d50e0d33
---
 patches/drop-setuid-from-neutron.patch | 22 ++++++++++++++++++++++
 patches/drop-use-of-fchownat.patch | 25 +++++++++++++++++++++++++
 snapcraft.yaml | 2 ++
 3 files changed, 49 insertions(+)
 create mode 100644 patches/drop-setuid-from-neutron.patch
 create mode 100644 patches/drop-use-of-fchownat.patch

diff --git a/patches/drop-setuid-from-neutron.patch b/patches/drop-setuid-from-neutron.patch
new file mode 100644
index 0000000..36a6014
--- /dev/null
+++ b/patches/drop-setuid-from-neutron.patch
@@ -0,0 +1,22 @@
+Description: Drop code where neutron drops privileges from root.
+ This code isn't required because in strict mode we run everything
+ as root:root and setuid is not allowed by the current plugs.
+Author: Corey Bryant
+Forwarded: no
+
+---
+ neutron/agent/linux/daemon.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/neutron/agent/linux/daemon.py b/neutron/agent/linux/daemon.py
+index 6ad9ee3c8..23218eace 100644
+--- a/neutron/agent/linux/daemon.py
++++ b/neutron/agent/linux/daemon.py
+@@ -255,4 +255,3 @@ class Daemon(object):
+ """
+ if not self.watch_log:
+ unwatch_log()
+- drop_privileges(self.user, self.group)
+--
+2.11.0
+
diff --git a/patches/drop-use-of-fchownat.patch b/patches/drop-use-of-fchownat.patch
new file mode 100644
index 0000000..5b6cbfe
--- /dev/null
+++ b/patches/drop-use-of-fchownat.patch
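Review bot: Removing `drop_privileges(self.user, self.group)` at the end of this `Daemon` method leaves `self.user` and `self.group` configurable but inert, so a deployment that sets a non-root daemon user gets no privilege drop and no indication that the setting was ignored. Consider replacing the removed line with a logged notice such as `LOG.warning("Skipping privilege drop to %s:%s; this snap runs as root under strict confinement", self.user, self.group)` if daemon.py exposes a module logger, or at least state in the patch's Description that these settings have no effect in this snap. The enclosing method starts above the inner hunk, so whether anything else consumes those attributes is not visible here. Both this patch and drop-use-of-fchownat.patch record only abbreviated blob ids in their inner `index` lines, so a `Last-Update:` or `Origin:` header naming the upstream release each was cut from would make a stale patch easy to spot on the next version bump.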
@@ -0,0 +1,25 @@
+Description: Drop code that uses fchownat syscall as it's not covered
+ by any relevant plugs. This code isn't required because in strict
+ mode we run everything as root:root.
+Author: Corey Bryant
+Forwarded: no
+
+---
+ nova/virt/libvirt/driver.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
+index 0e8fe070..dfcb64bc 100644
+--- a/nova/virt/libvirt/driver.py
++++ b/nova/virt/libvirt/driver.py
+@@ -2732,7 +2732,6 @@ class LibvirtDriver(driver.ComputeDriver):
+ i = 0 # in case there is a log rotation (like "virtlogd")
+ path = console_log
+ while bytes_to_read > 0 and os.path.exists(path):
+- libvirt_utils.chown(path, os.getuid())
+ with libvirt_utils.file_open(path, 'rb') as fp:
+ read_log_data, remaining = utils.last_bytes(fp, bytes_to_read)
+ # We need the log file content in chronological order,
+--
+2.11.0
+
diff --git a/snapcraft.yaml b/snapcraft.yaml
index f3a81be..9218f8c 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -231,6 +231,8 @@ parts:
 export SNAP_ROOT="../../../"
 export SNAP_SITE_PACKAGES="$SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages"
 patch -d $SNAP_SITE_PACKAGES -p1 < $SNAP_ROOT/patches/oslo-config-dirs.patch
+ patch -d $SNAP_SITE_PACKAGES -p1 < $SNAP_ROOT/patches/drop-setuid-from-neutron.patch
+ patch -d $SNAP_SITE_PACKAGES -p1 < $SNAP_ROOT/patches/drop-use-of-fchownat.patch
 templates:
 after: [nova]
 plugin: dump
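Review bot: The two new `patch` invocations in the snapcraft.yaml hunk do not check their exit status, so if either patch stops applying on a future nova or neutron bump the build can carry on with the setuid and chown calls still in place, and those would then be denied at runtime under strict confinement instead of failing at build time; whether this scriptlet already runs under `set -e` is not visible in the hunk. Make a failed application fatal, e.g. `patch -d $SNAP_SITE_PACKAGES -p1 < $SNAP_ROOT/patches/drop-setuid-from-neutron.patch || exit 1` on each of the three `patch` lines, or put `set -e` at the top of the scriptlet, and consider adding `--forward` so a re-run of the build step does not try to reverse-apply an already-applied patch.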