diff options
| author | Michael Still <mikal@stillhq.com> | 2017-08-01 10:28:38 +1000 |
|---|---|---|
| committer | Michael Still <mikal@stillhq.com> | 2017-09-12 05:38:26 +1000 |
| commit | 0952f80d013c4ab85ff82355312feb2464796e38 (patch) | |
| tree | b3f9dc673781c29648296d5c734b297d070c9b3f /etc | |
| parent | d83e9c0b177d63c425075438c1462cdd809baa93 (diff) | |
| download | nova-0952f80d013c4ab85ff82355312feb2464796e38.tar.gz | |
Move execs of tee to privsep.
Instead of calling tee to write to files as root, we should just
write to files as root.
Change-Id: Ic48087fdf283b3ba503294a944be91be0c338132
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/nova/rootwrap.d/compute.filters | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters index 8786df809a..1a6127815d 100644 --- a/etc/nova/rootwrap.d/compute.filters +++ b/etc/nova/rootwrap.d/compute.filters @@ -37,10 +37,6 @@ blkid: CommandFilter, blkid, root # nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.* -# nova/virt/libvirt/guest.py: 'tee', -# nova/virt/libvirt/vif.py: utils.execute('tee', -tee: CommandFilter, tee, root - # nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap' # nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up' # nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev @@ -204,6 +200,7 @@ privsep-rootwrap-os_brick: RegExpFilter, privsep-helper, root, privsep-helper, - privsep-rootwrap-dac_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.dac_admin_pctxt, --privsep_sock_path, /tmp/.* +privsep-rootwrap-dacnet_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.dacnet_admin_pctxt, --privsep_sock_path, /tmp/.* # nova/virt/libvirt/storage/dmcrypt.py: cryptsetup: CommandFilter, cryptsetup, root |