authorSean Dague <sean@dague.net>2016-07-19 13:33:44 -0700
committerSean Dague <sean@dague.net>2016-07-20 15:56:31 -0700
commit37c2a041d33f0fdce7ce2832398c1f60f3ee8703 (patch)
treecc07f66ae6d93e919b1aba92461caf5ccb6d2b57
parent5e5ed2e1338da7eae86f6e661e97c26da5135a13 (diff)
downloadoslo-rootwrap-37c2a041d33f0fdce7ce2832398c1f60f3ee8703.tar.gz
always allow privsep-helper as a command5.0.0
To support the seamless transition from oslo.rootwrap to oslo.privsep across multiple projects: nova, neutron, cinder, and libraries os-vif, os-brick we need to be able to execute privsep-helper as root from rootwrap. Rootwrap's use of etc (by default) for rules makes the upgrade path very manual for operators. Given that every project is going to add the same privsep-helper rule at some point over the next few cycles, instead of making every project have to have a manual update process, we just whitelist privsep-helper. This will immediately make it available for all, and upgrades become far more seamless. Change-Id: If8b60f2d671b9d12c58226019d787917efaedd9c
-rw-r--r--oslo_rootwrap/tests/test_rootwrap.py16
-rw-r--r--oslo_rootwrap/wrapper.py4
2 files changed, 20 insertions, 0 deletions
diff --git a/oslo_rootwrap/tests/test_rootwrap.py b/oslo_rootwrap/tests/test_rootwrap.py
index 3bd2a76..52dfaf9 100644
--- a/oslo_rootwrap/tests/test_rootwrap.py
+++ b/oslo_rootwrap/tests/test_rootwrap.py
@@ -29,6 +29,22 @@ from oslo_rootwrap import subprocess
from oslo_rootwrap import wrapper
+class RootwrapLoaderTestCase(testtools.TestCase):
+
+ def test_privsep_in_loader(self):
+ privsep = ["privsep-helper", "--context", "foo"]
+ filterlist = wrapper.load_filters([])
+
+ # mock out get_exec because
+ with mock.patch.object(filters.CommandFilter, 'get_exec') as ge:
+ ge.return_value = "/fake/privsep-helper"
+ filtermatch = wrapper.match_filter(filterlist, privsep)
+
+ self.assertIsNotNone(filtermatch)
+ self.assertEqual(filtermatch.get_command(privsep),
+ ["/fake/privsep-helper", "--context", "foo"])
+
+
class RootwrapTestCase(testtools.TestCase):
if os.path.exists('/sbin/ip'):
_ip = '/sbin/ip'
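Review bot: The comment `# mock out get_exec because` in test_privsep_in_loader stops mid-sentence, so the reason for the mock is never stated. Something like `# mock out get_exec because privsep-helper may not be installed on the test host` would do, assuming that is the intent. The test also exercises only the positive match against `load_filters([])`. A second assertion that a command other than privsep-helper is still rejected by that same list would pin down that the built-in rule grants exactly one command and nothing wider. RootwrapTestCase continues outside this hunk.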
diff --git a/oslo_rootwrap/wrapper.py b/oslo_rootwrap/wrapper.py
index 2846011..cd7a253 100644
--- a/oslo_rootwrap/wrapper.py
+++ b/oslo_rootwrap/wrapper.py
@@ -125,6 +125,10 @@ def load_filters(filters_path):
continue
newfilter.name = name
filterlist.append(newfilter)
+ # And always include privsep-helper
+ privsep = build_filter("CommandFilter", "privsep-helper", "root")
+ privsep.name = "privsep-helper"
+ filterlist.append(privsep)
return filterlist
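Review bot: The filter appended just before `return filterlist` is built from only the command name and the run-as user, so it places no constraint on the arguments passed to privsep-helper, and it is added regardless of what `filters_path` contains, so it never shows up in the rule files an operator audits. Every account permitted to invoke rootwrap therefore gains privsep-helper as root; if that is the intended trust model, the comment should say so, e.g. `# Built-in rule, not read from filters_path: privsep-helper may run as root with any arguments.` Because the name is not an absolute path it is presumably resolved through the configured exec_dirs (the test has to mock `get_exec`), which makes root-only write access to those directories a hard requirement worth documenting. A debug log line when the implicit rule is added would also help operators see it. load_filters begins outside this hunk.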