diff --git a/files/rootwrap.d/dhcp.filters b/files/rootwrap.d/dhcp.filters
index ab87abb2..3f06b4ae 100644
--- a/files/rootwrap.d/dhcp.filters
+++ b/files/rootwrap.d/dhcp.filters
@@ -13,8 +13,8 @@ dnsmasq: CommandFilter, dnsmasq, root
 # dhcp-agent uses kill as well, that's handled by the generic KillFilter
 # it looks like these are the only signals needed, per
 # neutron/agent/linux/dhcp.py
-kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP
-kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
+kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
 
 ovs-vsctl: CommandFilter, ovs-vsctl, root
 ivs-ctl: CommandFilter, ivs-ctl, root
diff --git a/files/rootwrap.d/l3.filters b/files/rootwrap.d/l3.filters
index 0fdf60cd..789a16f8 100644
--- a/files/rootwrap.d/l3.filters
+++ b/files/rootwrap.d/l3.filters
@@ -19,10 +19,10 @@ radvd: CommandFilter, radvd, root
 # metadata proxy
 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
 # RHEL invocation of the metadata proxy will report /usr/bin/python
-kill_metadata: KillFilter, root, python, -9
-kill_metadata7: KillFilter, root, python2.7, -9
-kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -9, -HUP
-kill_radvd: KillFilter, root, /sbin/radvd, -9, -HUP
+kill_metadata: KillFilter, root, python, -15, -9
+kill_metadata7: KillFilter, root, python2.7, -15, -9
+kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
+kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
 
 # ip_lib
 ip: IpFilter, ip, root
diff --git a/files/rootwrap.d/netns-cleanup.filters b/files/rootwrap.d/netns-cleanup.filters
new file mode 100644
index 00000000..1ee142e5
--- /dev/null
+++ b/files/rootwrap.d/netns-cleanup.filters
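Review bot: The signal lists on the two new `kill_dnsmasq*` lines are ordered `-9, -HUP, -15`, while the l3.filters hunk in the same commit orders its new lists `-15, -9, -HUP`; one convention across both files makes it easier to audit which signals each filter permits. The comment two lines above the change (`# it looks like these are the only signals needed, per neutron/agent/linux/dhcp.py`) was written for the old two-signal list and does not say why SIGTERM is now included; I would extend it with a line such as `# -15 (SIGTERM) added so the agent can request a graceful stop before -9 — confirm against dhcp.py`. The rest of the dhcp.filters file lies outside this hunk.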
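Review bot: The new `kill_metadata` and `kill_metadata7` lines grant SIGTERM and SIGKILL against an executable named only by basename (`python`, `python2.7`), unlike the `kill_radvd*` lines below them, which pin an absolute path. If oslo.rootwrap's KillFilter compares a bare name against the basename of the target process's executable, as I believe it does, these entries permit signalling any root-owned python process, not only the metadata proxy; that scope predates this commit but the added `-15` widens what can be done with it. The comment above (`# RHEL invocation of the metadata proxy will report /usr/bin/python`) does not make this visible, so I would add `# NOTE: name-only match — applies to any root python process, not just the proxy; verify KillFilter semantics` next to it.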
@@ -0,0 +1,12 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# netns-cleanup
+netstat: CommandFilter, netstat, root
diff --git a/files/rootwrap.d/privsep.filters b/files/rootwrap.d/privsep.filters
new file mode 100644
index 00000000..58e3b909
--- /dev/null
+++ b/files/rootwrap.d/privsep.filters
@@ -0,0 +1,36 @@
+# Command filters to allow privsep daemon to be started via rootwrap.
+#
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+
+# By installing the following, the local admin is asserting that:
+#
+# 1. The python module load path used by privsep-helper
+# command as root (as started by sudo/rootwrap) is trusted.
+# 2. Any oslo.config files matching the --config-file
+# arguments below are trusted.
+# 3. Users allowed to run sudo/rootwrap with this configuration(*) are
+# also allowed to invoke python "entrypoint" functions from
+# --privsep_context with the additional (possibly root) privileges
+# configured for that context.
+#
+# (*) ie: the user is allowed by /etc/sudoers to run rootwrap as root
+#
+# In particular, the oslo.config and python module path must not
+# be writeable by the unprivileged user.
+
+# oslo.privsep default neutron context
+privsep: PathFilter, privsep-helper, root,
+ --config-file, /etc,
+ --privsep_context, neutron.privileged.default,
+ --privsep_sock_path, /
+
+# Same as above with a second `--config-file` arg, since many neutron
+# components are installed like that (eg: by devstack). Adjust to
+# suit local requirements.
+privsep: PathFilter, privsep-helper, root,
+ --config-file, /etc,
+ --config-file, /etc,
+ --privsep_context, neutron.privileged.default,
+ --privsep_sock_path, /
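Review bot: The header line `# format seems to be` is hedged wording inside the file that is itself the authoritative policy; state it plainly as `# format is:` so a later reader does not go looking for a more definitive source. The `netstat` CommandFilter is granted as root with no argument restriction and the only context is the `# netns-cleanup` label; a one-line comment on what the cleanup tool runs it for would let the next reviewer judge the grant, e.g. `# netstat: used by neutron-netns-cleanup to inspect sockets inside a namespace — read-only, arguments unrestricted` (purpose inferred from the file name; confirm against the caller).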
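Review bot: Both filter entries in this new file use the same option name `privsep` inside the single `[Filters]` section; if rootwrap loads these files with a ConfigParser that rejects duplicate options or keeps only the last one, the single `--config-file` variant would be dropped or the whole file refused. That should be verified against the installed oslo.rootwrap, or the two entries given distinct names (for example `privsep` and `privsep2`), which costs nothing. Separately, `--config-file, /etc` and `--privsep_sock_path, /` are PathFilter arguments, so any file under `/etc` and any path at all are accepted respectively; the long comment block describes the trust assumptions on the module path and config files but not this, and a line such as `# PathFilter: any path beneath the listed directory is accepted for these arguments` beside the entries would make the grant explicit.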