Update paste, policy and rootwrap configurations 2016-12-23

Change-Id: Idc93131fc2540db325298c5843c521c29f48671c

files/rootwrap.d/dhcp.filters

@@ -13,8 +13,8 @@ dnsmasq: CommandFilter, dnsmasq, root
 # dhcp-agent uses kill as well, that's handled by the generic KillFilter
 # it looks like these are the only signals needed, per
 # neutron/agent/linux/dhcp.py
-kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP
-kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
+kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
+kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
 
 ovs-vsctl: CommandFilter, ovs-vsctl, root
 ivs-ctl: CommandFilter, ivs-ctl, root

files/rootwrap.d/l3.filters

@@ -19,10 +19,10 @@ radvd: CommandFilter, radvd, root
 # metadata proxy
 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
 # RHEL invocation of the metadata proxy will report /usr/bin/python
-kill_metadata: KillFilter, root, python, -9
-kill_metadata7: KillFilter, root, python2.7, -9
-kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -9, -HUP
-kill_radvd: KillFilter, root, /sbin/radvd, -9, -HUP
+kill_metadata: KillFilter, root, python, -15, -9
+kill_metadata7: KillFilter, root, python2.7, -15, -9
+kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
+kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
 
 # ip_lib
 ip: IpFilter, ip, root

files/rootwrap.d/netns-cleanup.filters

@@ -0,0 +1,12 @@
+# neutron-rootwrap command filters for nodes on which neutron is
+# expected to control network
+#
+# This file should be owned by (and only-writeable by) the root user
+
+# format seems to be
+# cmd-name: filter-name, raw-command, user, args
+
+[Filters]
+
+# netns-cleanup
+netstat: CommandFilter, netstat, root

files/rootwrap.d/privsep.filters

@@ -0,0 +1,36 @@
+# Command filters to allow privsep daemon to be started via rootwrap.
+#
+# This file should be owned by (and only-writeable by) the root user
+
+[Filters]
+
+# By installing the following, the local admin is asserting that:
+#
+# 1. The python module load path used by privsep-helper
+#    command as root (as started by sudo/rootwrap) is trusted.
+# 2. Any oslo.config files matching the --config-file
+#    arguments below are trusted.
+# 3. Users allowed to run sudo/rootwrap with this configuration(*) are
+#    also allowed to invoke python "entrypoint" functions from
+#    --privsep_context with the additional (possibly root) privileges
+#    configured for that context.
+#
+# (*) ie: the user is allowed by /etc/sudoers to run rootwrap as root
+#
+# In particular, the oslo.config and python module path must not
+# be writeable by the unprivileged user.
+
+# oslo.privsep default neutron context
+privsep: PathFilter, privsep-helper, root,
+ --config-file, /etc,
+ --privsep_context, neutron.privileged.default,
+ --privsep_sock_path, /
+
+# Same as above with a second `--config-file` arg, since many neutron
+# components are installed like that (eg: by devstack).  Adjust to
+# suit local requirements.
+privsep: PathFilter, privsep-helper, root,
+ --config-file, /etc,
+ --config-file, /etc,
+ --privsep_context, neutron.privileged.default,
+ --privsep_sock_path, /