# This is needed because we should ping
# from inside a namespace which requires root
-ping: RegExpFilter, /bin/ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
-ping6: RegExpFilter, /bin/ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
+ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
+ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
[Filters]
# dhcp-agent
-ip_exec_dnsmasq: DnsmasqNetnsFilter, /sbin/ip, root
+ip_exec_dnsmasq: DnsmasqNetnsFilter, ip, root
dnsmasq: DnsmasqFilter, /sbin/dnsmasq, root
dnsmasq_usr: DnsmasqFilter, /usr/sbin/dnsmasq, root
# dhcp-agent uses kill as well, that's handled by the generic KillFilter
kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
# dhcp-agent uses cat
-cat: RegExpFilter, /bin/cat, root, cat, /proc/\d+/cmdline
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
+cat: RegExpFilter, cat, root, cat, /proc/\d+/cmdline
+ovs-vsctl: CommandFilter, ovs-vsctl, root
# metadata proxy
-metadata_proxy: CommandFilter, /usr/bin/quantum-ns-metadata-proxy, root
+metadata_proxy: CommandFilter, quantum-ns-metadata-proxy, root
# If installed from source (say, by devstack), the prefix will be
# /usr/local instead of /usr/bin.
metadata_proxy_local: CommandFilter, /usr/local/bin/quantum-ns-metadata-proxy, root
kill_metadata6: KillFilter, root, /usr/bin/python2.6, -9
# ip_lib
-ip: IpFilter, /sbin/ip, root
-ip_usr: IpFilter, /usr/sbin/ip, root
-ip_exec: IpNetnsExecFilter, /sbin/ip, root
-ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
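Review bot: `dnsmasq` and `dnsmasq_usr` stay as two absolute-path DnsmasqFilter entries while `ip_exec_dnsmasq`, `cat`, `ovs-vsctl`, `ip` and `ip_exec` in this section move to bare names, so the section now mixes two resolution schemes without saying why. If DnsmasqFilter resolves bare names the same way as the other filters (not visible in this change), the pair can collapse to `dnsmasq: DnsmasqFilter, dnsmasq, root`. In that case the `kill_dnsmasq_usr` entry, which names only `/usr/sbin/dnsmasq`, should be checked against where the binary is actually found. If the absolute paths are kept on purpose, a one-line comment above them saying so would stop a later cleanup from widening a root filter by accident.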
# quantum/agent/linux/iptables_manager.py
# "iptables-save", ...
-iptables-save: CommandFilter, /sbin/iptables-save, root
-iptables-restore: CommandFilter, /sbin/iptables-restore, root
-ip6tables-save: CommandFilter, /sbin/ip6tables-save, root
-ip6tables-restore: CommandFilter, /sbin/ip6tables-restore, root
+iptables-save: CommandFilter, iptables-save, root
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
# quantum/agent/linux/iptables_manager.py
# "iptables", "-A", ...
-iptables: CommandFilter, /sbin/iptables, root
-ip6tables: CommandFilter, /sbin/ip6tables, root
+iptables: CommandFilter, iptables, root
+ip6tables: CommandFilter, ip6tables, root
[Filters]
# arping
-arping: CommandFilter, /usr/bin/arping, root
-arping_sbin: CommandFilter, /sbin/arping, root
+arping: CommandFilter, arping, root
# l3_agent
-sysctl: CommandFilter, /sbin/sysctl, root
-route: CommandFilter, /sbin/route, root
+sysctl: CommandFilter, sysctl, root
+route: CommandFilter, route, root
# metadata proxy
-metadata_proxy: CommandFilter, /usr/bin/quantum-ns-metadata-proxy, root
+metadata_proxy: CommandFilter, quantum-ns-metadata-proxy, root
# If installed from source (say, by devstack), the prefix will be
# /usr/local instead of /usr/bin.
metadata_proxy_local: CommandFilter, /usr/local/bin/quantum-ns-metadata-proxy, root
kill_metadata6: KillFilter, root, /usr/bin/python2.6, -9
# ip_lib
-ip: IpFilter, /sbin/ip, root
-ip_usr: IpFilter, /usr/sbin/ip, root
-ip_exec: IpNetnsExecFilter, /sbin/ip, root
-ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
# ovs_lib (if OVSInterfaceDriver is used)
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
+ovs-vsctl: CommandFilter, ovs-vsctl, root
# iptables_manager
-iptables-save: CommandFilter, /sbin/iptables-save, root
-iptables-restore: CommandFilter, /sbin/iptables-restore, root
-ip6tables-save: CommandFilter, /sbin/ip6tables-save, root
-ip6tables-restore: CommandFilter, /sbin/ip6tables-restore, root
+iptables-save: CommandFilter, iptables-save, root
+iptables-restore: CommandFilter, iptables-restore, root
+ip6tables-save: CommandFilter, ip6tables-save, root
+ip6tables-restore: CommandFilter, ip6tables-restore, root
[Filters]
# haproxy
-haproxy: CommandFilter, /usr/sbin/haproxy, root
+haproxy: CommandFilter, haproxy, root
# lbaas-agent uses kill as well, that's handled by the generic KillFilter
kill_haproxy_usr: KillFilter, root, /usr/sbin/haproxy, -9, -HUP
# lbaas-agent uses cat
-cat: RegExpFilter, /bin/cat, root, cat, /proc/\d+/cmdline
+cat: RegExpFilter, cat, root, cat, /proc/\d+/cmdline
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
+ovs-vsctl: CommandFilter, ovs-vsctl, root
# ip_lib
-ip: IpFilter, /sbin/ip, root
-ip_usr: IpFilter, /usr/sbin/ip, root
-ip_exec: IpNetnsExecFilter, /sbin/ip, root
-ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
# linuxbridge-agent
# unclear whether both variants are necessary, but I'm transliterating
# from the old mechanism
-brctl: CommandFilter, /sbin/brctl, root
-brctl_usr: CommandFilter, /usr/sbin/brctl, root
+brctl: CommandFilter, brctl, root
# ip_lib
-ip: IpFilter, /sbin/ip, root
-ip_usr: IpFilter, /usr/sbin/ip, root
-ip_exec: IpNetnsExecFilter, /sbin/ip, root
-ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
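Review bot: The retained comment "unclear whether both variants are necessary, but I'm transliterating from the old mechanism" is stale, because `brctl` is now a single filter and the `/sbin` and `/usr/sbin` variants it refers to are removed. The same two comment lines survive above the collapsed `ovs-vsctl`/`ovs-ofctl`/`xe` entries in the openvswitch-agent section. I would replace them in both places with something like `# bare names are resolved through exec_dirs in rootwrap.conf`. That makes the dependency of these root filters on that setting visible to whoever audits the file.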
[Filters]
# nec_quantum_agent
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
+ovs-vsctl: CommandFilter, ovs-vsctl, root
# openvswitch-agent
# unclear whether both variants are necessary, but I'm transliterating
# from the old mechanism
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
-ovs-ofctl: CommandFilter, /bin/ovs-ofctl, root
-ovs-ofctl_usr: CommandFilter, /usr/bin/ovs-ofctl, root
-ovs-ofctl_sbin: CommandFilter, /sbin/ovs-ofctl, root
-ovs-ofctl_sbin_usr: CommandFilter, /usr/sbin/ovs-ofctl, root
-xe: CommandFilter, /sbin/xe, root
-xe_usr: CommandFilter, /usr/sbin/xe, root
+ovs-vsctl: CommandFilter, ovs-vsctl, root
+ovs-ofctl: CommandFilter, ovs-ofctl, root
+xe: CommandFilter, xe, root
# ip_lib
-ip: IpFilter, /sbin/ip, root
-ip_usr: IpFilter, /usr/sbin/ip, root
-ip_exec: IpNetnsExecFilter, /sbin/ip, root
-ip_exec_usr: IpNetnsExecFilter, /usr/sbin/ip, root
+ip: IpFilter, ip, root
+ip_exec: IpNetnsExecFilter, ip, root
# quantum/plugins/ryu/agent/ryu_quantum_agent.py:
# "ovs-vsctl", "--timeout=2", ...
-ovs-vsctl: CommandFilter, /bin/ovs-vsctl, root
-ovs-vsctl_usr: CommandFilter, /usr/bin/ovs-vsctl, root
-ovs-vsctl_sbin: CommandFilter, /sbin/ovs-vsctl, root
-ovs-vsctl_sbin_usr: CommandFilter, /usr/sbin/ovs-vsctl, root
+ovs-vsctl: CommandFilter, ovs-vsctl, root
# quantum/plugins/ryu/agent/ryu_quantum_agent.py:
# "xe", "vif-param-get", ...
-xe: CommandFilter, /bin/xe, root
-xe_usr: CommandFilter, /usr/bin/xe, root
+xe: CommandFilter, xe, root
# These directories MUST all be only writeable by root !
filters_path=/etc/quantum/rootwrap.d,/usr/share/quantum/rootwrap
+# List of directories to search executables in, in case filters do not
+# explicitely specify a full path (separated by ',')
+# If not specified, defaults to system PATH environment variable.
+# These directories MUST all be only writeable by root !
+exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
+
[XENAPI]
# XenAPI configuration is only required by the L2 agent if it is to
# target a XenServer/XCP compute host's dom0.
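Review bot: The documented fallback "If not specified, defaults to system PATH environment variable" means every bare-name filter introduced by this change resolves through the invoking environment's PATH whenever `exec_dirs` is absent. That can happen on an upgrade that installs the new filter files but preserves an older rootwrap.conf. Whether PATH is sanitised before rootwrap runs (for example by the sudo configuration) is not visible here, so the comment should state that `exec_dirs` is expected to be set explicitly, e.g. `# Always set this explicitly; the PATH fallback trusts the caller's environment.` The listed order also decides which binary wins when a name exists in more than one directory, which is worth stating next to `exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin`. Also, "explicitely" in the added comment should read "explicitly".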