Prevent providing privsep-helper paths outside /etc

This commit aligns privsep filters with other projects
e.g nova[1], cinder[2] to prevent a malicious user from
invoking privsep-helper with an arbitrary configuration file
in case it took control over an unprivileged neutron process.

[1]4f261f98e1/etc/nova/rootwrap.d/compute.filters (L23)
[2]f5feb87ab8/etc/cinder/rootwrap.d/volume.filters (L41)

Change-Id: I0b4e8cdee0cbbc46547599e176efb4420ee1b318
This commit is contained in:
Adrian Chiris
2019-09-23 13:36:40 +03:00
parent db093d024e
commit f9a750fcaf

View File

@@ -22,7 +22,7 @@
# oslo.privsep default neutron context
privsep: PathFilter, privsep-helper, root,
--config-file, /etc,
--config-file, /etc/(?!\.\.).*,
--privsep_context, neutron.privileged.default,
--privsep_sock_path, /