Prevent providing privsep-helper paths outside /etc

This commit aligns privsep filters with other projects e.g nova[1], cinder[2] to prevent a malicious user from invoking privsep-helper with an arbitrary configuration file in case it took control over an unprivileged neutron process. [1]4f261f98e1/etc/nova/rootwrap.d/compute.filters (L23) [2]f5feb87ab8/etc/cinder/rootwrap.d/volume.filters (L41) Change-Id: I0b4e8cdee0cbbc46547599e176efb4420ee1b318
2019-09-23 13:36:40 +03:00 · 2019-09-23 13:36:40 +03:00 · f9a750fcaf
commit f9a750fcaf
parent db093d024e
1 changed files with 1 additions and 1 deletions
--- a/etc/neutron/rootwrap.d/privsep.filters
+++ b/etc/neutron/rootwrap.d/privsep.filters
@ -22,7 +22,7 @@

 # oslo.privsep default neutron context
 privsep: PathFilter, privsep-helper, root,
- --config-file, /etc,
+ --config-file, /etc/(?!\.\.).*,
 --privsep_context, neutron.privileged.default,
 --privsep_sock_path, /