Comment 6 for bug 948520

Thierry Carrez (ttx) wrote :

If the regexp anchors to a root-owned directory (in which Nova can't create symlinks) and checks you don't do path traversal, it should be alright...

Alternatively we could add a more complex filter that checks that the file affected actually lives in a given directory. Something like "RealFileFilter, chown, root, /var/lib/nova/" that would check that whatever is passed to chown actually lives in /var/lib/nova/ (would resolve symlinks and path traversal before allowing the command).
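A sketch of the kind of filter proposed in the comment above, as an added example that is not part of the original comment and is not Nova's own code. The class body, the `match(userargs)` method, the three-argument restriction and the `demo()` directory tree are assumptions made for illustration; only the name "RealFileFilter" and its three parameters come from the comment.

```python
import os
import tempfile


class RealFileFilter:
    """Hypothetical filter: allow `<cmd> <owner> <path>` only when <path>,
    after symlink and '..' resolution, lives under base_dir."""

    def __init__(self, exec_path, run_as, base_dir):
        self.exec_path = exec_path
        self.run_as = run_as
        # Resolve the base as well, so a symlinked base compares correctly.
        self.base_dir = os.path.realpath(base_dir)

    def match(self, userargs):
        # Exactly <cmd> <owner> <path>; extra paths or options are rejected.
        if len(userargs) != 3 or userargs[0] != os.path.basename(self.exec_path):
            return False
        owner, target = userargs[1], userargs[2]
        if owner.startswith("-") or not os.path.isabs(target):
            return False
        real = os.path.realpath(target)
        # commonpath compares whole components, so /var/lib/nova-evil does
        # not pass the way it would with a startswith() prefix test.
        return (real != self.base_dir and
                os.path.commonpath([real, self.base_dir]) == self.base_dir)


def demo():
    """Run the filter over a constructed directory tree (sample data)."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "nova")
    os.makedirs(os.path.join(base, "instances"))
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(base + "-evil")
    outside = os.path.join(root, "etc", "shadow")
    good = os.path.join(base, "instances", "disk")
    link = os.path.join(base, "instances", "link")
    for path in (outside, good):
        open(path, "w").close()
    os.symlink(outside, link)
    f = RealFileFilter("/bin/chown", "root", base)
    return {
        "plain": f.match(["chown", "nova", good]),
        "symlink": f.match(["chown", "nova", link]),
        "traversal": f.match(["chown", "nova", base + "/../etc/shadow"]),
        "sibling": f.match(["chown", "nova", base + "-evil/x"]),
        "extra_path": f.match(["chown", "nova", outside, good]),
    }
```

The resolution happens at one point in time: if the base directory is writable by the unprivileged caller, the path can change between this check and the command running, which is why the first option in the comment anchors to a root-owned directory.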