Remove unused rootwrap filters

Thanks to mikal, nova was fully transitioned to using privsep over
the past cycles. However the old rootwrap filter definitions have been
left behind, which basically means that there is limited security
benefit right now (code gone rogue could still call rootwrap to execute
some code as root).

As far as I can tell, those can be removed now. os-brick calls in
compute.filters should be covered by the os_brick.privileged.default
context.

Rootwrap is now only used to launch the two privileged privsep contexts.
Since those are one-shot at the start of the service, there is little
point in using rootwrap-daemon on nova nodes.

network.filters and api-metadata.filters are being removed in
https://review.opendev.org/#/c/696518 as part of the nova-net cleanup.

Change-Id: Ie5e5ab17dabad713d4ad1261ab8b5d62b017f31e
Thierry Carrez 2019-12-04 12:32:49 +01:00
parent 1c2b7d8f01
commit 909d0de68e
1 changed files with 2 additions and 18 deletions

@ -2,24 +2,8 @@
# This file should be owned by (and only-writeable by) the root user
[Filters]
# os-brick needed commands
read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
multipath: CommandFilter, multipath, root
# multipathd show status
multipathd: CommandFilter, multipathd, root
systool: CommandFilter, systool, root
vgc-cluster: CommandFilter, vgc-cluster, root
# os_brick/initiator/connector.py
drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
# TODO(smcginnis) Temporary fix.
# Need to pull in os-brick os-brick.filters file instead and clean
# out stale brick values from this file.
scsi_id: CommandFilter, /lib/udev/scsi_id, root
# os_brick.privileged.default oslo.privsep context
# This line ties the superuser privs with the config files, context name,
# and (implicitly) the actual python code invoked.
privsep-rootwrap-os_brick: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
privsep-rootwrap-sys_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.sys_admin_pctxt, --privsep_sock_path, /tmp/.*
# nova.privsep.sys_admin_pctxt oslo.privsep context
privsep-rootwrap-sys_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.sys_admin_pctxt, --privsep_sock_path, /tmp/.*
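
Review bot: the two `privsep-helper` filters left at the end of this hunk are now the only root entry points in the file, and their argument patterns are loose. The lookahead in `--config-file, /etc/(?!\.\.).*` rejects `..` only directly after `/etc/`, so a path with `..` in a later component still matches, and `--privsep_sock_path, /tmp/.*` accepts anything beginning with `/tmp/`. Consider tightening both in a follow-up, for example by rejecting `..` anywhere in either argument and limiting `--config-file` to the configuration paths the service actually passes. Separately, the change touches only this one file: since the message states that rootwrap-daemon has little point on nova nodes and the command filters are gone, a release note telling deployers and packagers about both would be worth adding.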