Cleanup no longer required filters and add a release note.

Its the end of the road. Change-Id: Ic966bc5f56e578ddf775acbf6e82dbe281fd5ffa
2019-02-27 20:45:16 +00:00 · 2019-02-27 20:45:16 +00:00 · e90c2ba868
commit e90c2ba868
parent 1d2c677641
2 changed files with 7 additions and 134 deletions
--- a/etc/nova/rootwrap.d/compute.filters
+++ b/etc/nova/rootwrap.d/compute.filters
@ -3,121 +3,6 @@

 [Filters]

-# nova/virt/libvirt/utils.py: 'blockdev', '--getsize64', path
-# nova/virt/disk/mount/nbd.py: 'blockdev', '--flushbufs', device
-blockdev: RegExpFilter, blockdev, root, blockdev, (--getsize64|--flushbufs), /dev/.*
-
-# nova/virt/libvirt/vif.py: 'ip', 'tuntap', 'add', dev, 'mode', 'tap'
-# nova/virt/libvirt/vif.py: 'ip', 'link', 'set', dev, 'up'
-# nova/virt/libvirt/vif.py: 'ip', 'link', 'delete', dev
-# nova/network/linux_net.py: 'ip', 'addr', 'add', str(floating_ip)+'/32'i..
-# nova/network/linux_net.py: 'ip', 'addr', 'del', str(floating_ip)+'/32'..
-# nova/network/linux_net.py: 'ip', 'addr', 'add', '169.254.169.254/32',..
-# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', dev, 'scope',..
-# nova/network/linux_net.py: 'ip', 'addr', 'del/add', ip_params, dev)
-# nova/network/linux_net.py: 'ip', 'addr', 'del', params, fields[-1]
-# nova/network/linux_net.py: 'ip', 'addr', 'add', params, bridge
-# nova/network/linux_net.py: 'ip', '-f', 'inet6', 'addr', 'change', ..
-# nova/network/linux_net.py: 'ip', 'link', 'set', 'dev', dev, 'promisc',..
-# nova/network/linux_net.py: 'ip', 'link', 'add', 'link', bridge_if ...
-# nova/network/linux_net.py: 'ip', 'link', 'set', interface, address,..
-# nova/network/linux_net.py: 'ip', 'link', 'set', interface, 'up'
-# nova/network/linux_net.py: 'ip', 'link', 'set', bridge, 'up'
-# nova/network/linux_net.py: 'ip', 'addr', 'show', 'dev', interface, ..
-# nova/network/linux_net.py: 'ip', 'link', 'set', dev, address, ..
-# nova/network/linux_net.py: 'ip', 'link', 'set', dev, 'up'
-# nova/network/linux_net.py: 'ip', 'route', 'add', ..
-# nova/network/linux_net.py: 'ip', 'route', 'del', .
-# nova/network/linux_net.py: 'ip', 'route', 'show', 'dev', dev
-ip: CommandFilter, ip, root
-
-# nova/virt/libvirt/vif.py: 'tunctl', '-b', '-t', dev
-# nova/network/linux_net.py: 'tunctl', '-b', '-t', dev
-tunctl: CommandFilter, tunctl, root
-
-# nova/virt/libvirt/vif.py: 'ovs-vsctl', ...
-# nova/virt/libvirt/vif.py: 'ovs-vsctl', 'del-port', ...
-# nova/network/linux_net.py: 'ovs-vsctl', ....
-ovs-vsctl: CommandFilter, ovs-vsctl, root
-
-# nova/network/linux_net.py: 'ivs-ctl', ....
-ivs-ctl: CommandFilter, ivs-ctl, root
-
-# nova/network/linux_net.py: 'ovs-ofctl', ....
-ovs-ofctl: CommandFilter, ovs-ofctl, root
-
-# nova/virt/xenapi/volume_utils.py: 'iscsiadm', '-m', ...
-iscsiadm: CommandFilter, iscsiadm, root
-
-# nova/virt/libvirt/volume/aoe.py: 'aoe-revalidate', aoedev
-# nova/virt/libvirt/volume/aoe.py: 'aoe-discover'
-aoe-revalidate: CommandFilter, aoe-revalidate, root
-aoe-discover: CommandFilter, aoe-discover, root
-
-# nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path
-pygrub: CommandFilter, pygrub, root
-
-# nova/virt/xenapi/vm_utils.py: fdisk %(dev_path)s
-fdisk: CommandFilter, fdisk, root
-
-# nova/virt/xenapi/vm_utils.py: e2fsck, -f, -p, partition_path
-# nova/virt/disk/api.py: e2fsck, -f, -p, image
-e2fsck: CommandFilter, e2fsck, root
-
-# nova/virt/xenapi/vm_utils.py: resize2fs, partition_path
-# nova/virt/disk/api.py: resize2fs, image
-resize2fs: CommandFilter, resize2fs, root
-
-# nova/network/linux_net.py: 'ip[6]tables-save' % (cmd, '-t', ...
-iptables-save: CommandFilter, iptables-save, root
-ip6tables-save: CommandFilter, ip6tables-save, root
-
-# nova/network/linux_net.py: 'ip[6]tables-restore' % (cmd,)
-iptables-restore: CommandFilter, iptables-restore, root
-ip6tables-restore: CommandFilter, ip6tables-restore, root
-
-# nova/network/linux_net.py: 'arping', '-U', floating_ip, '-A', '-I', ...
-# nova/network/linux_net.py: 'arping', '-U', network_ref['dhcp_server'],..
-arping: CommandFilter, arping, root
-
-# nova/network/linux_net.py: 'dhcp_release', dev, address, mac_address
-dhcp_release: CommandFilter, dhcp_release, root
-
-# nova/network/linux_net.py: 'kill', '-9', pid
-# nova/network/linux_net.py: 'kill', '-HUP', pid
-kill_dnsmasq: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP
-
-# nova/network/linux_net.py: 'kill', pid
-kill_radvd: KillFilter, root, /usr/sbin/radvd
-
-# nova/network/linux_net.py: dnsmasq call
-dnsmasq: EnvFilter, env, root, CONFIG_FILE=, NETWORK_ID=, dnsmasq
-
-# nova/network/linux_net.py: 'radvd', '-C', '%s' % _ra_file(dev, 'conf'..
-radvd: CommandFilter, radvd, root
-
-# nova/network/linux_net.py: 'brctl', 'addbr', bridge
-# nova/network/linux_net.py: 'brctl', 'setfd', bridge, 0
-# nova/network/linux_net.py: 'brctl', 'stp', bridge, 'off'
-# nova/network/linux_net.py: 'brctl', 'addif', bridge, interface
-brctl: CommandFilter, brctl, root
-
-# nova/virt/libvirt/utils.py: 'mkswap'
-# nova/virt/xenapi/vm_utils.py: 'mkswap'
-mkswap: CommandFilter, mkswap, root
-
-# nova/virt/xenapi/vm_utils.py: 'mkfs'
-# nova/utils.py: 'mkfs', fs, path, label
-mkfs: CommandFilter, mkfs, root
-
-# nova/virt/libvirt/utils.py: 'qemu-img'
-qemu-img: CommandFilter, qemu-img, root
-
-# nova/virt/disk/api.py:
-mkfs.ext3: CommandFilter, mkfs.ext3, root
-mkfs.ext4: CommandFilter, mkfs.ext4, root
-mkfs.ntfs: CommandFilter, mkfs.ntfs, root
-
 # os-brick needed commands
 read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
 multipath: CommandFilter, multipath, root
@ -137,22 +22,4 @@ scsi_id: CommandFilter, /lib/udev/scsi_id, root
 # and (implicitly) the actual python code invoked.
 privsep-rootwrap-os_brick: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*

-privsep-rootwrap-sys_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.sys_admin_pctxt, --privsep_sock_path, /tmp/.*
-
-# nova/virt/libvirt/storage/dmcrypt.py:
-cryptsetup: CommandFilter, cryptsetup, root
-
-# nova/virt/xenapi/vm_utils.py:
-xenstore-read: CommandFilter, xenstore-read, root
-
-# nova/virt/libvirt/utils.py:
-rbd: CommandFilter, rbd, root
-
-# nova/virt/libvirt/volume/volume.py: 'cp', '/dev/stdin', delete_control..
-cp: CommandFilter, cp, root
-
-# nova/virt/xenapi/vm_utils.py:
-sync: CommandFilter, sync, root
-
-# nova/virt/libvirt/volume/vzstorage.py
-pstorage-mount: CommandFilter, pstorage-mount, root
+privsep-rootwrap-sys_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.sys_admin_pctxt, --privsep_sock_path, /tmp/.*
--- a/releasenotes/notes/rootwrap-removed-3faca1fdc214f6bf.yaml
+++ b/releasenotes/notes/rootwrap-removed-3faca1fdc214f6bf.yaml
@ -0,0 +1,6 @@
+---
+security:
+  - |
+    The transition from rootwrap (or sudo) to privsep has been completed for
+    nova. The only case where rootwrap is still used is to start privsep
+    helpers. All other rootwrap configurations for nova may now be removed.