openstack/openstack-manuals
Code Issues Proposed changes

Replace tabs with spaces

Browse Source 
Replace tabs with spaces in files

Change-Id: I058657fa8d294210502c647b2612e139d079b440
This commit is contained in:
Andreas Jaeger 2013-12-26 22:18:52 +01:00
parent a02a29af61
commit e127b409d2
8 changed files with 42 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/security-guide/ch024_authentication.xml
View File

@ -79,7 +79,7 @@
<para>Each OpenStack service has a policy file in json format, called <emphasis role="bold">policy.json</emphasis>. The policy file specifies rules, and the rule that governs each resource. A resource could be API access, the ability to attach to a volume, or to fire up instances.</para>
<para>The policies can be updated by the cloud administrator to further control access to the various resources. The middleware could also be further customized. Note that your users must be assigned to groups/roles that you refer to in your policies.</para>
<para>Below is a snippet of the Block Storage service policy.json file.</para>
<screen> 
<screen>
{
"context_is_admin": [["role:admin"]],
"admin_or_owner": [["is_admin:True"], ["project_id:%(project_id)s"]],

6
doc/security-guide/ch052_devices.xml
View File

@ -42,7 +42,7 @@
<section xml:id="ch052_devices-idp490976">
<title>Minimizing the Qemu Codebase</title>
<para>One classic security principle is to remove any unused components from your system. QEMU provides support for many different virtual hardware devices. However, only a small number of devices are needed for a given instance. Most instances will use the virtio devices. However, some legacy instances will need access to specific hardware, which can be specified using glance metadata:</para>
<screen> 
<screen>
glance image-update \
    --property hw_disk_bus=ide \
    --property hw_cdrom_bus=ide \
@ -71,7 +71,7 @@ glance image-update \
</listitem>
</itemizedlist>
<para>Putting this all together, and adding in some additional useful protections, we recommend the following compiler options for gcc when compiling QEMU:</para>
<screen> 
<screen>
CFLAGS="-arch x86_64 -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -pie -fPIE -ftrapv -­D_FORTIFY_SOURCE=2 ­O2 -Wl,-z,relro,-z,now"</screen>
<para>We recommend testing your QEMU executable file after it is compiled to ensure that the compiler hardening worked properly.</para>
<para>Most cloud deployments will not want to build software such as QEMU by hand. It is better to use packaging to ensure that the process is repeatable and to ensure that the end result can be easily deployed throughout the cloud. The references below provide some additional details on applying compiler hardening options to existing packages.</para>
@ -120,7 +120,7 @@ CFLAGS="-arch x86_64 -fstack-protector-all -Wstack-protector --param ssp-buffer-
<section xml:id="ch052_devices-idp523744">
<title>Labels and Categories</title>
<para>KVM-based virtual machine instances are labelled with their own SELinux data type, known as svirt_image_t. Kernel level protections prevent unauthorized system processes, such as malware, from manipulating the virtual machine image files on disk. When virtual machines are powered off, images are stored as svirt_image_t as shown below:</para>
<screen> 
<screen>
system_u:object_r:svirt_image_t:SystemLow image1
system_u:object_r:svirt_image_t:SystemLow image2
system_u:object_r:svirt_image_t:SystemLow image3