[openstack-dev] [nova][cinder][neutron][security] Rootwrap discussions at OSSG mid-cycle

Thierry Carrez thierry at openstack.org
Tue May 12 16:14:46 UTC 2015


Lucas Fisher wrote:
> We spent some time at the OSSG mid-cycle meet-up this week discussing root wrap, looking at the existing code, and considering some of the mailing list discussions.
> 
> Summary of our discussions: https://github.com/hyakuhei/OSSG-Security-Practices/blob/master/ossg_rootwrap.md
> 
> The one line summary is we like the idea of a privileged daemon with higher level interfaces to the commands being run. It has a number of advantages such as easier to audit, enables better input sanitization, cleaner interfaces, and easier to take advantage of Linux capabilities, SELinux, AppArmour, etc. The write-up has some more details.

For those interested in that topic and willing to work on the next
stage, we'll have a work session on the future of rootwrap in the Oslo
track at the Design Summit in Vancouver:

http://sched.co/3B2B

-- 
Thierry Carrez (ttx)



More information about the OpenStack-dev mailing list