[openstack-dev] [nova][cinder][neutron][security] Rootwrap discussions at OSSG mid-cycle

Angus Lees gus at inodes.org
Thu May 14 07:48:44 UTC 2015


On Wed, 13 May 2015 at 02:16 Thierry Carrez <thierry at openstack.org> wrote:

> Lucas Fisher wrote:
> > We spent some time at the OSSG mid-cycle meet-up this week discussing
> > rootwrap, looking at the existing code, and considering some of the
> > mailing list discussions.
> >
> > Summary of our discussions:
> > https://github.com/hyakuhei/OSSG-Security-Practices/blob/master/ossg_rootwrap.md
> >
> > The one-line summary is that we like the idea of a privileged daemon with
> > higher-level interfaces to the commands being run. It has a number of
> > advantages: it is easier to audit, enables better input sanitization,
> > gives cleaner interfaces, and makes it easier to take advantage of Linux
> > capabilities, SELinux, AppArmor, etc. The write-up has some more details.
>
> For those interested in that topic and willing to work on the next
> stage, we'll have a work session on the future of rootwrap in the Oslo
> track at the Design Summit in Vancouver:
>
> http://sched.co/3B2B
>
>
Fwiw, I've continued work on my privsep proposal(*) and how it interacts
with existing rootwrap.  I look forward to discussing it and alternatives
at the session.

(*) https://review.openstack.org/#/c/155631

 - Gus
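The contrast the thread is about (filtering an arbitrary command line handed over by an unprivileged caller, versus a privileged daemon exposing a narrow, typed operation that validates its own parameters) can be shown in a few lines. The following is an added illustration, not code from this thread, from OpenStack's rootwrap, or from the privsep proposal; `CommandFilter`, `rootwrap_style`, `is_valid_ifname` and `set_link_state` are names made up for this example, and neither side executes anything: both return the argv they would run, so it works without root.

```python
"""Constructed illustration (not OpenStack's rootwrap or privsep code) of
two ways to let an unprivileged service perform a privileged action:
filter a caller-supplied command line, or expose a narrow typed entry point
that validates its own parameters and builds the command itself."""
import re
import shlex


class CommandFilter:
    """rootwrap-style filter (hypothetical class for this example): argv[0]
    must equal exec_path and every further argument must fully match the
    regex for its position."""

    def __init__(self, exec_path, *arg_patterns):
        self.exec_path = exec_path
        self.arg_patterns = [re.compile(p) for p in arg_patterns]

    def match(self, argv):
        if not argv or argv[0] != self.exec_path:
            return False
        args = argv[1:]
        if len(args) != len(self.arg_patterns):
            return False
        return all(p.fullmatch(a) is not None
                   for p, a in zip(self.arg_patterns, args))


# Meant to allow "ip link set <dev> up|down".  The filter author has to
# anticipate every argument position, and ".*" in the device slot accepts
# any single token the caller chooses, including option-looking strings.
LOOSE_FILTER = CommandFilter("/sbin/ip", r"link", r"set", r".*", r"up|down")


def rootwrap_style(cmdline):
    """Return the argv the wrapper would exec, or None if the filter rejects
    the caller's command line."""
    argv = shlex.split(cmdline)
    return argv if LOOSE_FILTER.match(argv) else None


# Interface names: at most 15 characters (IFNAMSIZ - 1 on Linux), an
# alphanumeric first character so the value can never be read as an option,
# then a conservative character set.  This validation is owned by the
# privileged side, which knows what the parameter means.
_IFNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.:-]{0,14}$")


def is_valid_ifname(dev):
    return isinstance(dev, str) and _IFNAME_RE.match(dev) is not None


def set_link_state(dev, up):
    """privsep-style entry point (hypothetical name): receives typed
    parameters, validates them against what this one operation needs, and
    assembles the argv itself, so no caller string ever lands in a
    command-word position.  Raises ValueError on bad input."""
    if not is_valid_ifname(dev):
        raise ValueError("invalid interface name: %r" % (dev,))
    if not isinstance(up, bool):
        raise ValueError("up must be a bool, got %r" % (up,))
    return ["/sbin/ip", "link", "set", dev, "up" if up else "down"]


if __name__ == "__main__":
    # Normal request: both designs produce the same argv.
    print(rootwrap_style("/sbin/ip link set eth0 up"))
    print(set_link_state("eth0", True))
    # A caller-controlled token the filter cannot tell apart from a device
    # name is passed through; the typed entry point rejects it.
    print(rootwrap_style("/sbin/ip link set '--not-a-device' up"))
    try:
        set_link_state("--not-a-device", True)
    except ValueError as exc:
        print("privsep-style rejected it:", exc)
```

The filter side can only reason about token shapes, so every loosely specified position is a place where the caller decides what the binary sees; the typed side is also the natural place to apply Linux capabilities or an SELinux/AppArmor profile to one small, auditable operation rather than to a generic command runner.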

