<div dir="ltr"><div>Hi Rob,</div><div><br></div><div>I have several thoughts about the idea.</div><div><br></div><div>1) The first is for message queue, as all components talk to each other via it. If we follow the official installation guide, we only have one account for all the components to use the message queues and there's no access control rules. Although the cloud user can creates its own users and rules in RabbitMQ [1] (I don't know if there's such security mechanism in Qpid). I think there's should be a universal message queue policy for OpenStack. Then this policy could be translated into the low-level rules in RabbitMQ or Qpid. This feature is not security hook related, but it seems to be useful? And besides message queue, is there any other communication mechanisms for OpenStack components?</div><div><br></div><div>2) The VM's access to resources needs to be restricted. The resources include VM themselves, networks, disks and so on. i.e. A disk is provided to a VM, we just mount the disk to the VM, but there's no policy to prevent the disk is not mounted to other VMs. So I wonder if a MAC policy is needed. Then the MAC policy will say that only this VM can access the disk. The drawback is that the MAC policy seems to be changed very frequently based on cloud user's choice, which doesn't look the same as the SELinux policy.</div><div><br></div><div>3) For a security module, the first is to determine the subjects and objects. All access from subjects to objects will be mediated based on policy. Subjects can be OpenStack components, VMM or cloud user. Objects can be OpenStack components, VMM, VM and other resources (such as disks). I don't know if my definition for subjects and objects are suitable.</div><div><br></div><div>4) As for the hook implementation, the most common way is to add check code in the source. While I found this hook mechanism [2], it seems to be more graceful than adding check code, but it is only for nova, is there some way that works in all components?</div><div><br></div><div>Any response would be appreciated.</div><div><br></div><div>-Yang</div><div><br></div><div>[1] <a href="https://www.rabbitmq.com/access-control.html">https://www.rabbitmq.com/access-control.html</a></div><div class="gmail_extra">[2] <a href="http://docs.openstack.org/developer/nova/devref/hooks.html">http://docs.openstack.org/developer/nova/devref/hooks.html</a></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 17, 2015 at 4:43 PM, Clark, Robert Graham <span dir="ltr"><<a href="mailto:robert.clark@hp.com" target="_blank">robert.clark@hp.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div lang="EN-GB" link="#0563C1" vlink="#954F72">
<div>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Hi Yang,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">This is an interesting idea. Most operators running production OpenStack deployments will be using OS-level Mandatory Access Controls
already (likely AppArmour or SELinux).<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">I can see where there might be some application on a per-service basis, introducing more security for Swift, Nova etc, I’m not sure
what you could do that would be OpenStack-wide. <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Interested to hear where you think work on this might go.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">-Rob<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<div style="border-style:none none none solid;border-left-color:blue;border-left-width:1.5pt;padding:0cm 0cm 0cm 4pt">
<div>
<div style="border-style:solid none none;border-top-color:rgb(225,225,225);border-top-width:1pt;padding:3pt 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif">From:</span></b><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif"> Yang Luo [mailto:<a href="mailto:hsluoya@gmail.com" target="_blank">hsluoya@gmail.com</a>]
<br>
<b>Sent:</b> 17 June 2015 07:47<br>
<b>To:</b> <a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a><br>
<b>Subject:</b> [openstack-dev] [Security] the need about implementing a MAC security hook framework for OpenStack<u></u><u></u></span></p>
</div>
</div><div><div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Hi list,<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal"> I'd like to know the need about implementing a MAC (Mandatory Access Control) security hook framework for OpenStack, just like the Linux Security Module to Linux. It can be used to help construct a security module that mediates the communications
between OpenStack nodes and controls distribution of resources (i.e., images, network, shared disks). This security hook framework should be cluster-wide, dynamic policy updating supported, non-intrusive implemented and with low performance overhead. The famous
module in LSM, SELinux can also be imported into this security hook framework. In my point, as OpenStack has become a leading cloud operating system, it needs some kind of security architecture as standard OS.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">I am a Ph.D student who has been following OpenStack security closely for nearly 1 year. This is just my initial idea and I know this project won't be small, so before I actually work on it, I'd like to hear your suggestions or objections
about it. Thanks!<u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Best,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">Yang<u></u><u></u></p>
</div>
</div>
</div></div></div>
</div>
</div>
<br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div></div>