On Thu, Mar 19, 2020 at 11:52 AM Rodolfo Alonso <ralonsoh@redhat.com> wrote:
Hello all:
With this mail I would like to propose the goal to move away from oslo.rootwrap and migrate to oslo.privsep. The last one offers a superior security model, faster and more secure. During the last cycles and since privsep was released, the Community has encouraged the usage of privsep and the deprecation of any existing code still using rootwrap.
For any developer willing to collaborate, there are plenty of code examples, as I’ll provide later, implementing and using privsep for new methods and migrations.
If this goal is approved, I'll open a Story ( https://storyboard.openstack.org/) and any developer will be able to add a task for each patch or set of them related. This would be the tracker for this common effort.
PROJECTS TO MIGRATE. -------------------- Projects that are still using rootwrap: http://codesearch.openstack.org/?q=rootwrap&i=nope&files=.*.py&repos= neutron os-brick designate cinder ironic-inspector neutron-vpnaas nova solum glance_store ironic zun
Zun adopted privsep as early as two years ago: https://review.opendev.org/#/c/511430/ .
magnum manila networking-bagpipe sahara ceilometer cinderlib freezer ironic-lib monasca-agent tacker tripleo-common
USAGE DOCUMENTATION ABOUT PRIVSEP. ---------------------------------- How to create a privsep context, assign privileges and use it as a decorator: https://docs.openstack.org/oslo.privsep/latest/user/index.html
HOW TO MIGRATE FROM ROOTWRAP TO PRIVSEP. ---------------------------------------- From the same link provided previously, in the section “Converting from rootwrap to privsep”:
https://docs.openstack.org/oslo.privsep/latest/user/index.html#converting-fr...
oslo.privsep provides a class, PrivContext, that can be used to create a decorator function. The instance created is a context of execution and has defined a list of capabilities, matching the Linux capabilities. The privsep context decorator should contain the minimum needed capabilities to execute the decorated function.
For example:
default = priv_context.PrivContext( __name__, cfg_section='privsep', pypath=__name__ + '.default', capabilities=[caps.CAP_SYS_ADMIN, caps.CAP_NET_ADMIN, caps.CAP_DAC_OVERRIDE, caps.CAP_DAC_READ_SEARCH, caps.CAP_SYS_PTRACE], )
The function “entrypoint” of this instance can be used as a decorator for another function:
@privileged.default.entrypoint def delete_interface(ifname, namespace, **kwargs): _run_iproute_link("del", ifname, namespace, **kwargs)
As commented in the given link, a straight 1:1 filter:function replacement generally results in functions that are still too broad for good security. It is better to replace each chmod rootwrap call with a narrow privsep function that will limit it to specific files.
MIGRATION EXAMPLES. ------------------- Nova:
https://review.opendev.org/#/q/project:openstack/nova+branch:master+topic:my... Neutron:
https://review.opendev.org/#/q/status:merged+project:openstack/neutron+branc... os-vif <https://review.opendev.org/#/q/status:merged+project:openstack/neutron+branch:master+topic:bug/1492714os-vif>: https://review.opendev.org/#/c/287725/
Thank you and regards.