[openstack-dev] [nova][cinder][neutron][security] Rootwrap discussions at OSSG mid-cycle
Thierry Carrez
thierry at openstack.org
Tue May 12 16:14:46 UTC 2015
Lucas Fisher wrote:
> We spent some time at the OSSG mid-cycle meet-up this week discussing rootwrap, looking at the existing code, and considering some of the mailing list discussions.
>
> Summary of our discussions: https://github.com/hyakuhei/OSSG-Security-Practices/blob/master/ossg_rootwrap.md
>
> The one-line summary is we like the idea of a privileged daemon with higher level interfaces to the commands being run. It has a number of advantages such as easier to audit, enables better input sanitization, cleaner interfaces, and easier to take advantage of Linux capabilities, SELinux, AppArmor, etc. The write-up has some more details.
For those interested in that topic and willing to work on the next
stage, we'll have a work session on the future of rootwrap in the Oslo
track at the Design Summit in Vancouver:
http://sched.co/3B2B
--
Thierry Carrez (ttx)