authorThierry Carrez <thierry@openstack.org>2019-12-04 12:32:49 +0100
committerThierry Carrez <thierry@openstack.org>2019-12-04 12:32:49 +0100
commit909d0de68edcb232c0d0ca28b755806f7f3780bc (patch)
treeeebfd1c20560b29231c0bcfd57000138a69066b7 /etc
parent1c2b7d8f01814adfd6d28b97013a40cca51dfbdf (diff)
Remove unused rootwrap filters
Thanks to mikal, nova was fully transitioned to using privsep over the past cycles. However the old rootwrap filter definitions have been left behind, which basically means that there is limited security benefit right now (code gone rogue could still call rootwrap to execute some code as root). As far as I can tell, those can be removed now. os-brick calls in compute.filters should be covered by the os_brick.privileged.default context. Rootwrap is now only used to launch the two privileged privsep contexts. Since those are one-shot at the start of the service, there is little point in using rootwrap-daemon on nova nodes. network.filters and api-metadata.filters are being removed in https://review.opendev.org/#/c/696518 as part of the nova-net cleanup. Change-Id: Ie5e5ab17dabad713d4ad1261ab8b5d62b017f31e
Diffstat (limited to 'etc')
-rw-r--r--etc/nova/rootwrap.d/compute.filters20
1 files changed, 2 insertions, 18 deletions
diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters
index 4fe2547115..4ccb5b4c9f 100644
--- a/etc/nova/rootwrap.d/compute.filters
+++ b/etc/nova/rootwrap.d/compute.filters
@@ -2,24 +2,8 @@
# This file should be owned by (and only-writeable by) the root user
[Filters]
-
-# os-brick needed commands
-read_initiator: ReadFileFilter, /etc/iscsi/initiatorname.iscsi
-multipath: CommandFilter, multipath, root
-# multipathd show status
-multipathd: CommandFilter, multipathd, root
-systool: CommandFilter, systool, root
-vgc-cluster: CommandFilter, vgc-cluster, root
-# os_brick/initiator/connector.py
-drv_cfg: CommandFilter, /opt/emc/scaleio/sdc/bin/drv_cfg, root, /opt/emc/scaleio/sdc/bin/drv_cfg, --query_guid
-
-# TODO(smcginnis) Temporary fix.
-# Need to pull in os-brick os-brick.filters file instead and clean
-# out stale brick values from this file.
-scsi_id: CommandFilter, /lib/udev/scsi_id, root
# os_brick.privileged.default oslo.privsep context
-# This line ties the superuser privs with the config files, context name,
-# and (implicitly) the actual python code invoked.
privsep-rootwrap-os_brick: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, os_brick.privileged.default, --privsep_sock_path, /tmp/.*
-privsep-rootwrap-sys_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.sys_admin_pctxt, --privsep_sock_path, /tmp/.* \ No newline at end of file
+# nova.privsep.sys_admin_pctxt oslo.privsep context
+privsep-rootwrap-sys_admin: RegExpFilter, privsep-helper, root, privsep-helper, --config-file, /etc/(?!\.\.).*, --privsep_context, nova.privsep.sys_admin_pctxt, --privsep_sock_path, /tmp/.*
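Review bot: The `--config-file` argument in both retained filters is still matched by `/etc/(?!\.\.).*`, whose negative lookahead only rejects a `..` immediately after `/etc/`, so a value like `/etc/nova/../../tmp/evil.conf` still matches unless rootwrap canonicalizes the path before matching, which is not visible from this file. With the os-brick and scsi/multipath filters gone, these two lines are the only rootwrap entry points left, so the config-file path and the `/tmp/.*` socket path are now the whole of what a rogue unprivileged caller can vary; tightening the former to the expected locations, e.g. `/etc/nova/[^/]+\.conf`, or a pattern that rejects any `/../` component, seems worth a follow-up. The commit also drops the comment that explained why these lines are the trust boundary (`# This line ties the superuser privs with the config files, context name, and (implicitly) the actual python code invoked.`); I would keep it above the two filters so the rationale stays with the file.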