Add ChainingRegExpFilter into rootwrap¶
https://blueprints.launchpad.net/oslo-incubator/+spec/chaining-regexp-filter
Add a new filter that accepts utilities prefixed to other commands, such as ‘nice’ and ‘ionice’. This will improve the maintainability of config files.
Problem description¶
Currently we don’t have a good way to define filters that allow prefix utilities. For example, Cinder uses three RegExpFilter rules to allow the ‘ionice’ + ‘dd’ command, covering various ‘dd’ options. But this is fragile to changes in how ‘dd’ is used (in fact, these rules are currently broken by a bugfix patch for ‘dd’: https://bugs.launchpad.net/cinder/+bug/1318748 ).
Proposed change¶
By adding ChainingRegExpFilter, which is configured by the format below, we can easily add a new filter that accepts prefix utilities.
- filter_name: ChainingRegExpFilter, <command>, <user>, <RegExp list for the arguments>
This filter treats the length of the regular expression list as the number of arguments it checks itself; the remaining arguments are checked by other filters. That is, the command passed as an argument to the prefix utility must itself be allowed to execute directly.
For example, ‘ionice’ + ‘dd’ can be accepted safely by the single rule below (that is, accepted only when the command that follows is acceptable to other filters).
ionice: ChainingRegExpFilter, ionice, root, ionice, -c[0-3]( -n[0-7])?
‘dd’ must also be allowed to execute directly (without ‘ionice’). Note that Cinder currently allows ‘dd’ for root using CommandFilter by default.
Alternatives¶
We could implement a specialized filter class for each prefix command, like IpNetnsExecFilter, each time one is needed. That might make it easier to reuse the same rule among projects, although it may require a lot of classes. ChainingRegExpFilter is more generic, so it is still useful at least until the utility is found to be sharable.
Impact on Existing APIs¶
None.
Security impact¶
Rules for prefix utilities must be written carefully so that they do not allow unchecked commands to be executed. For example, it can be dangerous to allow any string (‘.*’) for an argument that could be interpreted as the command to be executed.
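The matching described under "Proposed change" and the ‘.*’ caveat above, as an added example (a simplified model written for this page, not the oslo rootwrap code). ALLOWED_DIRECT, BROAD_RULE, ‘othertool’ and the sample command lines are constructed assumptions; SPEC_RULE is the regexp list from the rule shown earlier.

```python
import re

# Simplified model (assumption): the first len(patterns) arguments must each
# fully match their pattern; the remaining arguments must be accepted by one
# of the other, non-chaining filters.
ALLOWED_DIRECT = {"dd"}  # constructed stand-in for a CommandFilter allowing 'dd'


def direct_ok(args):
    """Stand-in for the other filters: allow a command by its name only."""
    return bool(args) and args[0] in ALLOWED_DIRECT


def chaining_ok(patterns, userargs):
    """Return True when the prefix matches and the remainder is allowed."""
    if len(userargs) < len(patterns):
        return False
    for pattern, arg in zip(patterns, userargs):
        if not re.fullmatch(pattern, arg):
            return False
    # An empty remainder (prefix utility with no command) is rejected too.
    return direct_ok(userargs[len(patterns):])


# Regexp list from the spec's rule: "ionice, -c[0-3]( -n[0-7])?"
SPEC_RULE = ["ionice", r"-c[0-3]( -n[0-7])?"]
# Hypothetical over-broad rule: the extra '.*' covers the position that
# ionice itself treats as the command to run.
BROAD_RULE = ["ionice", r"-c[0-3]", r".*"]

# Constructed command lines.
GOOD = ["ionice", "-c3", "dd", "if=/dev/zero", "of=/tmp/out"]
UNCHECKED = ["ionice", "-c3", "othertool", "dd", "if=/dev/zero"]


def audit():
    """Decision of each rule for each sample command line."""
    return {
        "spec/good": chaining_ok(SPEC_RULE, GOOD),
        "spec/unchecked": chaining_ok(SPEC_RULE, UNCHECKED),
        "broad/unchecked": chaining_ok(BROAD_RULE, UNCHECKED),
    }


if __name__ == "__main__":
    for case, accepted in audit().items():
        print(f"{case}: {'ACCEPT' if accepted else 'DENY'}")
```

Under the broad rule the filter chain validates ‘dd’, but the program ‘ionice’ would actually start is ‘othertool’, which no filter ever checked.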
Performance Impact¶
None.
Configuration Impact¶
New filter ‘ChainingRegExpFilter’ will be available.
Developer Impact¶
None.
Implementation¶
Assignee(s)¶
- Primary assignee:
tsekiyama
Milestones¶
- Target Milestone for completion:
Juno-1
Work Items¶
Implement ChainingRegExpFilter -> https://review.openstack.org/#/c/97336/
Incubation¶
None.
Adoption¶
None.
Library¶
None.
Anticipated API Stabilization¶
None.
Documentation Impact¶
Usage of ChainingRegExpFilter should be added to the document.
Dependencies¶
This feature provides a good way for Cinder to fix the ‘ionice’ command rules.
A Cinder patch implementing an I/O rate limit needs to execute the ‘cgexec’ prefix utility with rootwrap ( https://review.openstack.org/#/c/92894/ ).
References¶
None.
Note
This work is licensed under a Creative Commons Attribution 3.0 Unported License. http://creativecommons.org/licenses/by/3.0/legalcode