Implement privsep boilerplate in Manila

Add the privsep module to Manila, as well as its initialization. All changes to other Manila calls will be reusing this new module and the new root context brought by it. Partially-Implements: bp privsep-migration Change-Id: I35bd548894d96ed66faab4ede7c16f28e9755663
2021-09-29 10:46:26 -03:00 · 2021-09-29 10:46:26 -03:00 · 777954b924
parent b7f417afdf
commit 777954b924
4 changed files with 38 additions and 1 deletions
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@ -46,7 +46,7 @@ Mako==1.0.7
 MarkupSafe==1.1.1
 monotonic==1.4
 mox3==0.25.0
-msgpack==0.5.6
+msgpack==0.6.0
 munch==2.2.0
 netaddr==0.8.0
 netifaces==0.10.6
@ -65,6 +65,7 @@ oslo.log==4.4.0
 oslo.messaging==12.5.0
 oslo.middleware==4.1.1
 oslo.policy==3.7.0
+oslo.privsep==2.4.0
 oslo.reports==2.2.0
 oslo.rootwrap==6.2.0
 oslo.serialization==4.0.1
--- a/manila/privsep/init.py
+++ b/manila/privsep/init.py
@ -0,0 +1,29 @@
+#    Copyright 2021 Red Hat, Inc.
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+"""Setup privsep decorator."""
+
+from oslo_privsep import capabilities
+from oslo_privsep import priv_context
+
+sys_admin_pctxt = priv_context.PrivContext(
+    'manila',
+    cfg_section='manila_sys_admin',
+    pypath=__name__ + '.sys_admin_pctxt',
+    capabilities=[capabilities.CAP_CHOWN,
+                  capabilities.CAP_DAC_OVERRIDE,
+                  capabilities.CAP_DAC_READ_SEARCH,
+                  capabilities.CAP_FOWNER,
+                  capabilities.CAP_NET_ADMIN,
+                  capabilities.CAP_SYS_ADMIN],
+)
--- a/releasenotes/notes/privsep-migration-846819fdb181d83a.yaml
+++ b/releasenotes/notes/privsep-migration-846819fdb181d83a.yaml
@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Privsep transitions. Manila is transitioning from using the older style
+    rootwrap privilege escalation path to the new style Oslo privsep path.
+    This should improve performance and security of Manila in the long term.
--- a/requirements.txt
+++ b/requirements.txt
@ -18,6 +18,7 @@ oslo.log>=4.4.0 # Apache-2.0
 oslo.messaging>=12.5.0 # Apache-2.0
 oslo.middleware>=4.1.1 # Apache-2.0
 oslo.policy>=3.7.0 # Apache-2.0
+oslo.privsep>=2.4.0 # Apache-2.0
 oslo.reports>=2.2.0 # Apache-2.0
 oslo.rootwrap>=6.2.0 # Apache-2.0
 oslo.serialization>=4.0.1 # Apache-2.0