From: Anton Kachalov <rnouse@google.com>
To: OpenBMC Maillist <openbmc@lists.ozlabs.org>
Cc: Brandon Kim <brandonkim@google.com>,
	Ed Tanous <edtanous@google.com>,
	Brad Bishop <bradleyb@fuzziesquirrel.com>,
	Joseph Reynolds <jrey@linux.ibm.com>,
	Andrew Geissler <geissonator@yahoo.com>
Subject: Re: OS-level privilege separation work
Date: Wed, 21 Apr 2021 23:51:14 +0200	[thread overview]
Message-ID: <CADVsX88qTL7Tm_cugrSPz26OMVyAUETvvrN1dO5jhKanWhYGwg@mail.gmail.com> (raw)
In-Reply-To: <CADVsX8-pPS6F22WUt_6NRk1raSQ6pr0M6vZfz0SKCH0zvwoU2g@mail.gmail.com>

Please, help on reviewing the following changes:

1. https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41834
  depends on:
     - https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-logging/+/41835
2. https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/40359
  depends on:
     - https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-hwmon/+/40277
     - https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-hwmon/+/40214
3. https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41432
4. https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41471
5. https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41430
  depends on:
     - https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/41166


Unifying certs paths for nslcd / phosphor-user-manager:
 - https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/42517
 - https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/42513
 - https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-user-manager/+/41429

On Mon, 5 Apr 2021 at 17:48, Anton Kachalov <rnouse@google.com> wrote:
>
> Follow-up after last week's Security Working group meeting.
>
> The idea is that changes' reviews might be slowed down because the
> changes don't have instant impact and cannot be tested "here and
> now".
>
> A while ago there was a discussion in Discord:
>
> https://discord.com/channels/775381525260664832/775694761775464468/803832183260184576
>
> > Brad Bishop:
> > A couple reasons I had for putting the systemd units and udev rules in the application repositories were:
> > 1 - I looked at a couple other ubiquitous projects and that is what they were doing
> > 2 - putting them in bitbake makes it easy for everyone to do one-off hacks in their specific machine layer, so was trying to discourage that a bit.
>
> That encourages moving systemd unit files & other configs (e.g.
> busconfig ACLs) into individual repos whenever possible.
>
> We have to modify individual repos three times:
> 1. Refactor openbmc meta & individual repo to move configs as per
> above suggestion.
> 2. Change services one by one to run as non-root, which implies an
> intermediate busconfig ACLs change to include both root and non-root
> ACLs.
> 3. Once we have all applicable services run as non-root, drop
> root-related ACLs from the configs.
>
> The first step affects both the openbmc meta and the individual repo. The
> change will be complex because of refactoring and introducing new features
> at the same time. Changes to an individual repo, once merged, will block
> other changes for that repo until openbmc's meta-related change is
> merged, due to incompatibility between the individual repo head and the
> current openbmc meta.
>
> To reduce complexity and speed up the review process for the busconfig
> ACLs introduction, I would like to suggest proceeding with one bigger
> change to openbmc meta that doesn't refactor how configs are being
> supplied, keeping the changes to several services in the top-level meta
> simple & similar, and easy to review. This approach will also have
> instant impact: once merged we will have enforced ACLs for D-Bus.
>
> Roughly, the change will look like this (it's a bit outdated):
>
>    https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/37844
>
> The final change would exclude refactoring for systemd to make changes
> scoped & simplified. I've checked those changes on a number of targets
> that can be run under QEMU.
>
> Beforehand we have to review the following changes:
>
>  - certificate-manager:
>    https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41430
>    https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/41166/
>    https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-user-manager/+/41429
>
>  - phosphor-logging:
>    https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-logging/+/41835
>    https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41834
>
>  - phosphor-hwmon:
>    https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-hwmon/+/40277
>    https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-hwmon/+/40214
>    https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/40359
>
> To move towards OS-level privilege separation we need to review these
> blocking changes:
>
>    https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/36965
>    https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41432
>    https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41471
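As an added illustration of the intermediate ACL step discussed in the thread (this is not code from the thread or from any of the linked OpenBMC changes), a D-Bus busconfig fragment that lets both root and a dedicated non-root user own a service name while the migration is in progress. The service user name `phosphor-logging` and the file path are assumptions; `xyz.openbmc_project.Logging` is the well-known name owned by phosphor-logging.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Added example, not from the thread.
       Assumed file: /etc/dbus-1/system.d/xyz.openbmc_project.Logging.conf
       Assumed service user: phosphor-logging -->

  <!-- Step 2 (intermediate): some targets still start the service as
       root, so both identities are allowed to claim the name. -->
  <policy user="root">
    <allow own="xyz.openbmc_project.Logging"/>
  </policy>
  <policy user="phosphor-logging">
    <allow own="xyz.openbmc_project.Logging"/>
  </policy>

  <!-- Everyone else may call the service but never claim its name, so a
       compromised unprivileged process cannot impersonate the logging
       daemon. The system bus already denies "own" by default; the
       explicit deny documents the intent. -->
  <policy context="default">
    <allow send_destination="xyz.openbmc_project.Logging"/>
    <deny own="xyz.openbmc_project.Logging"/>
  </policy>

  <!-- Step 3 (final): once every target runs the service as
       phosphor-logging, delete the <policy user="root"> block above. -->
</busconfig>
```

dbus-daemon evaluates `context="default"` rules before per-user rules regardless of their order in the file, so the allow for the service user takes precedence for that user only, and all other callers keep send rights but not ownership.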
