From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.2 required=3.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BA633C433B4 for ; Mon, 5 Apr 2021 15:49:03 +0000 (UTC) Received: from lists.ozlabs.org (lists.ozlabs.org [112.213.38.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id EA0AD6139E for ; Mon, 5 Apr 2021 15:49:02 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org EA0AD6139E Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=openbmc-bounces+openbmc=archiver.kernel.org@lists.ozlabs.org Received: from boromir.ozlabs.org (localhost [IPv6:::1]) by lists.ozlabs.org (Postfix) with ESMTP id 4FDZp52NxGz30Bq for ; Tue, 6 Apr 2021 01:49:01 +1000 (AEST) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=google.com header.i=@google.com header.a=rsa-sha256 header.s=20161025 header.b=OveSRoab; dkim-atps=neutral Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=google.com (client-ip=2607:f8b0:4864:20::12f; helo=mail-il1-x12f.google.com; envelope-from=gmouse@google.com; receiver=) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=google.com header.i=@google.com header.a=rsa-sha256 header.s=20161025 header.b=OveSRoab; dkim-atps=neutral Received: from mail-il1-x12f.google.com (mail-il1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4FDZnh04lWz2yjY for ; Tue, 6 Apr 2021 01:48:37 +1000 (AEST) Received: by mail-il1-x12f.google.com with SMTP id 6so819929ilt.9 for ; Mon, 05 Apr 2021 08:48:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=0VnzT4im2CcuK/myUzvJY7fU2v7oyD9nGuEqBJxgbDc=; b=OveSRoabD9ACvHpPDrvPgTW2L+J9nScaugsRW444eirpW5EmCutfoL5FcG5DaJfVxI vjynI4Ixmuq9TklFpxfOAUeXfst+38JK8yPmPZU5ii4Era2zrV4SA1oWBaaJbDTPKfC/ OtiApEqQODHENdDyg1Xs/d77xwY9CwJr74XX7HTxvQNC10sB7f7BNKNnyR8ca1VnBUEG dfazIMBXRQRdvaCcv0jJVBidIJatsznkCGgnnNxU7rC2zbo6P6bBkqVEUEhkj39BcoNa ECza0qBGAqhACg8pmtVLqZu62um9QyStEdjyId6OCF5IoJOLq9pr2EC9ryDblKgBofJE 7QFw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=0VnzT4im2CcuK/myUzvJY7fU2v7oyD9nGuEqBJxgbDc=; b=qg8DFkSYatfWqBJG2qfBfHV4uX88NsFnwucnYaqO7XwFowHvUr50H+2+VE3GrHDy86 Ft84u8K083nbo8cAB06Szdq2gAl/EDqCjPaqG4TIiRhTMFjCNNJVo28fGWOlwj4lqF9D X6VEC17Z4OraANHTunxAxKnF6hZEnjTyay5pAUyKRtdAEeoT+qpm9qGKRl/Ku+wNAnyI H9jj3LGt3e63s/amuDEQKoueJaW21+dKeaiL7P7zI/N9Vqi2AvgHbg70BMR3zEmnhv6I bHrA969ofkV2F4looh1I6EQwd0hr1qTivI2fqMwlTgQX6HXU25xt3SUZBkkj+OaY7l6i rLJw== X-Gm-Message-State: AOAM530rdIeMNohjzkcW2lgn6wk2Rg9TFbwnWM/rtEsRZTD296m6Gmqn x+YwIADMtYqH2MB1IgMZQDAlZ4nLQGnjfuZiRI//RX5YjCqaAg== X-Google-Smtp-Source: ABdhPJzIkxZVpipwGL3UkHIquM34RL1S7kt5HKhGZvkhJj1QE2oONSBxorUjWPRm+VClhakX2dh0hzpA/Xgla5tQ45Q= X-Received: by 2002:a92:730a:: with SMTP id o10mr20297831ilc.160.1617637713906; Mon, 05 Apr 2021 08:48:33 -0700 (PDT) MIME-Version: 1.0 From: Anton Kachalov Date: Mon, 5 Apr 2021 17:48:23 +0200 Message-ID: Subject: OS-level privilege separation work To: OpenBMC Maillist Content-Type: text/plain; charset="UTF-8" X-BeenThere: openbmc@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development list for OpenBMC List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openbmc-bounces+openbmc=archiver.kernel.org@lists.ozlabs.org Sender: "openbmc" Follow-up after last week's Security Working group meeting. The idea is that changes' reviews might be slowed down because the changes don't have instant impact and can not be tested "here and now". A while ago there was a discussion in Discord: https://discord.com/channels/775381525260664832/775694761775464468/803832183260184576 > Brad Bishop: > A couple reasons I had for putting the systemd units and udev rules in the application repositories were: > 1 - I looked at a couple other ubiquitous projects and that is what they were doing > 2 - putting them in bitbake makes it easy for everyone to do one-off hacks in their specific machine layer, so was trying to discourage that a bit. That encourages to move systemd unit files & other configs (e.g. busconfig ACLs) into individual repos whenever possible. We have to modify individual repos three times: 1. Refactor openbmc meta & individual repo to move configs as per above suggestion. 2. Change service one by one to run services as non-root that implies intermediate busconfig ACLs change to include both: root and non-root ACLs. 3. Once we have all applicable services run as non-root, drop root-related ACLs from the configs. First step affects both openbmc meta and individual repo. The change will be complex because of refactoring and introducing new features at the same time. Changes to individual repo, once merged, will block other changes for this repo until openbmc's meta-related change is merged due to incompatibility between individual repo head and current openbmc meta. To reduce complexity and speedup review process for the busconfig ACLs introduction I would like to suggest to proceed with one bigger change to openbmc meta that doesn't refactor how configs are being supplied, keeping the changes to several services in top-level meta simple & similar, easy to review. This approach also will have instant impact: once merged we will have enforced ACLs for D-Bus. Roughly the change will looks like this (it's a bit outdated): https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/37844 The final change would exclude refactoring for systemd to make changes scoped & simplified. I've checked those changes on a number of targets that can be run under QEMU. Beforehand we have to review the following changes: - certificate-manager: https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41430 https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/41166/ https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-user-manager/+/41429 - phosphor-logging: https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-logging/+/41835 https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41834 - phosphor-hwmon: https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-hwmon/+/40277 https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-hwmon/+/40214 https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/40359 To move towards OS-level privilege separation we need to review this blocking changes: https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/36965 https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41432 https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41471