* OS-level privilege separation work
@ 2021-04-05 15:48 Anton Kachalov
From: Anton Kachalov @ 2021-04-05 15:48 UTC (permalink / raw)
  To: OpenBMC Maillist

Follow-up after last week's Security Working group meeting.

The idea is that reviews of these changes might be slowed down because
the changes don't have an instant impact and cannot be tested "here and
now".

A while ago there was a discussion in Discord:

https://discord.com/channels/775381525260664832/775694761775464468/803832183260184576

> Brad Bishop:
> A couple reasons I had for putting the systemd units and udev rules in the application repositories were:
> 1 - I looked at a couple other ubiquitous projects and that is what they were doing
> 2 - putting them in bitbake makes it easy for everyone to do one-off hacks in their specific machine layer, so was trying to discourage that a bit.

That encourages moving systemd unit files & other configs (e.g.
busconfig ACLs) into individual repos whenever possible.

We have to modify individual repos three times:
1. Refactor openbmc meta & the individual repo to move configs as per
the above suggestion.
2. Change services one by one to run as non-root, which implies an
intermediate busconfig ACL change to include both root and non-root
ACLs.
3. Once we have all applicable services running as non-root, drop the
root-related ACLs from the configs.

The first step affects both openbmc meta and the individual repo. The
change will be complex because of refactoring and introducing new
features at the same time. Changes to the individual repo, once merged,
will block other changes for that repo until openbmc's meta-related
change is merged, due to incompatibility between the individual repo's
head and current openbmc meta.

To reduce complexity and speed up the review process for the busconfig
ACLs introduction, I would like to suggest proceeding with one bigger
change to openbmc meta that doesn't refactor how configs are being
supplied, keeping the changes to several services in the top-level meta
simple & similar, and easy to review. This approach will also have an
instant impact: once merged, we will have enforced ACLs for D-Bus.

Roughly, the change will look like this (it's a bit outdated):

   https://gerrit.openbmc-project.xyz/c/openbmc/meta-phosphor/+/37844

The final change would exclude refactoring for systemd to make changes
scoped & simplified. I've checked those changes on a number of targets
that can be run under QEMU.

Beforehand we have to review the following changes:

 - certificate-manager:
   https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41430
   https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/41166/
   https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-user-manager/+/41429

 - phosphor-logging:
   https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-logging/+/41835
   https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41834

 - phosphor-hwmon:
   https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-hwmon/+/40277
   https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-hwmon/+/40214
   https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/40359

To move towards OS-level privilege separation we need to review these
blocking changes:

   https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/36965
   https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41432
   https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41471

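The three-step plan above hinges on the "intermediate" busconfig stage: while a service is being moved from root to a dedicated account, the D-Bus policy has to grant the same rights to both identities so that builds still running the old unit keep working. The following busconfig file is an added illustration of that stage, not a file from the thread or from any OpenBMC repository; the bus name `xyz.openbmc_project.ExampleService` and the account `exampleuser` are placeholders.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<!-- Illustrative system-bus policy for the intermediate stage (step 2).
     The bus name and the account are placeholders, not a real service. -->
<busconfig>
  <!-- Step 2: rights for the unprivileged account the service is being
       switched to (the companion systemd unit sets User= to this account).
       This block is the one that survives step 3. -->
  <policy user="exampleuser">
    <allow own="xyz.openbmc_project.ExampleService"/>
    <allow send_destination="xyz.openbmc_project.ExampleService"/>
  </policy>

  <!-- Step 2: root keeps identical rights for as long as any build may
       still start the service as root. Step 3 deletes this whole block
       once every applicable service runs unprivileged. -->
  <policy user="root">
    <allow own="xyz.openbmc_project.ExampleService"/>
    <allow send_destination="xyz.openbmc_project.ExampleService"/>
  </policy>

  <!-- Callers: here any bus client may invoke the service. Narrow this to
       the user/group of the actual clients once they are known. -->
  <policy context="default">
    <allow send_destination="xyz.openbmc_project.ExampleService"/>
  </policy>
</busconfig>
```

Keeping the two `<policy>` blocks textually identical apart from the `user=` attribute is what makes the step-2 reviews "simple & similar" across services: the step-3 change for each service is then a pure deletion of the `user="root"` block, with no other edits to verify.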

* Re: OS-level privilege separation work
@ 2021-04-21 21:51 Anton Kachalov
From: Anton Kachalov @ 2021-04-21 21:51 UTC (permalink / raw)
  To: OpenBMC Maillist
  Cc: Brandon Kim, Ed Tanous, Brad Bishop, Joseph Reynolds, Andrew Geissler

Please help with reviewing the following changes:

1. https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41834
  depends on:
     - https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-logging/+/41835
2. https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/40359
  depends on:
     - https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-hwmon/+/40277
     - https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-hwmon/+/40214
3. https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41432
4. https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41471
5. https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/41430
  depends on:
     - https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/41166


Unifying certificate paths for nslcd / phosphor-user-manager:
 - https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/42517
 - https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-certificate-manager/+/42513
 - https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-user-manager/+/41429

On Mon, 5 Apr 2021 at 17:48, Anton Kachalov <rnouse@google.com> wrote:
