From fda0a0da4155425ecb7153dfe316e41e68fc87e8 Mon Sep 17 00:00:00 2001 From: James Page Date: Wed, 13 Apr 2016 14:36:42 +0100 Subject: [PATCH] Revert "Add apparmor template for nova compute services" Reverting initial support for AppArmor as this change had some un-intended side-effects and the profiles still need further work. This reverts commit b08fe049066c0519bfab06d871780d45f1b48062. Change-Id: I8538b491bc0c6bd3ad02ac0b1d4fda190b137c41 --- .gitignore | 4 - config.yaml | 6 -- .../charmhelpers/contrib/openstack/context.py | 92 +------------------ hooks/charmhelpers/core/host.py | 15 +-- hooks/nova_compute_context.py | 46 ---------- hooks/nova_compute_hooks.py | 8 +- hooks/nova_compute_utils.py | 24 ----- templates/usr.bin.nova-api | 58 ------------ templates/usr.bin.nova-compute | 57 ------------ templates/usr.bin.nova-network | 29 ------ 10 files changed, 4 insertions(+), 335 deletions(-) delete mode 100644 templates/usr.bin.nova-api delete mode 100644 templates/usr.bin.nova-compute delete mode 100644 templates/usr.bin.nova-network diff --git a/.gitignore b/.gitignore index 21a87a3b..11868ea5 100644 --- a/.gitignore +++ b/.gitignore @@ -5,7 +5,3 @@ bin tags *.sw[nop] *.pyc -trusty/ -xenial/ -tests/cirros-*-disk.img -.unit-state.db diff --git a/config.yaml b/config.yaml index 6306bc93..be7b2c39 100644 --- a/config.yaml +++ b/config.yaml @@ -276,9 +276,3 @@ options: description: | Apply system hardening. Supports a space-delimited list of modules to run. Supported modules currently include os, ssh, apache and mysql. - aa-profile-mode: - type: string - default: 'disable' - description: | - Experimental enable apparmor profile. Valid settings: 'complain', 'enforce' or 'disable'. - AA disabled by default. diff --git a/hooks/charmhelpers/contrib/openstack/context.py b/hooks/charmhelpers/contrib/openstack/context.py index c07b33dd..d495da3f 100644 --- a/hooks/charmhelpers/contrib/openstack/context.py +++ b/hooks/charmhelpers/contrib/openstack/context.py 
@@ -20,7 +20,7 @@ import os import re import time from base64 import b64decode -from subprocess import check_call, CalledProcessError +from subprocess import check_call import six import yaml @@ -45,7 +45,6 @@ from charmhelpers.core.hookenv import ( INFO, WARNING, ERROR, - status_set, ) from charmhelpers.core.sysctl import create as sysctl_create 
@@ -1492,92 +1491,3 @@ class InternalEndpointContext(OSContextGenerator): """ def __call__(self): return {'use_internal_endpoints': config('use-internal-endpoints')} - - -class AppArmorContext(OSContextGenerator): - """Base class for apparmor contexts.""" - - def __init__(self): - self._ctxt = None - self.aa_profile = None - self.aa_utils_packages = ['apparmor-utils'] - - @property - def ctxt(self): - if self._ctxt is not None: - return self._ctxt - self._ctxt = self._determine_ctxt() - return self._ctxt - - def _determine_ctxt(self): - """ - Validate aa-profile-mode settings is disable, enforce, or complain. - - :return ctxt: Dictionary of the apparmor profile or None - """ - if config('aa-profile-mode') in ['disable', 'enforce', 'complain']: - ctxt = {'aa-profile-mode': config('aa-profile-mode')} - else: - ctxt = None - return ctxt - - def __call__(self): - return self.ctxt - - def install_aa_utils(self): - """ - Install packages required for apparmor configuration. - """ - log("Installing apparmor utils.") - ensure_packages(self.aa_utils_packages) - - def manually_disable_aa_profile(self): - """ - Manually disable an apparmor profile. - - If aa-profile-mode is set to disabled (default) this is required as the - template has been written but apparmor is yet unaware of the profile - and aa-disable aa-profile fails. Without this the profile would kick - into enforce mode on the next service restart. - - """ - profile_path = '/etc/apparmor.d' - disable_path = '/etc/apparmor.d/disable' - if not os.path.lexists(os.path.join(disable_path, self.aa_profile)): - os.symlink(os.path.join(profile_path, self.aa_profile), - os.path.join(disable_path, self.aa_profile)) - - def setup_aa_profile(self): - """ - Setup an apparmor profile. - The ctxt dictionary will contain the apparmor profile mode and - the apparmor profile name. - Makes calls out to aa-disable, aa-complain, or aa-enforce to setup - the apparmor profile. 
- """ - self() - if not self.ctxt: - log("Not enabling apparmor Profile") - return - self.install_aa_utils() - cmd = ['aa-{}'.format(self.ctxt['aa-profile-mode'])] - cmd.append(self.ctxt['aa-profile']) - log("Setting up the apparmor profile for {} in {} mode." - "".format(self.ctxt['aa-profile'], self.ctxt['aa-profile-mode'])) - try: - check_call(cmd) - except CalledProcessError as e: - # If aa-profile-mode is set to disabled (default) manual - # disabling is required as the template has been written but - # apparmor is yet unaware of the profile and aa-disable aa-profile - # fails. If aa-disable learns to read profile files first this can - # be removed. - if self.ctxt['aa-profile-mode'] == 'disable': - log("Manually disabling the apparmor profile for {}." - "".format(self.ctxt['aa-profile'])) - self.manually_disable_aa_profile() - return - status_set('blocked', "Apparmor profile {} failed to be set to {}." - "".format(self.ctxt['aa-profile'], - self.ctxt['aa-profile-mode'])) - raise e diff --git a/hooks/charmhelpers/core/host.py b/hooks/charmhelpers/core/host.py index bfea6a15..5d9ba58a 100644 --- a/hooks/charmhelpers/core/host.py +++ b/hooks/charmhelpers/core/host.py @@ -128,13 +128,6 @@ def service(action, service_name): return subprocess.call(cmd) == 0 -def systemv_services_running(): - output = subprocess.check_output( - ['service', '--status-all'], - stderr=subprocess.STDOUT).decode('UTF-8') - return [row.split()[-1] for row in output.split('\n') if '[ + ]' in row] - - def service_running(service_name): """Determine whether a system service is running""" if init_is_systemd(): 
@@ -147,15 +140,11 @@ def service_running(service_name): except subprocess.CalledProcessError: return False else: - # This works for upstart scripts where the 'service' command - # returns a consistent string to represent running 'start/running' if ("start/running" in output or "is running" in output or "up and running" in output): return True - # Check System V scripts init script return codes - if service_name in systemv_services_running(): - return True - return False + else: + return False def service_available(service_name): diff --git a/hooks/nova_compute_context.py b/hooks/nova_compute_context.py index 77ac2147..7f67dbfa 100644 --- a/hooks/nova_compute_context.py +++ b/hooks/nova_compute_context.py @@ -37,10 +37,6 @@ OVS_BRIDGE = 'br-int' CEPH_CONF = '/etc/ceph/ceph.conf' CHARM_CEPH_CONF = '/var/lib/charm/{}/ceph.conf' -NOVA_API_AA_PROFILE = 'usr.bin.nova-api' -NOVA_COMPUTE_AA_PROFILE = 'usr.bin.nova-compute' -NOVA_NETWORK_AA_PROFILE = 'usr.bin.nova-network' - def ceph_config_file(): return CHARM_CEPH_CONF.format(service_name()) 
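Review bot: The non-systemd branch of `service_running` now returns False for any status output that lacks one of the three literal phrases, and the comment explaining where those phrases come from went out with the SysV fallback, so the string matching is left undocumented; a why-comment above the `if` would restore that, e.g. `# upstart's 'service <name> status' prints 'start/running'; the two prose forms presumably cover init scripts that report in words - confirm`. On hosts whose init scripts only signal state through their exit code this presumably reports a running service as stopped; whether any caller in this charm restarts on that basis cannot be seen from here. As a point of style, the new `else: return False` after a branch that already returns could be folded into a single `return ("start/running" in output or "is running" in output or "up and running" in output)`. The body of `service_running` starts outside the hunk.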
@@ -519,45 +515,3 @@ class HostIPContext(context.OSContextGenerator): ctxt['host_ip'] = host_ip return ctxt - - -class NovaAPIAppArmorContext(context.AppArmorContext): - - def __init__(self): - super(NovaAPIAppArmorContext, self).__init__() - self.aa_profile = NOVA_API_AA_PROFILE - - def __call__(self): - super(NovaAPIAppArmorContext, self).__call__() - if not self.ctxt: - return self.ctxt - self._ctxt.update({'aa-profile': self.aa_profile}) - return self.ctxt - - -class NovaComputeAppArmorContext(context.AppArmorContext): - - def __init__(self): - super(NovaComputeAppArmorContext, self).__init__() - self.aa_profile = NOVA_COMPUTE_AA_PROFILE - - def __call__(self): - super(NovaComputeAppArmorContext, self).__call__() - if not self.ctxt: - return self.ctxt - self._ctxt.update({'aa-profile': self.aa_profile}) - return self.ctxt - - -class NovaNetworkAppArmorContext(context.AppArmorContext): - - def __init__(self): - super(NovaNetworkAppArmorContext, self).__init__() - self.aa_profile = NOVA_NETWORK_AA_PROFILE - - def __call__(self): - super(NovaNetworkAppArmorContext, self).__call__() - if not self.ctxt: - return self.ctxt - self._ctxt.update({'aa-profile': self.aa_profile}) - return self.ctxt diff --git a/hooks/nova_compute_hooks.py b/hooks/nova_compute_hooks.py index 192859a0..e3b7432e 100755 --- a/hooks/nova_compute_hooks.py +++ b/hooks/nova_compute_hooks.py @@ -82,10 +82,7 @@ from charmhelpers.core.unitdata import kv from nova_compute_context import ( CEPH_SECRET_UUID, - assert_libvirt_imagebackend_allowed, - NovaAPIAppArmorContext, - NovaComputeAppArmorContext, - NovaNetworkAppArmorContext, + assert_libvirt_imagebackend_allowed ) from charmhelpers.contrib.charmsupport import nrpe from charmhelpers.core.sysctl import create as create_sysctl 
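Review bot: The rewritten last entry of the `nova_compute_context` import, `assert_libvirt_imagebackend_allowed` with no trailing comma, is a style regression rather than a defect: keeping it as `assert_libvirt_imagebackend_allowed,` matches the `CEPH_SECRET_UUID,` line above it and keeps the next addition to this list a one-line diff. The import block continues outside the hunk.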
@@ -178,9 +175,6 @@ def config_changed(): for unit in related_units(rid): ceph_changed(rid=rid, unit=unit) - NovaAPIAppArmorContext().setup_aa_profile() - NovaComputeAppArmorContext().setup_aa_profile() - NovaNetworkAppArmorContext().setup_aa_profile() CONFIGS.write_all() diff --git a/hooks/nova_compute_utils.py b/hooks/nova_compute_utils.py index c5c807a2..44f1c64f 100644 --- a/hooks/nova_compute_utils.py +++ b/hooks/nova_compute_utils.py @@ -81,12 +81,6 @@ from nova_compute_context import ( ceph_config_file, HostIPContext, DesignateContext, - NOVA_API_AA_PROFILE, - NOVA_COMPUTE_AA_PROFILE, - NOVA_NETWORK_AA_PROFILE, - NovaAPIAppArmorContext, - NovaComputeAppArmorContext, - NovaNetworkAppArmorContext, ) CA_CERT_PATH = '/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt' @@ -165,12 +159,6 @@ LIBVIRT_BIN = '/etc/default/libvirt-bin' LIBVIRT_BIN_OVERRIDES = '/etc/init/libvirt-bin.override' NOVA_CONF = '%s/nova.conf' % NOVA_CONF_DIR QEMU_KVM = '/etc/default/qemu-kvm' -NOVA_API_AA_PROFILE_PATH = ('/etc/apparmor.d/{}'.format(NOVA_API_AA_PROFILE)) -NOVA_COMPUTE_AA_PROFILE_PATH = ('/etc/apparmor.d/{}' - ''.format(NOVA_COMPUTE_AA_PROFILE)) -NOVA_NETWORK_AA_PROFILE_PATH = ('/etc/apparmor.d/{}' - ''.format(NOVA_NETWORK_AA_PROFILE)) - BASE_RESOURCE_MAP = { NOVA_CONF: { @@ -198,18 +186,6 @@ BASE_RESOURCE_MAP = { context.LogLevelContext(), context.InternalEndpointContext()], }, - NOVA_API_AA_PROFILE_PATH: { - 'services': ['nova-api'], - 'contexts': [NovaAPIAppArmorContext()], - }, - NOVA_COMPUTE_AA_PROFILE_PATH: { - 'services': ['nova-compute'], - 'contexts': [NovaComputeAppArmorContext()], - }, - NOVA_NETWORK_AA_PROFILE_PATH: { - 'services': ['nova-network'], - 'contexts': [NovaNetworkAppArmorContext()], - }, } LIBVIRT_RESOURCE_MAP = { diff --git a/templates/usr.bin.nova-api b/templates/usr.bin.nova-api deleted file mode 100644 index 26384e0f..00000000 --- a/templates/usr.bin.nova-api +++ /dev/null 
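Review bot: Removing the three `setup_aa_profile()` calls leaves `config_changed` with no AppArmor handling, but nothing in the commit cleans up what the reverted code already put on upgraded units: the rendered profiles under `/etc/apparmor.d` (the `NOVA_*_AA_PROFILE_PATH` entries dropped from `BASE_RESOURCE_MAP` in the `nova_compute_utils.py` hunk below) and the `/etc/apparmor.d/disable` symlinks created by the removed `manually_disable_aa_profile`. A unit whose operator had set 'enforce' presumably stays confined by a profile the charm no longer manages, and one left in 'disable' keeps a stale link; either way the state on disk no longer matches the charm code. A one-off cleanup before `CONFIGS.write_all()` that removes each profile file and its disable link and unloads the profile closes that gap (assuming `os` and `subprocess` are importable in this hooks module), and the commit message should at least state that existing profiles are left untouched. `config_changed` starts outside the hunk.
```python
    # … unchanged: ceph_changed loop …
    # The reverted AppArmor support may already have rendered these profiles
    # on upgraded units; they are no longer managed here, so remove the files
    # and disable links and unload any still-loaded profile rather than leave
    # a stale 'enforce' profile behind.
    for profile in ('usr.bin.nova-api', 'usr.bin.nova-compute',
                    'usr.bin.nova-network'):
        profile_path = os.path.join('/etc/apparmor.d', profile)
        if os.path.exists(profile_path):
            subprocess.call(['apparmor_parser', '-R', profile_path])
            os.remove(profile_path)
        disable_link = os.path.join('/etc/apparmor.d/disable', profile)
        if os.path.lexists(disable_link):
            os.remove(disable_link)
    CONFIGS.write_all()
```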
@@ -1,58 +0,0 @@
-# Last Modified: Thu Mar 31 18:53:33 2016
-#include
-
-/usr/bin/nova-api {
- #include
- #include
- #include
- #include
- #include
- #include
-
- capability audit_write,
- capability net_admin,
- capability net_raw,
- capability sys_resource,
-
- network inet raw,
-
- /bin/dash ix,
- /etc/nova/api-paste.ini r,
- /etc/nova/nova.conf r,
- /etc/nova/rootwrap.conf r,
- /etc/nova/rootwrap.d/ r,
- /etc/nova/rootwrap.d/api-metadata.filters r,
- /etc/nova/rootwrap.d/compute.filters r,
- /etc/nova/rootwrap.d/network.filters r,
- /etc/sudoers r,
- /etc/sudoers.d/ r,
- /etc/sudoers.d/90-cloud-init-users r,
- /etc/sudoers.d/README r,
- /etc/sudoers.d/nova_sudoers r,
- /lib{,32,64}/** mr,
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pid}/net/ip_tables_names r,
- owner @{PROC}/@{pid}/stat r,
- owner @{PROC}/@{pid}/status r,
- /run/lock/nova/nova-iptables wk,
- /sbin/ldconfig rix,
- /sbin/ldconfig.real rix,
- /sbin/xtables-multi rix,
- /tmp/ r,
- /tmp/** rwk,
- /usr/bin/ r,
- /usr/bin/nova-api r,
- /usr/bin/nova-rootwrap rix,
- /usr/bin/python2.7 ix,
- /usr/bin/python3.4 ix,
- /usr/bin/sudo ix,
- /usr/lib{,32,64}/** mr,
- /var/lib/nova/ r,
- /var/lib/nova/** rw,
- /var/log/nova/nova-api.log w,
- /var/tmp/ r,
- /var/tmp/** rwk,
-
-}
diff --git a/templates/usr.bin.nova-compute b/templates/usr.bin.nova-compute
deleted file mode 100644
index b7536e63..00000000
--- a/templates/usr.bin.nova-compute
+++ /dev/null
@@ -1,57 +0,0 @@
-# Last Modified: Tue Apr 5 22:19:53 2016
-#include
-
-/usr/bin/nova-compute {
- #include
- #include
- #include
-
- capability dac_override,
- capability dac_read_search,
-
- network inet dgram,
- network inet stream,
-
- deny /* w,
- /bin/dash rix,
- /bin/mv rix,
- /bin/uname rix,
- /etc/nova/nova-compute.conf r,
- /etc/nova/nova.conf r,
- /etc/nova/policy.json r,
- /etc/nsswitch.conf r,
- /etc/passwd r,
- /proc/*/net/psched r,
- /run/libvirt/libvirt-sock rw,
- /run/lock/nova/nova-iptables wk,
- /sbin/ldconfig rix,
- /sbin/ldconfig.real rix,
- /sys/devices/system/cpu/ r,
- /sys/devices/system/node/ r,
- /sys/devices/system/node/** r,
- /tmp/* rw,
- /tmp/*/ rw,
- /usr/bin/ r,
- /usr/bin/env rix,
- /usr/bin/gcc-4.8 rix,
- /usr/bin/nova-compute r,
- /usr/bin/python2.7 ix,
- /usr/bin/python3.4 ix,
- /usr/bin/qemu-img rix,
- /usr/bin/sudo rix,
- /usr/lib/gcc/x86_64-linux-gnu/4.8/collect2 rix,
- /usr/lib{,32,64}/** rw,
- /usr/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so} mrw,
- /var/lib/nova/* rwk,
- /var/lib/nova/instances/ r,
- /var/lib/nova/instances/** rwk,
- /var/lib/nova/instances/locks/nova-storage-registry-lock k,
- /var/log/nova/nova-compute.log w,
- /var/run/libvirt/* rw,
- /var/run/libvirt/libvirt-sock rw,
- /var/tmp/* w,
- owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pid}/net/psched r,
- owner @{PROC}/@{pid}/status r,
-
-}
diff --git a/templates/usr.bin.nova-network b/templates/usr.bin.nova-network
deleted file mode 100644
index 757f6427..00000000
--- a/templates/usr.bin.nova-network
+++ /dev/null
@@ -1,29 +0,0 @@
-# Last Modified: Thu Mar 31 18:21:05 2016
-#include
-
-/usr/bin/nova-network {
- #include
- #include
- #include
- #include
-
- deny /usr/bin/sudo x,
-
- /bin/dash rix,
- /bin/uname rix,
- /etc/nova/nova.conf r,
- owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pid}/status r,
- /sbin/ldconfig rix,
- /sbin/ldconfig.real rix,
- /tmp/** rw,
- /usr/bin/ r,
- /usr/bin/nova-network r,
- /usr/bin/python2.7 ix,
- /usr/bin/python3.4 ix,
- /usr/lib{,32,64}/python{2,3}.[34567]/**.{pyc,so} mra,
- /var/lib/nova/* a,
- /var/log/nova/nova-network.log w,
- /var/tmp/* a,
-
-}