hardening horizon: don't mount hosts /tmp

consider this a security hardening as it would be possible to write to host owned private tmp files e.g. of systemd-logind when you are able to highjack the apache2 process inside the horizon container, which runs as root. see the bug report for a demonstration of this. I checked the horizon code, it only facilitates python tempfiles module for temp file usage. I also checked the horizon container we build via `kolla-build -b ubuntu horizon`, which has a /tmp/ directory. So no mountpoint should be needed. Closes-Bug: #2068126 Signed-off-by: Sven Kieske <kieske@osism.tech> Change-Id: I7ae1db8d42c83b773047bb01e846d4abee02710a
2024-06-05 11:49:59 +02:00 · 2024-06-05 11:49:59 +02:00 · f306e9ca88
commit f306e9ca88
parent cbf514869a
2 changed files with 6 additions and 1 deletions
--- a/ansible/roles/horizon/defaults/main.yml
+++ b/ansible/roles/horizon/defaults/main.yml
@ -127,7 +127,6 @@ horizon_default_volumes:
  - "/etc/localtime:/etc/localtime:ro"
  - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
  - "kolla_logs:/var/log/kolla/"
-  - "/tmp:/tmp"

 horizon_extra_volumes: "{{ default_extra_volumes }}"

--- a/releasenotes/notes/harden_horizon_tmp_usage-0d690e49645b99a8.yaml
+++ b/releasenotes/notes/harden_horizon_tmp_usage-0d690e49645b99a8.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Removes the default `/tmp/` mountpoint from the horizon container. This
+    change is made to harden the container and prevent potential security
+    issues. For more information, see the Bug Report: `LP#2068126 <https://bugs.launchpad.net/kolla-ansible/+bug/2068126>`__.