Merge lp:~xfactor973/apparmor-profiles/ceph-apparmor-profiles into lp:apparmor-profiles

Proposed by Chris Holcombe on 2016-03-22
Status: Merged
Merged at revision: 165
Proposed branch: lp:~xfactor973/apparmor-profiles/ceph-apparmor-profiles
Merge into: lp:apparmor-profiles
Diff against target: 67 lines (+58/-0)
2 files modified
ubuntu/14.04/usr.bin.ceph-mon (+28/-0)
ubuntu/14.04/usr.bin.ceph-osd (+30/-0)
To merge this branch: bzr merge lp:~xfactor973/apparmor-profiles/ceph-apparmor-profiles
Reviewer: Steve Beattie; review requested 2016-03-22; status: Approve on 2016-04-30
Review via email: mp+289844@code.launchpad.net

Description of the change

This patch includes apparmor profiles for the ceph-mon and ceph-osd processes. These were generated by running an extensive amulet test against the ceph-mon and ceph-osd juju charms. I can't say that they've exercised every possible code path but I think this is a good starting armor profile.

160. By Chris Holcombe on 2016-03-28

Typo in the ceph-osd profile

Seth Arnold (seth-arnold) wrote :

Looks like a great start, thanks!

It'd be nice if the /proc/*/.. entries would use /proc/${pid}/.. or /proc/${pids}/.. -- while there's currently no difference between the two variables today, we do intend to modify ${pid} to refer to strictly "the current pid" via a kernel variable eventually.

/srv/ceph/ is probably a fair enough starting point to hardcode but if someone stores their OSDs elsewhere, it'd be nice if there was an #include <local/usr.bin.ceph-osd> line near the bottom of the ceph-osd profile, so these sorts of modifications could be made easily. (See /etc/apparmor.d/usr.sbin.rsyslogd or /etc/apparmor.d/usr.sbin.ntpd for examples.)

Thanks

Chris Holcombe (xfactor973) wrote :

Thanks! That's great feedback.

161. By Chris Holcombe on 2016-04-14

Use ${pids} instead of * and also allow users to include site specific overrides

Christian Boltz (cboltz) wrote :

I'm afraid Seth managed to confuse you - it's @{pid} or @{pids}, not ${pid} and ${pids} ;-)

Seth Arnold (seth-arnold) wrote :

Argh, I'm sorry Chris! Nice catch Christian. Sigh.

Chris Holcombe (xfactor973) wrote :

No worries! I'll update this patch after the 16.04 release :)

162. By Chris Holcombe on 2016-04-19

Use @{pid} not ${pid}

Steve Beattie (sbeattie) wrote :

Hi, thanks for fixing up the pid/pids variables. I've gone ahead and merged this after also copying the profiles to the 16.04 and 16.10 trees -- I poked around very briefly at a 16.04 ceph install and didn't see anything radically different in FS layout that would give cause for concern (we'll obviously take updates if there are things that need to be updated).

While reviewing, I did have one question; both profiles have:

  owner /etc/ceph/* rw,

Is it expected that ceph will need to write to arbitrary files under /etc/ceph/? What's the usage here?

Thanks for the contribution!

review: Approve

Chris Holcombe (xfactor973) wrote :

Yeah no problem!

For the /etc/ceph/* stuff it does write a few things there. The /etc/ceph/ceph.conf and also various cephx key files under different names. I thought /etc/ceph/* would be a safe thing to do because I won't know in advance what all the key names are going to be that it could create. I could probably tighten it up a little bit to something like:

owner /etc/ceph/ceph.conf rw,
owner /etc/ceph/ceph.client.* rw,
owner /etc/ceph/rbdmap rw,

I don't think the charm or ceph writes anything else to that directory. Here's what a current deployment looks like under /etc/ceph/:

root@ip-172-31-2-78:/etc/ceph# ls -lh
total 8.0K
-rw------- 1 root root 63 Apr 28 19:03 ceph.client.admin.keyring
lrwxrwxrwx 1 root root 27 Apr 28 19:01 ceph.conf -> /etc/alternatives/ceph.conf
-rw-r--r-- 1 root root 92 Feb 22 21:15 rbdmap
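
To make the difference between the merged `owner /etc/ceph/* rw,` rule and the tightened set discussed above concrete, here is an added Python sketch (not part of this merge proposal, and not apparmor_parser's own matcher) that applies AppArmor's path-glob semantics to the files in the listing above; the extra keyring name and the nested path are constructed inputs.

```python
import re

# AppArmor path globbing as used in the rules under review: '*' matches any
# run of characters except '/', '**' also crosses '/', and @{pid}/@{pids}
# expand to a numeric /proc component. Brace alternation, '?' and character
# classes are left out; this illustrates the semantics, it is not
# apparmor_parser's matcher.
def glob_to_regex(rule_path):
    out, i = [], 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            out.append(".*")
            i += 2
        elif rule_path[i] == "*":
            out.append("[^/]*")
            i += 1
        elif rule_path.startswith(("@{pid}", "@{pids}"), i):
            out.append("[0-9]+")
            i = rule_path.index("}", i) + 1
        else:
            out.append(re.escape(rule_path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def permissions_for(rules, path):
    """Union of the permission letters of every rule whose glob matches path."""
    perms = set()
    for rule_path, rule_perms in rules:
        if glob_to_regex(rule_path).match(path):
            perms.update(rule_perms)
    return "".join(sorted(perms))

def uncovered(rules, paths):
    """Paths no rule matches at all; AppArmor would deny access to them."""
    return [p for p in paths if not permissions_for(rules, p)]

# The rule as merged, and the narrower set proposed in the discussion.
BROAD = [("/etc/ceph/*", "rw")]
TIGHTENED = [("/etc/ceph/ceph.conf", "rw"), ("/etc/ceph/ceph.client.*", "rw"),
             ("/etc/ceph/rbdmap", "rw")]

# Files from the /etc/ceph listing in the thread. AppArmor checks the resolved
# path, so a write through the ceph.conf symlink is judged against
# /etc/alternatives/ceph.conf, which neither rule set covers.
LISTED = ["/etc/ceph/ceph.client.admin.keyring", "/etc/ceph/ceph.conf",
          "/etc/ceph/rbdmap"]
# Constructed inputs: a keyring under another name and a nested path.
EXTRA = ["/etc/ceph/ceph.mon.keyring", "/etc/ceph/nested/file"]
```

Running `uncovered(TIGHTENED, LISTED + EXTRA)` shows that the tightened set covers everything in the listing but would deny a keyring created under a name outside `ceph.client.*`, which is exactly the trade-off raised in the comment above.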

Preview Diff

1=== added file 'ubuntu/14.04/usr.bin.ceph-mon'
2--- ubuntu/14.04/usr.bin.ceph-mon 1970-01-01 00:00:00 +0000
3+++ ubuntu/14.04/usr.bin.ceph-mon 2016-04-19 13:54:25 +0000
4@@ -0,0 +1,28 @@
5+# vim:syntax=apparmor
6+# Author: Chris Holcombe <xfactor973 at gmail_com>
7+#include <tunables/global>
8+
9+/usr/bin/ceph-mon {
10+ #include <abstractions/base>
11+
12+ /usr/bin/ceph-mon mr,
13+
14+ network inet stream,
15+ network inet6 stream,
16+
17+ owner /etc/ceph/* rw,
18+ /etc/passwd r,
19+
20+ /proc/@{pid}/auxv r,
21+ /proc/@{pid}/net/dev r,
22+
23+ /run/ceph/* rw,
24+ /tmp/ r,
25+ /var/lib/ceph/** rwk,
26+ /var/lib/charm/*/ceph.conf r,
27+ /var/log/ceph/* rwk,
28+ /var/run/ceph/* rwk,
29+ /var/tmp/ r,
30+ # Site-specific additions and overrides.
31+ #include <local/usr.bin.ceph-mon>
32+}
33
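Review bot: `owner /etc/ceph/* rw,` in this hunk grants write access to every file directly under /etc/ceph/, while the reply in the thread names only ceph.conf, the cephx keyrings and rbdmap; consider the narrower `owner /etc/ceph/ceph.conf rw,` / `owner /etc/ceph/ceph.client.* rw,` / `owner /etc/ceph/rbdmap rw,` set proposed there. Since AppArmor matches the resolved path, a ceph.conf that is a symlink into /etc/alternatives/ (as in the listing in the thread) also needs a rule for /etc/alternatives/ceph.conf before a write through it succeeds, with either rule set. Two smaller points: `/run/ceph/* rw,` lacks the `k` that `/var/run/ceph/* rwk,` grants, and because /var/run is a symlink to /run on Ubuntu the lock permission as written never applies to the resolved path, so `/run/ceph/* rwk,` is probably what is wanted; and this profile uses @{pid} for the /proc entries while usr.bin.ceph-osd in the same proposal uses @{pids}, so the two should agree.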
34=== added file 'ubuntu/14.04/usr.bin.ceph-osd'
35--- ubuntu/14.04/usr.bin.ceph-osd 1970-01-01 00:00:00 +0000
36+++ ubuntu/14.04/usr.bin.ceph-osd 2016-04-19 13:54:25 +0000
37@@ -0,0 +1,30 @@
38+# vim:syntax=apparmor
39+# Author: Chris Holcombe <xfactor973 at gmail_com>
40+#include <tunables/global>
41+
42+/usr/bin/ceph-osd {
43+ #include <abstractions/base>
44+
45+ /usr/bin/ceph-osd mr,
46+
47+ network inet stream,
48+ network inet6 stream,
49+
50+ owner /etc/ceph/* rw,
51+ /etc/passwd r,
52+
53+ /proc/@{pids}/auxv r,
54+ /proc/@{pids}/net/dev r,
55+ /proc/loadavg r,
56+
57+ /run/ceph/* rw,
58+ /srv/ceph/** r,
59+ /tmp/ r,
60+ /var/lib/ceph/** rwk,
61+ /var/lib/charm/*/ceph.conf r,
62+ /var/log/ceph/* rwk,
63+ /var/run/ceph/* rwk,
64+ /var/tmp/ r,
65+ # Site-specific additions and overrides.
66+ #include <local/usr.bin.ceph-osd>
67+}
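Review bot: `/srv/ceph/** r,` is read-only while `/var/lib/ceph/** rwk,` gets write and lock; the discussion above treats /srv/ceph/ as the hardcoded OSD location, and an OSD keeping its data there would need `rwk` as well, so either confirm the charm only reads from /srv/ceph/ or widen the rule. This profile uses @{pids} for the /proc entries while usr.bin.ceph-mon uses @{pid}; per the review comment above, @{pid} is intended to become "the current pid" only, so if ceph-osd inspects other processes' /proc entries @{pids} is the right choice and the two profiles should match. As with the mon profile, `/run/ceph/* rw,` and `/var/run/ceph/* rwk,` disagree on `k`, and since /var/run resolves to /run on Ubuntu the lock grant only takes effect if it is placed on the /run/ceph/* rule.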
