Run firewalld as a regular user
Issue description

Now that we have ambient capabilities support in firewalld, we no longer need to run it as root. Next steps:
- Add a user for firewalld
- Launch it as that user, keeping CAP_NET_ADMIN, CAP_NET_RAW
- Change the iptables launching code to not drop caps.
Apr 27 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/eclass-overlay/+/48c2f1375a255e78c57afb1649ee8dce9e1474dc

commit 48c2f1375a255e78c57afb1649ee8dce9e1474dc
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Thu Apr 27 18:15:44 2017

Add 'firewall' user for firewalld.

We can now run firewalld as a non-root user using ambient capabilities.

BUG= chromium:715678
TEST=Build image, check /etc/{passwd,group}.

Change-Id: I9a38d60c109bd8b4e06bec06c15974be1fd9cae1
Reviewed-on: https://chromium-review.googlesource.com/488301
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[add] https://crrev.com/48c2f1375a255e78c57afb1649ee8dce9e1474dc/profiles/base/accounts/user/firewall
[add] https://crrev.com/48c2f1375a255e78c57afb1649ee8dce9e1474dc/profiles/base/accounts/group/firewall
Apr 28 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/autotest/+/fb4508d4260e0267b2d69eb2a44b48bda156b8cc

commit fb4508d4260e0267b2d69eb2a44b48bda156b8cc
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Fri Apr 28 21:16:08 2017

security_AccountsBaseline: Add 'firewall' user to baseline.

The test will not fail if it doesn't find the new user, so it's safe to land this before CL:487742.

BUG= chromium:715678
TEST=Passes.
CQ-DEPEND=CL:488301

Change-Id: I1ce50dca35b7a7aa9a07e4933e0f99052cb27462
Reviewed-on: https://chromium-review.googlesource.com/488681
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/fb4508d4260e0267b2d69eb2a44b48bda156b8cc/client/site_tests/security_AccountsBaseline/baseline.group
[modify] https://crrev.com/fb4508d4260e0267b2d69eb2a44b48bda156b8cc/client/site_tests/security_AccountsBaseline/baseline.passwd
May 2 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/011a9765c22cbb8b9060e931e66d05b925e0574b

commit 011a9765c22cbb8b9060e931e66d05b925e0574b
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Tue May 02 12:20:27 2017

Install 'firewall' user.

BUG= chromium:715678
TEST=Build image, check /etc/{passwd,group}.
CQ-DEPEND=CL:488301,CL:488681

Change-Id: Idfe287c86118e8cf84a45f86fec70fd622567fff
Reviewed-on: https://chromium-review.googlesource.com/487742
Commit-Ready: Ilja H. Friedel <ihf@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/011a9765c22cbb8b9060e931e66d05b925e0574b/chromeos-base/firewalld/firewalld-9999.ebuild
May 4 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/autotest/+/dc03d2cb224f92b177333284ebc32224674ba9dc

commit dc03d2cb224f92b177333284ebc32224674ba9dc
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Thu May 04 17:36:42 2017

security_SandboxedServices: Fix style issues.

BUG= chromium:715678
TEST=Passes

Change-Id: I801b5255b4f4a65acd4813813c97228509e59688
Reviewed-on: https://chromium-review.googlesource.com/495348
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/dc03d2cb224f92b177333284ebc32224674ba9dc/client/site_tests/security_SandboxedServices/security_SandboxedServices.py
May 18 2017

The following revision refers to this bug:
https://chromium.googlesource.com/aosp/platform/system/firewalld/+/64fc5a23a1ae487409cc585b3fbf261c553acb4e

commit 64fc5a23a1ae487409cc585b3fbf261c553acb4e
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Thu May 18 02:06:17 2017

Run firewalld as a regular user, in a PID namespace.

Now that we have ambient capabilities, we don't need to run firewalld as root.

BUG= chromium:715678
TEST=platform_Firewall
TEST=readlink /proc/`pgrep firewalld`/ns/pid
TEST=pid:[4026532158]
TEST=readlink /proc/1/ns/pid
TEST=pid:[4026531836]
CQ-DEPEND=CL:494127

Change-Id: I5e65c56886e8d57bb261edb171ff16dd931d7f1d
Reviewed-on: https://chromium-review.googlesource.com/488701
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/64fc5a23a1ae487409cc585b3fbf261c553acb4e/iptables.h
[modify] https://crrev.com/64fc5a23a1ae487409cc585b3fbf261c553acb4e/dbus/org.chromium.Firewalld.conf
[modify] https://crrev.com/64fc5a23a1ae487409cc585b3fbf261c553acb4e/firewalld.conf
[modify] https://crrev.com/64fc5a23a1ae487409cc585b3fbf261c553acb4e/iptables_unittest.cc
[modify] https://crrev.com/64fc5a23a1ae487409cc585b3fbf261c553acb4e/iptables.cc
[modify] https://crrev.com/64fc5a23a1ae487409cc585b3fbf261c553acb4e/mock_iptables.cc
[modify] https://crrev.com/64fc5a23a1ae487409cc585b3fbf261c553acb4e/mock_iptables.h
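A check of the end state this bug describes, as an added example that is not part of the original issue or of firewalld's code: it parses the text of /proc/<pid>/status plus the ns/pid links read in the TEST= lines above, and reports a root UID, capabilities beyond CAP_NET_ADMIN and CAP_NET_RAW, a missing ambient capability, or a shared PID namespace. The status samples and UID 1001 are constructed, and the expectation that the permitted, effective and ambient sets hold exactly those two capabilities is an assumption drawn from the issue description.

```python
import re

# Bit numbers from linux/capability.h.
CAP_BITS = {"CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13}
EXPECTED = frozenset(CAP_BITS)
KNOWN_MASK = sum(1 << b for b in CAP_BITS.values())   # 0x3000

def parse_status(text):
    """Return {field: value} for the 'Key:<tab>value' lines of a status file."""
    return dict(re.findall(r"^(\w+):[ \t]*(.*)$", text, re.M))

def decode_caps(hex_mask):
    """Split a capability mask into expected names and unexpected bit numbers."""
    mask = int(hex_mask, 16)
    names = {n for n, b in CAP_BITS.items() if mask >> b & 1}
    extra = [i for i in range(64) if (mask & ~KNOWN_MASK) >> i & 1]
    return names, extra

def audit(status_text, pid_ns, init_pid_ns):
    """Return a list of findings; an empty list means the sandbox matches."""
    st, findings = parse_status(status_text), []
    if "0" in st["Uid"].split():           # real, effective, saved, fs UIDs
        findings.append("runs with a root UID")
    # CapAmb matters because ambient caps are what a child such as iptables
    # keeps across execve() when the parent is not root.
    for field in ("CapPrm", "CapEff", "CapAmb"):
        names, extra = decode_caps(st[field])
        if extra:
            findings.append(f"{field} has unexpected capability bits {extra}")
        missing = sorted(EXPECTED - names)
        if missing:
            findings.append(f"{field} is missing {missing}")
    if pid_ns == init_pid_ns:
        findings.append("shares the init PID namespace")
    return findings

# Constructed samples (not captured from a device).
GOOD_STATUS = ("Name:\tfirewalld\nUid:\t1001\t1001\t1001\t1001\n"
               "CapInh:\t0000000000003000\nCapPrm:\t0000000000003000\n"
               "CapEff:\t0000000000003000\nCapBnd:\t0000003fffffffff\n"
               "CapAmb:\t0000000000003000\n")
ROOT_STATUS = ("Name:\tfirewalld\nUid:\t0\t0\t0\t0\n"
               "CapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\n"
               "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n"
               "CapAmb:\t0000000000000000\n")

if __name__ == "__main__":
    # Namespace ids below are the ones quoted in the commit's TEST= lines.
    print(audit(GOOD_STATUS, "pid:[4026532158]", "pid:[4026531836]"))
    print(audit(ROOT_STATUS, "pid:[4026531836]", "pid:[4026531836]"))
```

On a live system the inputs would come from reading /proc/<pid>/status and the two ns/pid links for the service and for PID 1.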
May 18 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/autotest/+/fb744f1dad229edcdc8a742e766cda032eb6a3a0

commit fb744f1dad229edcdc8a742e766cda032eb6a3a0
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Thu May 18 02:06:17 2017

security_SandboxedServices: update baseline for firewalld.

BUG= chromium:715678
TEST=Passes.
CQ-DEPEND=CL:488701

Change-Id: I015e0c61657cb08e975cc4758fd1a145bfe5ed43
Reviewed-on: https://chromium-review.googlesource.com/494127
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/fb744f1dad229edcdc8a742e766cda032eb6a3a0/client/site_tests/security_SandboxedServices/baseline
May 18 2017
This is done.
Jan 22 2018
Comment 1 by jorgelo@chromium.org, Apr 26 2017