RFD: Ensure code executed on the worker is confined#7127
Open
d3flex wants to merge 1 commit intoos-autoinst:masterfrom
Open
RFD: Ensure code executed on the worker is confined#7127d3flex wants to merge 1 commit intoos-autoinst:masterfrom
d3flex wants to merge 1 commit intoos-autoinst:masterfrom
Conversation
okurz
reviewed
Mar 18, 2026
Member
okurz
left a comment
okurz
left a comment
There was a problem hiding this comment.
content looks good although I don't think we should commit this file into the repo at the current state.
|
|
||
| ## Investigation | ||
|
|
||
| To demonstrate the attack surface I wrote a test module (`tests/install/explore.pm`) that uses standard testapi calls (`script_run`, `upload_logs`) alongside direct Perl code to do sensitive things from inside the worker process on the host side. |
Member
There was a problem hiding this comment.
I wrote a test module (
tests/install/explore.pm)
where can I find this?
Contributor
Author
There was a problem hiding this comment.
that not really important. I will add something similar to the openqa-in-opena as suggested in the RFD.
Martchus
reviewed
Mar 20, 2026
Contributor
Martchus
left a comment
Martchus
left a comment
There was a problem hiding this comment.
For this to become part of our documentation you should avoid the use of "I". Maybe that's also not strictly necessary right now.
It would be interesting to test the isolation of tests runs from each other. I think it would be easily possible to restrict accessible directories even more so tests would only be able to read needed files from the system and from their own pool directory (but not pool directories of other worker slots).
It would also be interesting to test whether it works with the cache service or whether further settings need to be added.
| ## Investigation | ||
|
|
||
| To demonstrate the attack surface I wrote a test module (`tests/install/explore.pm`) that uses standard testapi calls (`script_run`, `upload_logs`) alongside direct Perl code to do sensitive things from inside the worker process on the host side. | ||
| This covers the main ways a malicious test module could exploit the worker: testapi calls that run commands in the VM but also give access to the host process, direct host file reads, and leaking files via `upload_logs` to the WebUI. |
Contributor
There was a problem hiding this comment.
Suggested change
| This covers the main ways a malicious test module could exploit the worker: testapi calls that run commands in the VM but also give access to the host process, direct host file reads, and leaking files via `upload_logs` to the WebUI. | |
| This covers the main ways a malicious test module could exploit the worker: testapi calls that run commands in the VM but also give access to the host process, direct host file reads, and leaking files via `upload_logs` to the web UI. |
|
|
||
| ### systemd hardening — tested and working | ||
|
|
||
| I added standard systemd hardening directives to the worker unit. This solution seems to be the simplier less efortless to great value approach, which should be applied first . |
Contributor
There was a problem hiding this comment.
"less efortless to great value approach" is incomprehensible.
Member
As I stated in #7127 (review) I don't see the benefit of submitting this to the repo. |
Issue: https://progress.opensuse.org/issues/194717 Signed-off-by: Ioannis Bonatakis <ybonatakis@suse.com>
d3flex
force-pushed
the
docs/rfd-worker-confinement
branch
from
b62b5d7 to
2a1ec03
Compare
d3flex
added a commit
to d3flex/os-autoinst-distri-openQA
that referenced
this pull request
Mar 30, 2026
Provide a set of scripts which explore the confined capabilities of the workers. There are two main approaches: using the test API to read/write from within the SUT and the Host level operations using system(). RFD: os-autoinst/openQA#7127 Issue: https://progress.opensuse.org/issues/194717 Signed-off-by: Ioannis Bonatakis <ybonatakis@suse.com>
d3flex
added a commit
to d3flex/os-autoinst-distri-openQA
that referenced
this pull request
Apr 2, 2026
Provide a set of scripts which explore the confined capabilities of the workers. There are two main approaches: using the test API to read/write from within the SUT and the Host level operations using system(). RFD: os-autoinst/openQA#7127 Issue: https://progress.opensuse.org/issues/194717 Signed-off-by: Ioannis Bonatakis <ybonatakis@suse.com>
d3flex
added a commit
to d3flex/os-autoinst-distri-openQA
that referenced
this pull request
Apr 2, 2026
Provide a set of scripts which explore the confined capabilities of the workers. There are two main approaches: using the test API to read/write from within the SUT and the Host level operations using system(). RFD: os-autoinst/openQA#7127 Issue: https://progress.opensuse.org/issues/194717 Signed-off-by: Ioannis Bonatakis <ybonatakis@suse.com>
d3flex
added a commit
to d3flex/os-autoinst-distri-openQA
that referenced
this pull request
Apr 2, 2026
Provide a set of scripts which explore the confined capabilities of the workers. There are two main approaches: using the test API to read/write from within the SUT and the Host level operations using system(). RFD: os-autoinst/openQA#7127 Issue: https://progress.opensuse.org/issues/194717 Signed-off-by: Ioannis Bonatakis <ybonatakis@suse.com>
d3flex
added a commit
to d3flex/os-autoinst-distri-openQA
that referenced
this pull request
Apr 2, 2026
Provide a set of scripts which explore the confined capabilities of the workers. There are two main approaches: using the test API to read/write from within the SUT and the Host level operations using system(). RFD: os-autoinst/openQA#7127 Issue: https://progress.opensuse.org/issues/194717 Signed-off-by: Ioannis Bonatakis <ybonatakis@suse.com>
d3flex
added a commit
to d3flex/os-autoinst-distri-openQA
that referenced
this pull request
Apr 2, 2026
Provide a set of scripts which explore the confined capabilities of the workers. There are two main approaches: using the test API to read/write from within the SUT and the Host level operations using system(). RFD: os-autoinst/openQA#7127 Issue: https://progress.opensuse.org/issues/194717 Signed-off-by: Ioannis Bonatakis <ybonatakis@suse.com>
d3flex
added a commit
to d3flex/os-autoinst-distri-openQA
that referenced
this pull request
Apr 6, 2026
Provide a set of scripts which explore the confined capabilities of the workers. There are two main approaches: using the test API to read/write from within the SUT and the Host level operations using system(). RFD: os-autoinst/openQA#7127 Issue: https://progress.opensuse.org/issues/194717 Signed-off-by: Ioannis Bonatakis <ybonatakis@suse.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue: https://progress.opensuse.org/issues/194717