Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enforce image safety during image_conversion #12

Open
wants to merge 1 commit into
base: stackhpc/ussuri
Choose a base branch
from

Conversation

JohnGarbutt
Copy link
Member

This does two things:

  1. It makes us check that the QCOW backing_file is unset on those types of images. Nova and Cinder do this already to prevent an arbitrary (and trivial to accomplish) host file exposure exploit.
  2. It makes us restrict VMDK files to only allowed subtypes. These files can name arbitrary files on disk as extents, providing the same sort of attack. Default that list to just the types we believe are actually useful for openstack, and which are monolithic.

The configuration option to specify allowed subtypes is added in glance's config and not in the import options so that we can extend this check later to image ingest. The format_inspector can tell us what the type and subtype is, and we could reject those images early and even in the case where image_conversion is not enabled.

Closes-Bug: #1996188
Change-Id: Idf561f6306cebf756c787d8eefdc452ce44bd5e0 (cherry picked from commit 0d6282a) (cherry picked from commit 4967ab6) (cherry picked from commit dc8e5a5) (cherry picked from commit f45b5f0) (cherry picked from commit 9a98c4a) Conflicts: glance/tests/unit/async_/flows/plugins/test_image_conversion.py

  • removed code related to missing tests - 050802d (cherry picked from commit 06e6be5)

This does two things:

1. It makes us check that the QCOW backing_file is unset on those
types of images. Nova and Cinder do this already to prevent an
arbitrary (and trivial to accomplish) host file exposure exploit.
2. It makes us restrict VMDK files to only allowed subtypes. These
files can name arbitrary files on disk as extents, providing the
same sort of attack. Default that list to just the types we believe
are actually useful for openstack, and which are monolithic.

The configuration option to specify allowed subtypes is added in
glance's config and not in the import options so that we can extend
this check later to image ingest. The format_inspector can tell us
what the type and subtype is, and we could reject those images early
and even in the case where image_conversion is not enabled.

Closes-Bug: #1996188
Change-Id: Idf561f6306cebf756c787d8eefdc452ce44bd5e0
(cherry picked from commit 0d6282a)
(cherry picked from commit 4967ab6)
(cherry picked from commit dc8e5a5)
(cherry picked from commit f45b5f0)
(cherry picked from commit 9a98c4a)
Conflicts: glance/tests/unit/async_/flows/plugins/test_image_conversion.py
   - removed code related to missing tests - 050802d
(cherry picked from commit 06e6be5)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants