From f306e9ca88796f3f77fb2f3fef343c167d11b13a Mon Sep 17 00:00:00 2001
From: Sven Kieske <kieske@osism.tech>
Date: Wed, 5 Jun 2024 11:49:59 +0200
Subject: [PATCH] hardening horizon: don't mount hosts /tmp

consider this a security hardening
as it would be possible to write to host
owned private tmp files e.g. of systemd-logind
when you are able to hijack the apache2 process
inside the horizon container, which runs as root.

see the bug report for a demonstration of this.

I checked the horizon code, it only uses
python's tempfile module for temp file usage.

I also checked the horizon container we build
via `kolla-build -b ubuntu horizon`, which has
a /tmp/ directory.
So no mountpoint should be needed.

Closes-Bug: #2068126

Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: I7ae1db8d42c83b773047bb01e846d4abee02710a
---
 ansible/roles/horizon/defaults/main.yml                     | 1 -
 .../notes/harden_horizon_tmp_usage-0d690e49645b99a8.yaml    | 6 ++++++
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/harden_horizon_tmp_usage-0d690e49645b99a8.yaml

diff --git a/ansible/roles/horizon/defaults/main.yml b/ansible/roles/horizon/defaults/main.yml
index 04bf1763ac..93cd0058cd 100644
--- a/ansible/roles/horizon/defaults/main.yml
+++ b/ansible/roles/horizon/defaults/main.yml
@@ -127,7 +127,6 @@ horizon_default_volumes:
   - "/etc/localtime:/etc/localtime:ro"
   - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
   - "kolla_logs:/var/log/kolla/"
-  - "/tmp:/tmp"
 
 horizon_extra_volumes: "{{ default_extra_volumes }}"
 
diff --git a/releasenotes/notes/harden_horizon_tmp_usage-0d690e49645b99a8.yaml b/releasenotes/notes/harden_horizon_tmp_usage-0d690e49645b99a8.yaml
new file mode 100644
index 0000000000..323ccd53be
--- /dev/null
+++ b/releasenotes/notes/harden_horizon_tmp_usage-0d690e49645b99a8.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Removes the default `/tmp/` mountpoint from the horizon container. This
+    change is made to harden the container and prevent potential security
+    issues. For more information, see the Bug Report: `LP#2068126 <https://bugs.launchpad.net/kolla-ansible/+bug/2068126>`__.
-- 
GitLab