
Rootless preempt-rt mode (Work in Progress) #918

Draft
wants to merge 6 commits into base: master

Conversation

dwrobel
Contributor

@dwrobel dwrobel commented Aug 4, 2020

Allows running linuxcnc in preempt-rt mode without root (setuid bit).

Benefits:

  • allows to always run using SCHED_FIFO policy (on both rt and non-rt kernels),
  • CI flow can use and test exactly the same code flow as will be used in production,
  • latency-test (on modern hardware) should return much more reliable results on a non-rt kernel,
  • will help packaging linuxcnc in Fedora (see: setuid removal) and maybe other distros where setuid binaries are not welcome.

How to run it:

  • In order to run it in place, just set the following capabilities:
$ sudo setcap cap_ipc_lock,cap_net_admin,cap_sys_rawio,cap_sys_nice+ep  bin/rtapi_app
  • If you're going to use parallel port, just add yourself to the appropriate group (as you would do for accessing printer).

TODO list:

  • add something like make setcap target to set capabilities on rtapi_app,
  • decide how to clean up the API: like rtapi_is_realtime(),
  • add an option to not invoke iptables in hm2_eth.c (it's much easier and more reliable to configure the rules using firewalld/NetworkManager e.g. on Fedora >=32 firewalld switched from iptables to nftables backend),
  • test with pci cards (currently tested with parport and ethernet based mesa card),
  • very likely other things were missed - would appreciate feedback.

Signed-off-by: Damian Wrobel <[email protected]>
The code tries to unify the codebase of using SCHED_FIFO
between root and non-root, as being root is not a prerequisite
to set the SCHED_FIFO scheduler policy (see capabilities(7)).

Signed-off-by: Damian Wrobel <[email protected]>
Temporarily disable executing iptables.

Signed-off-by: Damian Wrobel <[email protected]>
Also print out both linuxcnc_debug.txt and linuxcnc_print.txt
in case of failure.

Signed-off-by: Damian Wrobel <[email protected]>
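The description above grants rtapi_app a small set of file capabilities instead of the setuid bit, and the commit message notes that root is not what gates SCHED_FIFO; the effective capability set is (capabilities(7)). The following added example, which is not LinuxCNC code, shows the runtime check a non-setuid binary can make: it reads its own effective capability mask from /proc/self/status, tests the CAP_SYS_NICE bit (bit 23 in linux/capability.h), reads the RLIMIT_RTPRIO soft limit that governs uncapped processes, and then asks for SCHED_FIFO and reports the outcome instead of assuming euid == 0 decides it. The CapEff sample line in the test is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Bit index of CAP_SYS_NICE in the Linux capability bitmask (from linux/capability.h). */
#define CAP_SYS_NICE_BIT 23

/* Parse one "CapEff:<whitespace><hex>" line from /proc/<pid>/status into a 64-bit mask.
 * Returns 1 and stores the mask on success, 0 if the line is not a parseable CapEff line. */
int parse_capeff_line(const char *line, uint64_t *mask)
{
    static const char prefix[] = "CapEff:";
    if (strncmp(line, prefix, sizeof prefix - 1) != 0)
        return 0;
    const char *p = line + (sizeof prefix - 1);
    while (*p == ' ' || *p == '\t')
        p++;
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return 0;
    *mask = (uint64_t)v;
    return 1;
}

/* Convenience for a single status line: -1 if it is not a CapEff line, else 0/1 for the bit. */
int line_has_cap(const char *line, int bit)
{
    uint64_t mask = 0;
    if (!parse_capeff_line(line, &mask))
        return -1;
    return (int)((mask >> bit) & 1);
}

/* Read the calling process's effective capability set. Returns 1 on success, 0 on failure. */
int read_effective_caps(uint64_t *mask)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    char line[256];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (parse_capeff_line(line, mask)) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* True when CAP_SYS_NICE is in the effective set, regardless of euid. */
int has_sys_nice(void)
{
    uint64_t mask = 0;
    if (!read_effective_caps(&mask))
        return 0;
    return (int)((mask >> CAP_SYS_NICE_BIT) & 1);
}

/* Soft RLIMIT_RTPRIO: the highest SCHED_FIFO priority an uncapped process may request (0 = none). */
long rtprio_soft_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_RTPRIO, &rl) != 0)
        return 0;
    return rl.rlim_cur == RLIM_INFINITY ? 99 : (long)rl.rlim_cur;
}

/* Request SCHED_FIFO at the given priority for the calling thread; 0 on success, else -errno. */
int request_fifo(int prio)
{
    struct sched_param sp;
    memset(&sp, 0, sizeof sp);
    sp.sched_priority = prio;
    if (sched_setscheduler(0, SCHED_FIFO, &sp) == -1)
        return -errno;
    return 0;
}

/* Return to SCHED_OTHER; 0 on success, else -errno. */
int release_fifo(void)
{
    struct sched_param sp;
    memset(&sp, 0, sizeof sp);
    if (sched_setscheduler(0, SCHED_OTHER, &sp) == -1)
        return -errno;
    return 0;
}

/* Kernel rule check: without CAP_SYS_NICE and with RLIMIT_RTPRIO == 0, SCHED_FIFO must be refused
 * with EPERM; otherwise the request either succeeds or is refused by policy (seccomp, cgroups).
 * Returns 1 when the observed outcome matches that rule, 0 otherwise. Always restores SCHED_OTHER. */
int fifo_outcome_consistent(void)
{
    int r = request_fifo(1);
    int ok = (r == 0 || r == -EPERM);
    if (!has_sys_nice() && rtprio_soft_limit() == 0)
        ok = (r == -EPERM);
    if (r == 0)
        release_fifo();
    return ok;
}

int main(void)
{
    printf("euid=%d CAP_SYS_NICE=%d RLIMIT_RTPRIO=%ld\n",
           (int)geteuid(), has_sys_nice(), rtprio_soft_limit());
    int r = request_fifo(1);
    printf("SCHED_FIFO request: %s\n", r == 0 ? "granted" : strerror(-r));
    if (r == 0)
        release_fifo();
    return 0;
}
```

Run it once as an ordinary user and once after `setcap cap_sys_nice+ep` on the compiled binary: the euid stays non-zero in both cases, and only the capability bit and the SCHED_FIFO outcome change, which is exactly why a check on the effective set (rather than on euid) lets the root and non-root code paths be the same.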
@dwrobel dwrobel marked this pull request as draft August 4, 2020 19:58
@dwrobel dwrobel mentioned this pull request Aug 4, 2020
@jepler
Contributor

jepler commented Aug 4, 2020

Things to make sure of as you work on this:

  • Top priority: Identify parts of this which can be separated into pull requests which can be incorporated one by one, so that you have to carry less "outstanding work" as the process continues and you can monitor community acceptance of the coding choices you're making instead of getting the real feedback at the end.
    For instance, these immediately strike me as separate PRs that can be evaluated on their own merits:
    • re-working how hm2_eth does firewalls
    • re-working how harden_rt can work without root but with capabilities (if you can keep as-root and as-capabilities intact, or as a configure-time flag)
  • It must remain possible to run LinuxCNC in a pure simulator mode with no elevated privileges required to build it, run the tests, run UIs in simulator mode, etc.
  • It must work on whatever range of platforms we will commit to supporting in our main development branch
  • It must be furnished with the debian packaging work completed as well. I am not familiar with how capabilities are represented in debian packages, so you may have to educate yourself.
  • It must not regress on preventing non-rtapi_app processes from sending packets on the ethernet interface while LinuxCNC is running.

I don't know what the point is of protecting a system against a setuid binary but allowing a binary with cap_sys_rawio, but linux security decisions are a land of contrasts.

@andypugh
Collaborator

It's been quite a while, but this might still be a good idea. Any comments?

@petterreinholdtsen
Collaborator

It sounds like a great idea to reduce the privileges needed to run linuxcnc. Any hope to get this patch out of draft / work in progress mode?


4 participants