ros2 daemon inherits the security enclaves silently, possibly expose the secured network. #315

Open
fujitatomoya opened this issue May 16, 2024 · 0 comments

@fujitatomoya
Contributor

Bug report

Required Info:

  • Operating System:
    • Ubuntu 24.04
  • Installation type:
    • source build
  • Version or commit hash:
  • DDS implementation:
    • Fast-RTPS, RTI Connext, Cyclonedds
  • Client library (if applicable):
    • rclcpp, rclpy

Steps to reproduce issue

This means that the ros2 daemon is now enabled and bound with security enclaves.
After the daemon is spawned, other unsecured users can see the connectivity and endpoints in the secured network, since they can query that data via XMLRPC from the ros2 daemon process.

root@51cdd59e1f3e:~/sros2_demo# export ROS_SECURITY_KEYSTORE=~/sros2_demo/demo_keystore
root@51cdd59e1f3e:~/sros2_demo# export ROS_SECURITY_ENABLE=true
root@51cdd59e1f3e:~/sros2_demo# export ROS_SECURITY_STRATEGY=Enforce
root@51cdd59e1f3e:~/sros2_demo# export ROS_SECURITY_ENCLAVE_OVERRIDE=/talker_listener/listener
root@51cdd59e1f3e:~/sros2_demo# ros2 daemon stop
The daemon is not running
root@51cdd59e1f3e:~/sros2_demo# ros2 topic list
[INFO] [1715901957.898174266] [rcl]: Found security directory: /root/sros2_demo/demo_keystore/enclaves/talker_listener/listener
/parameter_events
/rosout
root@51cdd59e1f3e:~/sros2_demo# ros2 daemon status
The daemon is running
root@51cdd59e1f3e:~/sros2_demo# ps -ef | grep daemon
root         881       1  0 16:25 pts/3    00:00:00 /usr/bin/python3 -c from ros2cli.daemon.daemonize import main; main() --name ros2-daemon --ros-domain-id 0 --rmw-implementation rmw_fastrtps_cpp
root         912     796  0 16:26 pts/3    00:00:00 grep --color=auto daemon
root@51cdd59e1f3e:~/sros2_demo# tr '\0' '\n' < /proc/881/environ | grep ROS_SECURITY
ROS_SECURITY_ENCLAVE_OVERRIDE=/talker_listener/listener
ROS_SECURITY_KEYSTORE=/root/sros2_demo/demo_keystore
ROS_SECURITY_STRATEGY=Enforce
ROS_SECURITY_ENABLE=true

Expected behavior

This is what I would like to discuss in this issue. Maybe the ros2 daemon should not inherit the security information silently?

Actual behavior

The ros2 daemon inherits the security enclaves silently, possibly exposing the secured network.

Additional information

Related issue: #306
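
A way to check a host for the condition reported above, as an added example that is not part of the original issue or of ros2cli: it repeats the `/proc/<pid>/environ` inspection from the transcript for every running ros2 daemon. The function names are hypothetical, the daemon is recognised by the `ros2cli.daemon.daemonize` string seen in the `ps` output, and a Linux `/proc` layout is assumed.

```shell
#!/bin/sh
# Added example: audit ros2 daemon processes for inherited SROS2 settings.
# Function names are hypothetical; the variable names come from the issue.

# Print the ROS_SECURITY_* variables from a NUL-separated environ file.
security_env() {
    [ -r "$1" ] || return 0
    tr '\0' '\n' < "$1" | grep '^ROS_SECURITY_' | sort
}

# secured   = ROS_SECURITY_ENABLE=true is present in the environment
# unsecured = security is not enabled for this process
classify_env() {
    if security_env "$1" | grep -qx 'ROS_SECURITY_ENABLE=true'; then
        echo secured
    else
        echo unsecured
    fi
}

# Walk a proc root (default /proc) and print "<pid> <state> <enclave>"
# for each process whose command line names the ros2 daemon module.
audit_daemons() {
    root="${1:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        tr '\0' ' ' < "$dir/cmdline" | grep -qF 'ros2cli.daemon.daemonize' || continue
        pid="${dir##*/}"
        if [ -r "$dir/environ" ]; then
            state=$(classify_env "$dir/environ")
        else
            state=unknown   # environ of another user's process is not readable
        fi
        enclave=$(security_env "$dir/environ" |
            sed -n 's/^ROS_SECURITY_ENCLAVE_OVERRIDE=//p')
        echo "$pid $state ${enclave:--}"
    done
}

# Run the audit against the live system only when asked to.
if [ "${1:-}" = "--audit" ]; then
    audit_daemons
fi
```

A `secured` line means that daemon was spawned from a shell with security enabled, which is the situation described in this issue.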
