ros2 / sros2

tools to generate and distribute keys for SROS 2
Apache License 2.0

`ros2 daemon` inherits the security enclaves silently, possibly exposing the secured network. #315

Open fujitatomoya opened 2 months ago

fujitatomoya commented 2 months ago

Bug report

Required Info:

Steps to reproduce issue

This means that ros2 daemon is now enabled and bound with security enclaves. After the daemon is spawned, other unsecured users can see the connectivity and endpoints in the secured network, since they can query that data via XMLRPC from the ros2 daemon process.

```
root@51cdd59e1f3e:~/sros2_demo# export ROS_SECURITY_KEYSTORE=~/sros2_demo/demo_keystore
root@51cdd59e1f3e:~/sros2_demo# export ROS_SECURITY_ENABLE=true
root@51cdd59e1f3e:~/sros2_demo# export ROS_SECURITY_STRATEGY=Enforce
root@51cdd59e1f3e:~/sros2_demo# export ROS_SECURITY_ENCLAVE_OVERRIDE=/talker_listener/listener
root@51cdd59e1f3e:~/sros2_demo# ros2 daemon stop
The daemon is not running
root@51cdd59e1f3e:~/sros2_demo# ros2 topic list
[INFO] [1715901957.898174266] [rcl]: Found security directory: /root/sros2_demo/demo_keystore/enclaves/talker_listener/listener
/parameter_events
/rosout
root@51cdd59e1f3e:~/sros2_demo# ros2 daemon status
The daemon is running
root@51cdd59e1f3e:~/sros2_demo# ps -ef | grep daemon
root         881       1  0 16:25 pts/3    00:00:00 /usr/bin/python3 -c from ros2cli.daemon.daemonize import main; main() --name ros2-daemon --ros-domain-id 0 --rmw-implementation rmw_fastrtps_cpp
root         912     796  0 16:26 pts/3    00:00:00 grep --color=auto daemon
root@51cdd59e1f3e:~/sros2_demo# tr '\0' '\n' < /proc/881/environ | grep ROS_SECURITY
ROS_SECURITY_ENCLAVE_OVERRIDE=/talker_listener/listener
ROS_SECURITY_KEYSTORE=/root/sros2_demo/demo_keystore
ROS_SECURITY_STRATEGY=Enforce
ROS_SECURITY_ENABLE=true
```

Expected behavior

This is what I would like to discuss on this issue. Maybe ros2 daemon should not inherit the security information silently?

Actual behavior

ros2 daemon inherits the security enclaves silently, possibly exposing the secured network.

Additional information

Related issue: https://github.com/ros2/sros2/issues/306
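The reproduction above inspects `/proc/<pid>/environ` by hand to see which `ROS_SECURITY_*` variables the daemon picked up from the shell that spawned it. The following script automates that check for an operator who wants to know whether a daemon on the host is currently bound to a security enclave. It is an added example, not code from ros2cli or sros2: it assumes a Linux host with `/proc`, and it identifies the daemon by the `ros2cli.daemon` string that appears in the `ps` output above, which is an assumption about how the daemon is launched. The `SAMPLE_ENVIRON` bytes are constructed to mirror the session in the report so the parsing functions can be exercised without a live daemon.

```python
"""Report ROS_SECURITY_* settings inherited by a running ros2 daemon.

Added example for this issue; not part of ros2cli or sros2. Reads
/proc/<pid>/environ (Linux only) for processes whose cmdline mentions
ros2cli.daemon, which is an assumption about how the daemon is spawned.
"""
import os
import sys

# Constructed sample of a /proc/<pid>/environ payload (NUL-separated records),
# modelled on the session in the report; not captured from a real host.
SAMPLE_ENVIRON = (
    b"HOME=/root\0"
    b"ROS_SECURITY_ENCLAVE_OVERRIDE=/talker_listener/listener\0"
    b"ROS_SECURITY_KEYSTORE=/root/sros2_demo/demo_keystore\0"
    b"ROS_SECURITY_STRATEGY=Enforce\0"
    b"ROS_SECURITY_ENABLE=true\0"
    b"PATH=/usr/bin\0"
)

DAEMON_MARKER = b"ros2cli.daemon"  # assumed substring of the daemon's cmdline


def parse_environ(data: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE records of a /proc/<pid>/environ file."""
    env = {}
    for record in data.split(b"\0"):
        if not record or b"=" not in record:
            continue
        key, _, value = record.partition(b"=")
        env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def security_settings(env: dict) -> dict:
    """Return only the ROS_SECURITY_* variables, the ones the daemon inherits silently."""
    return {k: v for k, v in env.items() if k.startswith("ROS_SECURITY_")}


def daemon_has_security_enabled(env: dict) -> bool:
    """True when the environment turns security on and pins an enclave via override."""
    sec = security_settings(env)
    enabled = sec.get("ROS_SECURITY_ENABLE", "").lower() == "true"
    return enabled and "ROS_SECURITY_ENCLAVE_OVERRIDE" in sec


def find_daemon_pids() -> list:
    """Locate ros2 daemon processes by scanning /proc/<pid>/cmdline."""
    pids = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                cmdline = f.read()
        except OSError:
            continue  # process vanished or is not readable by this user
        if DAEMON_MARKER in cmdline:
            pids.append(int(entry))
    return pids


def main() -> int:
    pids = find_daemon_pids()
    if not pids:
        print("no ros2 daemon process found")
        return 0
    for pid in pids:
        try:
            with open(f"/proc/{pid}/environ", "rb") as f:
                env = parse_environ(f.read())
        except OSError as exc:
            print(f"pid {pid}: cannot read environ ({exc})")
            continue
        sec = security_settings(env)
        if not sec:
            print(f"pid {pid}: no ROS_SECURITY_* variables in daemon environment")
            continue
        state = "enabled" if daemon_has_security_enabled(env) else "present but not enforcing an enclave"
        print(f"pid {pid}: inherited security settings ({state}):")
        for key, value in sorted(sec.items()):
            print(f"  {key}={value}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the same user that owns the daemon (reading another user's `/proc/<pid>/environ` is normally denied), and treat a daemon whose environment shows `ROS_SECURITY_ENABLE=true` together with an enclave override as one that is answering XMLRPC queries on behalf of that enclave; `ros2 daemon stop` before switching enclaves avoids leaving such a process behind.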