authorAnsis Atteka <aatteka@ovn.org>2016-06-20 14:19:40 -0700
committerAnsis Atteka <aatteka@ovn.org>2016-06-27 20:36:16 -0700
commit81d2f75cfc760b0c5ba0c2d5a4c4b2b0f3854740 (patch)
tree2eba7b11d138ebfc6ca6e88236a469003dfc865c /lib/daemon.h
parent1ec0750ea876e0b7d4910891c9f0b688fa3c6be2 (diff)
bridge: allow OVS to interact with controller through sockets outside run dir
Currently Open vSwitch is unable to create or connect to Unix domain sockets outside the designated 'run' directory, because of the fear of potential remote exploits where a hacked remote OVSDB manager would tell Open vSwitch to connect to a Unix domain socket owned by another daemon on the same hypervisor. This patch allows this behavior to be disabled by changing the /etc/default/openvswitch (Ubuntu) or /etc/sysconfig/openvswitch (RHEL) file to: ... OVS_CTL_OPTS=--no-self-confinement ... Note that it is better to stick with the default behavior, unless: 1. You have Open vSwitch running under SELinux or AppArmor, which would prevent OVS from messing with sockets owned by other daemons; OR 2. You are sure that relying on the OpenFlow handshake is enough to prevent OVS from adversely interacting with those other daemons running on the same hypervisor; OR 3. You do not worry much about remote exploits in the first place, because perhaps the OVSDB manager is running on the same host as OVS. The initial use case for this patch is to allow connecting to an OpenFlow controller that has its socket outside the OVS run directory. However, in the future it could be generalized to allow disabling self-confinement for other things like DPDK vhost-user sockets or anything else that is specifiable in OVSDB with a full path. Signed-off-by: Ansis Atteka <aatteka@ovn.org> Acked-by: Jesse Gross <jesse@kernel.org> VMware-BZ: #1525857
Diffstat (limited to 'lib/daemon.h')
-rw-r--r--lib/daemon.h14
1 files changed, 14 insertions, 0 deletions
diff --git a/lib/daemon.h b/lib/daemon.h
index 49904159c..b0350551b 100644
--- a/lib/daemon.h
+++ b/lib/daemon.h
@@ -39,6 +39,7 @@
#ifndef _WIN32
#define DAEMON_OPTION_ENUMS \
OPT_DETACH, \
+ OPT_NO_SELF_CONFINEMENT, \
OPT_NO_CHDIR, \
OPT_OVERWRITE_PIDFILE, \
OPT_PIDFILE, \
@@ -47,6 +48,7 @@
#define DAEMON_LONG_OPTIONS \
{"detach", no_argument, NULL, OPT_DETACH}, \
+ {"no-self-confinement", no_argument, NULL, OPT_NO_SELF_CONFINEMENT}, \
{"no-chdir", no_argument, NULL, OPT_NO_CHDIR}, \
{"pidfile", optional_argument, NULL, OPT_PIDFILE}, \
{"overwrite-pidfile", no_argument, NULL, OPT_OVERWRITE_PIDFILE}, \
@@ -58,6 +60,10 @@
set_detach(); \
break; \
\
+ case OPT_NO_SELF_CONFINEMENT: \
+ daemon_disable_self_confinement(); \
+ break; \
+ \
case OPT_NO_CHDIR: \
set_no_chdir(); \
break; \
@@ -86,6 +92,7 @@ pid_t read_pidfile(const char *name);
#else
#define DAEMON_OPTION_ENUMS \
OPT_DETACH, \
+ OPT_NO_SELF_CONFINEMENT, \
OPT_NO_CHDIR, \
OPT_PIDFILE, \
OPT_PIPE_HANDLE, \
@@ -95,6 +102,7 @@ pid_t read_pidfile(const char *name);
#define DAEMON_LONG_OPTIONS \
{"detach", no_argument, NULL, OPT_DETACH}, \
+ {"no-self-confinement" no_argument, NULL, OPT_NO_SELF_CONFINEMENT}, \
{"no-chdir", no_argument, NULL, OPT_NO_CHDIR}, \
{"pidfile", optional_argument, NULL, OPT_PIDFILE}, \
{"pipe-handle", required_argument, NULL, OPT_PIPE_HANDLE}, \
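Review bot: The Windows branch of DAEMON_LONG_OPTIONS is missing a comma between the option name and its argument flag on the added line, so `{"no-self-confinement" no_argument, NULL, OPT_NO_SELF_CONFINEMENT}` is a string literal followed directly by an identifier and will not compile once this header is expanded in a _WIN32 build; the line should read `{"no-self-confinement", no_argument, NULL, OPT_NO_SELF_CONFINEMENT}, \`. The non-Windows counterpart earlier in the file has the comma, which is the drift that keeping two copies of the option table invites; building the Windows configuration would have caught it. The DAEMON_LONG_OPTIONS macro this line belongs to continues past the end of the hunk.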
@@ -106,6 +114,10 @@ pid_t read_pidfile(const char *name);
case OPT_DETACH: \
break; \
\
+ case OPT_NO_SELF_CONFINEMENT: \
+ daemon_disable_self_confinement(); \
+ break; \
+ \
case OPT_NO_CHDIR: \
break; \
\
@@ -138,6 +150,8 @@ void daemonize_complete(void);
void daemon_set_new_user(const char * user_spec);
void daemon_become_new_user(bool access_datapath);
void daemon_usage(void);
+void daemon_disable_self_confinement(void);
+bool daemon_should_self_confine(void);
void service_start(int *argcp, char **argvp[]);
void service_stop(void);
bool should_service_stop(void);
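Review bot: The two new declarations carry no comment saying what "self-confinement" covers, so the commit message is the only place that explains it is the restriction of the Unix domain sockets OVS creates or connects to to its run directory, and that opting out is meant to be the exception. A short comment above them would keep that contract next to the code, e.g. `/* Self-confinement restricts the Unix domain sockets OVS creates or connects to to its run directory; it is on by default and is turned off only by --no-self-confinement. */`. It would also help to state whether daemon_disable_self_confinement() is one-way and whether it is safe to call more than once, which the declarations alone do not show.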