author: Ansis Atteka <aatteka@ovn.org> 2016-06-20 14:19:40 -0700
committer: Ansis Atteka <aatteka@ovn.org> 2016-06-27 20:36:16 -0700
commit: 81d2f75cfc760b0c5ba0c2d5a4c4b2b0f3854740
tree: 2eba7b11d138ebfc6ca6e88236a469003dfc865c /vswitchd
parent: 1ec0750ea876e0b7d4910891c9f0b688fa3c6be2
bridge: allow OVS to interact with controller through sockets outside run dir
Currently Open vSwitch is unable to create or connect to Unix Domain Sockets outside the designated 'run' directory, because of fear of potential remote exploits where a hacked remote OVSDB manager would tell Open vSwitch to connect to a unix domain socket owned by another daemon on the same hypervisor.

This patch allows disabling this behavior by changing the /etc/default/openvswitch (Ubuntu) or /etc/sysconfig/openvswitch (RHEL) file to:

...
OVS_CTL_OPTS=--no-self-confinement
...

Note that it is better to stick with the default behavior, unless:

1. You have Open vSwitch running under SELinux or AppArmor that would prevent OVS from messing with sockets owned by other daemons; OR
2. You are sure that relying on the OpenFlow handshake is enough to prevent OVS from adversely interacting with those other daemons running on the same hypervisor; OR
3. You don't have many worries about remote exploits in the first place, because perhaps the OVSDB manager is running on the same host as OVS.

The initial use-case for this patch is to allow connecting to an OpenFlow controller that has its socket outside the OVS run directory. However, in the future it could be generalized to allow disabling self-confinement for other things like DPDK vhost-user sockets or anything else that is specifiable in OVSDB with a full path.

Signed-off-by: Ansis Atteka <aatteka@ovn.org>
Acked-by: Jesse Gross <jesse@kernel.org>
VMware-BZ: #1525857
Diffstat (limited to 'vswitchd')
-rw-r--r--  vswitchd/bridge.c | 5
1 files changed, 3 insertions, 2 deletions
diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
index 917a80cb8..8ebfc667d 100644
--- a/vswitchd/bridge.c
+++ b/vswitchd/bridge.c
@@ -3570,8 +3570,9 @@ bridge_configure_remotes(struct bridge *br,
for (i = 0; i < n_controllers; i++) {
struct ovsrec_controller *c = controllers[i];
- if (!strncmp(c->target, "punix:", 6)
- || !strncmp(c->target, "unix:", 5)) {
+ if (daemon_should_self_confine()
+ && (!strncmp(c->target, "punix:", 6)
+ || !strncmp(c->target, "unix:", 5))) {
static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
char *whitelist;
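Review bot: once daemon_should_self_confine() returns false, a unix:/punix: target handed down from OVSDB skips the whitelist test at `if (daemon_should_self_confine() && ...)` silently, leaving no trace in the vswitchd log that the daemon was directed to a socket outside the run directory; since the commit message itself says this mode relies on SELinux/AppArmor or the OpenFlow handshake to contain a compromised manager, consider emitting a rate-limited warning (in the style of the `rl` limiter this block already declares) that names the target whenever the check is bypassed, so an operator auditing the host can see which out-of-run-dir sockets were configured. A one-line comment above the condition pointing at --no-self-confinement would also help the next reader, since the hunk does not otherwise say why the prefix test became conditional.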