[ovs-dev] [PATCH 0/3][RFC] Implement a chroot for ovsdb-server

Ben Pfaff blp at nicira.com
Thu Jul 17 16:57:09 UTC 2014


On Thu, Jul 17, 2014 at 08:35:04AM +0200, Eric Sesterhenn wrote:
> On 07/16/2014 08:04 PM, Ben Pfaff wrote:
> > A thought I've had about hardening ovs-vswitchd is to adopt an
> > OpenSSH-like privilege separation model, where a simple, separate
> > process with high privilege doles out restricted access to resources
> > as necessary to the main process over an RPC-based API.
> 
> That would be the best option, other projects like vsftpd do this as well,
> since the attacker requires a bug in the RPC mechanism or the kernel
> to escape the sandbox.

It probably wouldn't be too hard to do this in OVS, because we used to
do something very similar for non-security reasons.  It would be a
matter of resurrecting the "worker" library and adjusting it to better
suit as a security feature (e.g. passing a function pointer over an
RPC channel and then calling it on the rx side is a bad idea for
security!).

Look through the history for lib/worker.c to see the old library.

A security-oriented library might be simpler because it could probably
be synchronous rather than asynchronous.
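Sketch of the synchronous, opcode-based helper model described above, written as an added example for this thread (it is not OVS code, not the old lib/worker.c, and not from either poster). The unprivileged side sends a small opcode plus operands over a socketpair; the privileged helper checks the opcode against a fixed dispatch table it alone holds, so no function pointer ever crosses the channel. The opcodes, struct layouts and fork/socketpair arrangement are all assumptions made for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Assumed wire format: a small opcode plus operands, never a pointer. */
enum op { OP_ADD = 0, OP_MUL = 1, OP_COUNT };
struct req { uint32_t op; int32_t a, b; };
struct rsp { int32_t ok, value; };

/* Only the privileged helper holds the dispatch table. */
static int do_add(int a, int b) { return a + b; }
static int do_mul(int a, int b) { return a * b; }
static int (*const ops[OP_COUNT])(int, int) = { do_add, do_mul };

/* Helper loop: an out-of-range opcode is refused, not dereferenced. */
static void serve(int fd) {
    struct req r;
    while (read(fd, &r, sizeof r) == (ssize_t) sizeof r) {
        struct rsp s = { 0, 0 };
        if (r.op < OP_COUNT) { s.ok = 1; s.value = ops[r.op](r.a, r.b); }
        if (write(fd, &s, sizeof s) != (ssize_t) sizeof s) break;
    }
    _exit(0);
}

/* Unprivileged side: one synchronous round trip; INT_MIN = refused/broken. */
static int rpc_call(int fd, uint32_t op, int a, int b) {
    struct req r = { op, a, b }; struct rsp s;
    if (write(fd, &r, sizeof r) != (ssize_t) sizeof r) return INT_MIN;
    if (read(fd, &s, sizeof s) != (ssize_t) sizeof s) return INT_MIN;
    return s.ok ? s.value : INT_MIN;
}

/* Fork the helper over a socketpair, make one call, tear it down. */
int privsep_call(uint32_t op, int a, int b) {
    int sv[2], v;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return INT_MIN;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return INT_MIN; }
    if (pid == 0) { close(sv[0]); serve(sv[1]); }
    close(sv[1]);
    v = rpc_call(sv[0], op, a, b);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return v;
}
```

A real helper would of course drop privileges for the caller and validate operands, not just the opcode; the point here is only that the channel carries an index the receiver bounds-checks, never a pointer the receiver calls.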
