[ovs-dev] [PATCH 0/3][RFC] Implement a chroot for ovsdb-server
Justin Pettit
jpettit at nicira.com
Thu Jul 17 21:38:38 UTC 2014
On Thu, Jul 17, 2014 at 6:57 PM, Ben Pfaff <blp at nicira.com> wrote:
>
> It probably wouldn't be too hard to do this in OVS, because we used to
> do something very similar for non-security reasons. It would be a
> matter of resurrecting the "worker" library and adjusting it to better
> suit as a security feature (e.g. passing a function pointer over an
> RPC channel and then calling it on the rx side is a bad idea for
> security!).
>
> Look through the history for lib/worker.c to see the old library.
>
> A security-oriented library might be simpler because it could probably
> be synchronous rather than asynchronous.
By coincidence, I started sketching out a design for this earlier in the
week. I was going to show you an early draft when I'm back in the office
next week for a quick sniff test before sharing it more widely. I think
providing privilege separation as a run-time option would be valuable in
some environments.
--Justin
More information about the dev
mailing list