[ovs-dev] [PATCH 2/3] netdev-dpdk: Do not add vhost-user ports with '/' in name.

Daniele Di Proietto diproiettod at vmware.com
Mon Feb 22 19:44:28 UTC 2016



On 22/02/2016 08:57, "Ben Pfaff" <blp at ovn.org> wrote:

>On Fri, Feb 05, 2016 at 11:40:11AM -0800, Ben Pfaff wrote:
>> On Thu, Feb 04, 2016 at 03:42:34AM +0000, Daniele Di Proietto wrote:
>> > 
>> > 
>> > On 03/02/2016 14:47, "Ben Pfaff" <blp at ovn.org> wrote:
>> > 
>> > >On Tue, Feb 02, 2016 at 05:56:35PM -0800, Daniele Di Proietto wrote:
>> > >> This check prevents an obvious way for a vhost-user socket to escape the
>> > >> intended directory.
>> > >> 
>> > >> There might be other ways to escape the directory (none comes to mind at
>> > >> the moment), but this is a problem that should be properly solved by
>> > >> mandatory access control.
>> > >> 
>> > >> A similar check is done for a bridge name, since that name is used as
>> > >> part of a socket as well.
>> > >> 
>> > >> Signed-off-by: Daniele Di Proietto <diproiettod at vmware.com>
>> > >
>> > >I am not sure whether the restriction for .. is necessary.  Do you have
>> > >something in mind there?
>> > 
>> > The difference between here and the bridge management socket is that here
>> > we have no suffix.  A vhost user port named .. should have a socket in
>> > "/var/run/openvswitch/.."
>> > 
>> > It will not be possible to create a socket like this nor to remove the
>> > directory (I believe unlink should refuse to remove directories), but I
>> > thought it was better to check for this and fail early with a better
>> > error message rather than try to create/unlink an invalid path.
>> > 
>> > Now that I think about it the name "." has the same problem.
>> >  
>> > What do you think?
>> 
>> I think that both unlink and bind for . and .. will yield an error, and
>> I think that the cause will be pretty obvious, so I don't see a need for
>> the special case.
>
>Hi Daniele, are you planning to send a v2 for this patch?  I think that
>we should definitely address it.

Hi Ben,

You're right, I sent a v2 here:

http://openvswitch.org/pipermail/dev/2016-February/066556.html

Thanks
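
The following C example is added here; it is not part of the thread and is not code from the OVS tree, and `vhost_sock_path` and `vhost_sock_bind` are hypothetical names. It rejects a port name containing '/' before joining it to the socket directory, and lets you observe what bind() returns for "." and "..", which contain no '/' and so pass that check.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical helper (not OVS code): build "<dir>/<name>" for a vhost-user
 * socket, refusing names that would place the socket outside <dir>.
 * Returns 0 on success or a positive errno value. */
int
vhost_sock_path(const char *dir, const char *name, struct sockaddr_un *sun)
{
    int n;

    if (name[0] == '\0' || strchr(name, '/')) {
        return EINVAL;          /* "a/b", "../x" and "/abs" all contain '/'. */
    }
    memset(sun, 0, sizeof *sun);
    sun->sun_family = AF_UNIX;
    n = snprintf(sun->sun_path, sizeof sun->sun_path, "%s/%s", dir, name);
    if (n < 0 || (size_t) n >= sizeof sun->sun_path) {
        return ENAMETOOLONG;    /* Refuse rather than bind a truncated path. */
    }
    return 0;
}

/* Validate the name, then try to bind a socket at the resulting path.
 * Returns 0 on success or a positive errno value.  On success the socket
 * file is left on disk; the caller is responsible for unlinking it. */
int
vhost_sock_bind(const char *dir, const char *name)
{
    struct sockaddr_un sun;
    int error = vhost_sock_path(dir, name, &sun);
    int fd;

    if (error) {
        return error;
    }
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) {
        return errno;
    }
    error = bind(fd, (struct sockaddr *) &sun, sizeof sun) ? errno : 0;
    close(fd);
    return error;
}
```

On Linux, bind() reports EADDRINUSE for both dot names because the path already exists as a directory.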
