[ovs-dev] [PATCH] bridge: allow OVS to connect to Unix Domain Sockets outside its run directory
Ben Pfaff
blp at ovn.org
Wed Jun 8 21:02:26 UTC 2016
On Thu, Jun 02, 2016 at 07:47:33PM -0700, Ansis Atteka wrote:
> Before this patch OVS refused to connect to a local controller that
> had its Unix Domain Socket outside the Open vSwitch run directory (e.g.
> outside '/var/run/openvswitch/').
>
> After this patch this restriction imposed by Open vSwitch itself is
> abandoned and OVS should be able to connect to controller's Unix Domain
> Sockets anywhere under the filesystem.

When I run "netstat -lnx" on my laptop, I see a bunch of listening Unix
domain sockets.

Some of these listening sockets are security sensitive, such as SSH
agents, so it wouldn't be good to have a remote manager be able to point
OVS to them: what if a clever person could figure out how to send
arbitrary data to them (maybe in a packet-in message somehow?) via
OpenFlow? Other examples are dbus and udev sockets.

That's my main worry here.
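
For reference, the kind of run-directory restriction under discussion can be sketched as below. This is an added example, not code from the patch or from Open vSwitch; the function name `unix_target_allowed`, the sample targets and the use of `/tmp` as a stand-in run directory are assumptions.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for realpath() */
#endif
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not OVS code): true only if 'target' is "unix:PATH"
 * and PATH resolves inside 'rundir' once ".." and symlinks are followed.
 * The result can still race if untrusted users can write to rundir. */
bool unix_target_allowed(const char *target, const char *rundir)
{
    char buf[PATH_MAX], real[PATH_MAX], run[PATH_MAX];
    if (strncmp(target, "unix:", 5) || target[5] != '/'
        || !realpath(rundir, run)) {
        return false;               /* not an absolute unix: target */
    }
    const char *path = target + 5;
    if (!realpath(path, real)) {    /* the socket may not exist yet */
        const char *slash = strrchr(path, '/');
        size_t dlen = slash == path ? 1 : (size_t) (slash - path);
        if (errno != ENOENT || !slash[1] || dlen >= sizeof buf) {
            return false;
        }
        memcpy(buf, path, dlen);
        buf[dlen] = '\0';
        if (!realpath(buf, real)) { /* resolve its directory instead */
            return false;
        }
    }
    size_t n = strlen(run);
    /* The prefix must end on a path boundary: "/tmp" must not match "/tmpx". */
    return !strncmp(real, run, n)
           && (n == 1 || real[n] == '/' || real[n] == '\0');
}

int main(void)
{
    /* Constructed sample targets; "/tmp" stands in for the run directory. */
    const char *t[] = { "unix:/tmp/ovs-example-ctl.sock",
                        "unix:/tmp/../ovs-example-agent.sock" };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++) {
        printf("%-40s %s\n", t[i],
               unix_target_allowed(t[i], "/tmp") ? "allowed" : "refused");
    }
    return 0;
}
```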