[ovs-dev] [PATCH] bridge: allow OVS to interact with controller through sockets outside run dir

Ben Pfaff blp at ovn.org
Wed Jun 22 22:44:37 UTC 2016


On Mon, Jun 20, 2016 at 02:19:40PM -0700, Ansis Atteka wrote:
> Currently Open vSwitch is unable to create or connect to Unix Domain
> Sockets outside the designated 'run' directory, because of fear of potential
> remote exploits where a hacked remote OVSDB manager would tell Open vSwitch
> to connect to a unix domain socket owned by other daemons on the same
> hypervisor.
> 
> This patch allows this behavior to be disabled by changing the
> /etc/default/openvswitch file to:
> 
> ...
> OVS_CTL_OPTS=--no-self-confinement
> ...
> 
> Note, that it is better to stick with default behavior, unless:
> 1. You have Open vSwitch running under SELinux or AppArmor
>    that would prevent OVS from messing with sockets owned by other
>    daemons; OR
> 2. You are sure that relying on the OpenFlow handshake is enough to
>    prevent OVS from adversely interacting with those other daemons
>    running on the same hypervisor; OR
> 3. You don't have many worries about remote exploits in the first
>    place, because perhaps the OVSDB manager is running on the same host
>    as OVS.
> 
> Signed-off-by: Ansis Atteka <aatteka at ovn.org>
> VMware-BZ: #1525857

I'm comfortable with this idea but I have some comments on the
implementation.

I am surprised to see this implemented in daemon.[ch].  Usually options
implemented there are ones that every daemon can use, but so far at
least only ovs-vswitchd supports this feature.  Do you expect to extend
this to other daemons soon?

The description of the default behavior, above, is detailed and useful,
but it is not easily accessible to users, who would need it to appear in
the documentation.  I guess that this should be documented in the
ovs-vswitchd manpage, or if you really intend for it to be general, in
daemon.man and daemon-syn.man, as well as in the ovs-ctl manpage.

I'd add a NEWS item.

Thanks,

Ben.
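The self-confinement that the patch description refers to, as an added illustration written for this thread rather than code from Open vSwitch itself: a check that a `unix:` controller or manager target resolves to a path inside the daemon's run directory, so that a target supplied by a remote OVSDB manager cannot point at a socket owned by another daemon on the hypervisor. The function names, the run-directory value and the treatment of relative paths (joined onto the run directory) are assumptions for the example.

```python
import os

# Assumed run directory for the example; the real value depends on the build.
RUN_DIR = "/var/run/openvswitch"


def is_confined(path, run_dir=RUN_DIR):
    """True if `path` resolves (symlinks and '..' included) inside `run_dir`."""
    run_real = os.path.realpath(run_dir)
    path_real = os.path.realpath(path)
    # commonpath guards against prefix tricks such as run_dir + "2/sock".
    return os.path.commonpath([run_real, path_real]) == run_real


def validate_target(target, self_confinement=True, run_dir=RUN_DIR):
    """Decide whether a controller/manager target may be used.

    Only unix-domain targets ('unix:PATH') are subject to confinement;
    tcp:/ssl: targets are accepted unchanged.  With self_confinement=False
    (the patch's --no-self-confinement) every unix: path is accepted.
    """
    if not target.startswith("unix:"):
        return True
    sock_path = target[len("unix:"):]
    if not os.path.isabs(sock_path):
        # Assumption: relative paths are interpreted relative to the run dir.
        sock_path = os.path.join(run_dir, sock_path)
    if not self_confinement:
        return True
    return is_confined(sock_path, run_dir)


if __name__ == "__main__":
    # Constructed sample targets: one inside the run dir, one escaping it.
    for t in ("unix:br0.mgmt",
              "unix:/var/run/openvswitch/../libvirt/libvirt-sock",
              "tcp:127.0.0.1:6653"):
        print(t, "->", "allowed" if validate_target(t) else "rejected")
```

The escaping target above is rejected under the default behaviour and accepted once confinement is switched off, which is exactly the trade-off the three conditions in the commit message are asking the administrator to weigh.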
