[ovs-dev] [PATCHv3] bridge: allow OVS to interact with controller through sockets outside run dir

Jesse Gross jesse at kernel.org
Tue Jun 28 02:52:36 UTC 2016


On Mon, Jun 27, 2016 at 7:20 PM, Ansis Atteka <aatteka at ovn.org> wrote:
> Currently Open vSwitch is unable to create or connect to Unix Domain
> Sockets outside designated 'run' directory, because of fear of potential
> remote exploits where a hacked remote OVSDB manager would tell Open vSwitch
> to connect to a unix domain socket owned by other daemon on the same
> hypervisor.
>
> This patch allows disabling this behavior by changing
> /etc/default/openvswitch (Ubuntu) or /etc/sysconfig/openvswitch (RHEL)
> file to:
>
> ...
> OVS_CTL_OPTS=--no-self-confinement
> ...
>
> Note that it is better to stick with default behavior, unless:
> 1. You have Open vSwitch running under SELinux or AppArmor
>    that would prevent OVS from messing with sockets owned by other
>    daemons; OR
> 2. You are sure that relying on OpenFlow handshake is enough to
>    prevent OVS from adversely interacting with those other daemons
>    running on the same hypervisor; OR
> 3. You don't have many worries about remote exploits in the first
>    place, because perhaps OVSDB manager is running on the same host
>    as OVS.
>
> The initial use-case for this patch is to allow connecting to an OpenFlow
> controller that has its socket outside OVS run directory.  However,
> in the future it could be generalized to allow disabling self-confinement
> for other things like DPDK vhost-user sockets or anything else
> that is specifiable in OVSDB with full path.
>
> Signed-off-by: Ansis Atteka <aatteka at ovn.org>
> VMware-BZ: #1525857

Acked-by: Jesse Gross <jesse at kernel.org>
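The commit message above documents an opt-out (OVS_CTL_OPTS=--no-self-confinement) that widens what a compromised OVSDB manager could make ovs-vswitchd touch. The script below is an added example, not part of the patch or of Open vSwitch: an audit helper that reports whether a host has opted out. It assumes the Debian/Ubuntu file layout (/etc/default/openvswitch; RHEL uses /etc/sysconfig/openvswitch) and takes the file path as a parameter so it can be exercised on constructed sample files.

```shell
#!/bin/sh
# Added example, not part of the patch or of Open vSwitch: audit whether a host
# has OVS self-confinement switched off through OVS_CTL_OPTS.
# Assumes the Debian/Ubuntu file /etc/default/openvswitch; on RHEL the file is
# /etc/sysconfig/openvswitch. The path is a parameter so the check can run
# against a constructed sample as well as the live file.

# ovs_confinement_status FILE
# Prints "disabled" when the last uncommented OVS_CTL_OPTS assignment in FILE
# carries --no-self-confinement, otherwise "enabled" (also when FILE or the
# variable is missing). Only literal text is inspected: an appended value such
# as "$OVS_CTL_OPTS --no-self-confinement" is matched on its literal flag.
ovs_confinement_status() {
    file=$1
    if [ ! -r "$file" ]; then
        echo enabled
        return 0
    fi
    # Later assignments win, as they would when the shell sources the file.
    line=$(grep -E '^[[:space:]]*(export[[:space:]]+)?OVS_CTL_OPTS=' "$file" | tail -n 1)
    if [ -z "$line" ]; then
        echo enabled
        return 0
    fi
    opts=${line#*OVS_CTL_OPTS=}
    # Strip one pair of surrounding double or single quotes.
    case $opts in
        \"*\") opts=${opts#\"}; opts=${opts%\"} ;;
        \'*\') opts=${opts#\'}; opts=${opts%\'} ;;
    esac
    # Whole-word match so that a longer flag sharing the prefix is not counted.
    case " $opts " in
        *" --no-self-confinement "*) echo disabled ;;
        *) echo enabled ;;
    esac
}

# Constructed sample configs (not real host files) to exercise the check.
make_sample() {
    tmp=$(mktemp) || exit 1
    printf '%s\n' "$@" > "$tmp"
    echo "$tmp"
}

confined=$(make_sample '# default: keep confinement' 'OVS_CTL_OPTS=""')
unconfined=$(make_sample '# commented out, so ignored:' \
    '#OVS_CTL_OPTS=--no-self-confinement' \
    'OVS_CTL_OPTS="--no-self-confinement"')

echo "default-like config: $(ovs_confinement_status "$confined")"
echo "opt-out config:      $(ovs_confinement_status "$unconfined")"
# Audit the real file when present; a missing file means the default (confined).
echo "this host:           $(ovs_confinement_status /etc/default/openvswitch)"
rm -f "$confined" "$unconfined"
```

Run it as root on each hypervisor (or point it at a copied config) and treat "disabled" as a finding to pair with the conditions the commit message lists: an SELinux/AppArmor profile around ovs-vswitchd, or an OVSDB manager that is not remote.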


