[ovs-dev] [PATCH 1/1] daemon-unix: Support OVS-DPDK HW offloads for non-root user

Aaron Conole aconole at redhat.com
Wed Sep 16 20:05:55 UTC 2020


David Marchand <david.marchand at redhat.com> writes:

> On Tue, Sep 15, 2020 at 12:52 PM Ameer Mahagneh <ameerm at nvidia.com> wrote:
>>
>> For security reasons only root or privileged user can allocate Interconnect
>> Context Memory (ICM). Add this capability for vendors that require ICM
>> allocation when applying DPDK rte flows.
>>
>> Signed-off-by: Ameer Mahagneh <ameerm at nvidia.com>
>> Acked-by: Eli Britstein <elibr at nvidia.com>
>> ---

Why is this needed?  SYS_RAWIO is extremely privileged and means that
there is no point even in dropping privs or changing UID - the process
with these caps is allowed to alter anything, map /dev/mem and
/dev/kmem, etc.

Is there really no other way of doing this?  This feels somewhat like a
security regression rather than an improvement.  NOTE that we cannot
even use an LSM to protect against this - sys_rawio is able to perform
operations that can subvert LSMs.

>>  lib/daemon-unix.c | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/lib/daemon-unix.c b/lib/daemon-unix.c
>> index ae59ecf2c..d32a60657 100644
>> --- a/lib/daemon-unix.c
>> +++ b/lib/daemon-unix.c
>> @@ -820,6 +820,7 @@ daemon_become_new_user_linux(bool access_datapath OVS_UNUSED)
>>              if (access_datapath && !ret) {
>>                  ret = capng_update(CAPNG_ADD, cap_sets, CAP_NET_ADMIN)
>>                        || capng_update(CAPNG_ADD, cap_sets, CAP_NET_RAW)
>> +                      || capng_update(CAPNG_ADD, cap_sets, CAP_SYS_RAWIO)
>>                        || capng_update(CAPNG_ADD, cap_sets, CAP_NET_BROADCAST);
>>              }
>>          } else {
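Review bot: the added `capng_update(CAPNG_ADD, cap_sets, CAP_SYS_RAWIO)` is unconditional for every `access_datapath` caller, so any ovs-vswitchd that drops to a non-root user keeps CAP_SYS_RAWIO whether or not DPDK HW offload is in use; because this capability allows raw I/O and /dev/mem access that neither the UID drop nor an LSM can contain, it should at minimum be gated on an explicit option for the vendors that need ICM allocation, and the patch should ship with the manual and SELinux policy updates the thread asks for. The commit message should also name the driver and the specific operation that fails without it, so reviewers can judge whether a narrower capability would suffice.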
>
> This patch seems incomplete: the manual is not updated and I would
> expect some changes in the selinux policy files.
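The concern above is that a capability retained after the UID drop is what actually bounds the daemon, not the UID. An added example (not OVS code and not part of this thread) that audits what a running daemon kept: it decodes the `Cap*` hex masks in `/proc/<pid>/status` using the fixed bit numbers from `linux/capability.h` and flags CAP_SYS_RAWIO. The `SAMPLE_STATUS` text is constructed for illustration; the daemon name, UID and mask values in it are assumptions.

```python
"""Audit the capability sets of a running daemon (e.g. ovs-vswitchd after a
--user privilege drop) and flag CAP_SYS_RAWIO.  Added example; not part of
the OVS patch or the mailing-list thread.

Reads the Cap* lines from /proc/<pid>/status and decodes the hex bitmasks
using the capability bit numbers defined in <linux/capability.h>.
"""
import sys

# Bit numbers from linux/capability.h (fixed kernel ABI values).
CAP_BITS = {
    "CAP_NET_BROADCAST": 11,
    "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13,
    "CAP_SYS_RAWIO": 17,
    "CAP_SYS_ADMIN": 21,
}
NAME_BY_BIT = {bit: name for name, bit in CAP_BITS.items()}


def parse_cap_sets(status_text):
    """Return {set_name: int_mask} for CapInh/CapPrm/CapEff/CapBnd/CapAmb."""
    masks = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            name, _, value = line.partition(":")
            masks[name.strip()] = int(value.strip(), 16)
    return masks


def caps_in(mask):
    """Names of the capability bits set in mask (unknown bits as CAP_<n>)."""
    return {NAME_BY_BIT.get(bit, f"CAP_{bit}")
            for bit in range(64) if (mask >> bit) & 1}


def audit(status_text):
    """Return (effective_caps, findings) for a /proc/<pid>/status dump."""
    masks = parse_cap_sets(status_text)
    eff = caps_in(masks.get("CapEff", 0))
    findings = []
    if "CAP_SYS_RAWIO" in eff:
        findings.append("CAP_SYS_RAWIO is effective: raw I/O and /dev/mem "
                        "access; the UID drop does not bound this process")
    if "CAP_SYS_ADMIN" in eff:
        findings.append("CAP_SYS_ADMIN is effective: effectively root")
    return eff, findings


def read_status(pid):
    """Read /proc/<pid>/status for a live process (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        return f.read()


# Constructed sample (not a real capture): a daemon that kept NET_BROADCAST,
# NET_ADMIN, NET_RAW and SYS_RAWIO, i.e. bits 11, 12, 13, 17 -> 0x23800.
SAMPLE_STATUS = """\
Name:\tovs-vswitchd
Uid:\t997\t997\t997\t997
CapInh:\t0000000000000000
CapPrm:\t0000000000023800
CapEff:\t0000000000023800
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    # Usage: python audit_caps.py <pid>   (no argument: audit the sample)
    text = read_status(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STATUS
    eff, findings = audit(text)
    print("effective:", sorted(eff))
    for finding in findings:
        print("FINDING:", finding)
```

Run it against the PID of a daemon started with `--user` to see which capabilities survived the drop; a mask of 0x3800 (NET_BROADCAST, NET_ADMIN, NET_RAW) is the set the unpatched code above leaves in place, while 0x23800 is what the patch produces.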
