[ovs-discuss] Using unix sockets for controller communication

Ben Pfaff blp at nicira.com
Fri Oct 14 17:19:51 UTC 2011


On Fri, Oct 14, 2011 at 10:58:09AM +0900, Jari Sundell wrote:
> On Fri, Oct 14, 2011 at 2:36 AM, Ben Pfaff <blp at nicira.com> wrote:
> > On Thu, Oct 13, 2011 at 05:50:37PM +0900, Jari Sundell wrote:
> >> In the thread "ARP Behavior in XenServer Host"
> >> <http://openvswitch.org/pipermail/discuss/2011-September/005624.html>,
> >> an issue similar to what I'm dealing with was discussed. While I get
> >> my setup working using 'disable-in-band' option, that isn't the
> >> optimal solution.
> >>
> >> What I was really hoping to do was to use a unix socket for
> >> communication with the controller, yet this has been disabled due to
> >> the fear of remote exploits.
> >
> > Every OVS bridge already listens automatically to
> > punix:/var/run/openvswitch/<bridge>.mgmt.  What if we also whitelisted
> > the exact path unix:/var/run/openvswitch/<bridge>.controller?  Would
> > that solve your problem?
> >
> > (Hmm, seems that we should probably prohibit "/" in bridge names.)
> 
> Yes, that would solve my problem.
> 
> Since creating a unix socket the permissions, etc, depends on the
> directory, being able to configure the fixed path to use for each
> bridge would be nice. Else the controller will require write
> permission to the openvswitch directory. However getting the above
> whitelist implemented is sufficient for me.

Sounds good.

Here is a patch.  Will you test it for me?

Thanks,

Ben.

--8<--------------------------cut here-------------------------->8--

From: Ben Pfaff <blp at nicira.com>
Date: Fri, 14 Oct 2011 10:17:13 -0700
Subject: [PATCH] bridge: Allow specially named "unix:" controllers.

Some users want to use Unix domain socket controllers, so this relaxes the
restriction.

Requested-by: Jari Sundell <sundell.software at gmail.com>
---
 vswitchd/bridge.c |   25 +++++++++++++++++++------
 1 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
index 186f250..b5071e2 100644
--- a/vswitchd/bridge.c
+++ b/vswitchd/bridge.c
@@ -2035,13 +2035,26 @@ bridge_configure_remotes(struct bridge *br,
         if (!strncmp(c->target, "punix:", 6)
             || !strncmp(c->target, "unix:", 5)) {
             static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5);
+            char *whitelist;
+
+            whitelist = xasprintf("unix:%s/%s.controller",
+                                  ovs_rundir(), br->name);
+            if (strcmp(c->target, whitelist)) {
+                /* Prevent remote ovsdb-server users from accessing arbitrary
+                 * Unix domain sockets and overwriting arbitrary local
+                 * files. */
+                VLOG_ERR_RL(&rl, "bridge %s: Not adding Unix domain socket "
+                            "controller \"%s\" due to possibility for remote "
+                            "exploit.  Instead, specify whitelisted \"%s\" or "
+                            "connect to \"unix:%s/%s.mgmt\" (which is always "
+                            "available without special configuration).",
+                            br->name, c->target, whitelist,
+                            ovs_rundir(), br->name);
+                free(whitelist);
+                continue;
+            }
 
-            /* Prevent remote ovsdb-server users from accessing arbitrary Unix
-             * domain sockets and overwriting arbitrary local files. */
-            VLOG_ERR_RL(&rl, "bridge %s: not adding Unix domain socket "
-                        "controller \"%s\" due to possibility for remote "
-                        "exploit", br->name, c->target);
-            continue;
+            free(whitelist);
         }
 
         bridge_configure_local_iface_netdev(br, c);
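Review bot: `whitelist` is built from `br->name` without checking that the name is a single path component, so a bridge name containing "/" or ".." (settable by the same remote ovsdb-server user the comment in this hunk guards against) produces a whitelisted target that resolves outside ovs_rundir(); the quoted discussion already proposes prohibiting "/" in bridge names, so either reject such names before the strcmp or have this branch refuse them explicitly. A smaller point: a "punix:" target can never equal the "unix:" whitelist, so it is always rejected here while the log message only tells the user which "unix:" path to use; stating that only "unix:" is accepted would avoid confusion.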
-- 
1.7.4.4
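As an added example, not part of the patch or of Open vSwitch, the whitelist check below is written as a stand-alone function together with the bridge-name restriction the thread suggests (rejecting "/" and ".." so the whitelisted path cannot leave the run directory). Function names, and the run directory and bridge names used in main(), are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not OVS code). Returns 1 if 'name' is safe to use as a
 * single path component: non-empty, no '/', and not "." or "..". */
int bridge_name_is_safe(const char *name)
{
    if (!name || !*name) {
        return 0;
    }
    if (strchr(name, '/')) {
        return 0;
    }
    if (!strcmp(name, ".") || !strcmp(name, "..")) {
        return 0;
    }
    return 1;
}

/* Builds the single permitted "unix:" target for a bridge, mirroring the
 * patch's xasprintf() format. Caller frees the result. */
char *controller_whitelist(const char *rundir, const char *name)
{
    size_t n = strlen("unix:") + strlen(rundir) + 1 + strlen(name)
               + strlen(".controller") + 1;
    char *s = malloc(n);
    if (!s) {
        return NULL;
    }
    snprintf(s, n, "unix:%s/%s.controller", rundir, name);
    return s;
}

/* Returns 1 if the controller entry should proceed to configuration.
 * Targets that are not Unix domain sockets (tcp:, ssl:) are not subject
 * to this rule and pass through, as in the patch. A "unix:" target passes
 * only if it equals the whitelist exactly and the bridge name is safe;
 * "punix:" is never accepted. */
int controller_target_allowed(const char *rundir, const char *name,
                              const char *target)
{
    if (strncmp(target, "punix:", 6) && strncmp(target, "unix:", 5)) {
        return 1;
    }
    if (!bridge_name_is_safe(name)) {
        return 0;
    }
    char *wl = controller_whitelist(rundir, name);
    if (!wl) {
        return 0;
    }
    int ok = !strcmp(target, wl);
    free(wl);
    return ok;
}

int main(void)
{
    /* Constructed inputs; "/var/run/openvswitch" is the directory the
     * thread discusses, the bridge names are made up. */
    const char *rundir = "/var/run/openvswitch";
    const char *cases[][2] = {
        { "br0",    "unix:/var/run/openvswitch/br0.controller" },
        { "br0",    "unix:/tmp/other.sock" },
        { "br0",    "punix:/var/run/openvswitch/br0.controller" },
        { "../etc", "unix:/var/run/openvswitch/../etc.controller" },
        { "br0",    "tcp:127.0.0.1:6633" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("bridge %-8s target %-48s -> %s\n", cases[i][0], cases[i][1],
               controller_target_allowed(rundir, cases[i][0], cases[i][1])
               ? "accepted" : "rejected");
    }
    return 0;
}
```

The exact string comparison is what makes the whitelist safe: it is not enough to check that a target starts with the run directory, because a bridge name is also attacker-influenced, which is why the name check runs before the path is built.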
