[ovs-git] [openvswitch/ovs] 81d2f7: bridge: allow OVS to interact with controller thro...

GitHub noreply at github.com
Tue Jun 28 03:52:07 UTC 2016


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: 81d2f75cfc760b0c5ba0c2d5a4c4b2b0f3854740
      https://github.com/openvswitch/ovs/commit/81d2f75cfc760b0c5ba0c2d5a4c4b2b0f3854740
  Author: Ansis Atteka <aatteka at ovn.org>
  Date:   2016-06-27 (Mon, 27 Jun 2016)

  Changed paths:
    M NEWS
    M lib/daemon-syn.man
    M lib/daemon.c
    M lib/daemon.h
    M lib/daemon.man
    M utilities/ovs-ctl.8
    M utilities/ovs-ctl.in
    M vswitchd/bridge.c

  Log Message:
  -----------
  bridge: allow OVS to interact with controller through sockets outside run dir

Currently Open vSwitch is unable to create or connect to Unix Domain
Sockets outside the designated 'run' directory, because of fear of potential
remote exploits where a hacked remote OVSDB manager would tell Open vSwitch
to connect to a unix domain socket owned by another daemon on the same
hypervisor.

This patch allows disabling this behavior by changing the
/etc/default/openvswitch (Ubuntu) or /etc/sysconfig/openvswitch (RHEL)
file to:

...
OVS_CTL_OPTS=--no-self-confinement
...

Note that it is better to stick with the default behavior, unless:
1. You have Open vSwitch running under SELinux or AppArmor
   that would prevent OVS from messing with sockets owned by other
   daemons; OR
2. You are sure that relying on the OpenFlow handshake is enough to
   prevent OVS from adversely interacting with those other daemons
   running on the same hypervisor; OR
3. You don't have many worries about remote exploits in the first
   place, because perhaps the OVSDB manager is running on the same host
   as OVS.

The initial use-case for this patch is to allow connecting to an OpenFlow
controller that has its socket outside the OVS run directory.  However,
in the future it could be generalized to allow disabling self-confinement
for other things like DPDK vhost-user sockets or anything else
that is specifiable in OVSDB with a full path.

Signed-off-by: Ansis Atteka <aatteka at ovn.org>
Acked-by: Jesse Gross <jesse at kernel.org>
VMware-BZ: #1525857