On Thu, Jul 17, 2014 at 08:35:04AM +0200, Eric Sesterhenn wrote:
> On 07/16/2014 08:04 PM, Ben Pfaff wrote:
> > A thought I've had about hardening ovs-vswitchd is to adopt an
> > OpenSSH-like privilege separation model, where a simple, separate
> > process with high privilege doles out restricted access to resources
> > as necessary to the main process over an RPC-based API.
>
> That would be the best option, other projects like vsftpd do this as well,
> since the attacker requires a bug in the RPC mechanism or the kernel
> to escape the sandbox.
It probably wouldn't be too hard to do this in OVS, because we used to do
something very similar for non-security reasons. It would be a matter of
resurrecting the "worker" library and adjusting it to better suit as a
security feature (e.g. passing a function pointer over an RPC channel and
then calling it on the rx side is a bad idea for security!). Look through
the history for lib/worker.c to see the old library.

A security-oriented library might be simpler because it could probably be
synchronous rather than asynchronous.
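The model discussed in this thread, as an added illustration (this is not Open vSwitch code and not the old lib/worker.c): a synchronous request/reply channel over a UNIX socketpair in which the unprivileged side asks for a resource by small integer ID, the privileged side looks the ID up in its own fixed table, opens the file itself and hands back only a file descriptor via SCM_RIGHTS. Nothing on the wire is ever treated as a code address or even as a path, which is the property the "function pointer over RPC" remark is warning about. All names (`priv_*`, `PRIV_RES_*`), the resource table and the `/etc/privsep-demo.conf` path are assumptions made for this example; `priv_roundtrip` drives both sides in one process only so the exchange can be exercised stand-alone, whereas a real deployment would fork and drop privileges in the requesting child.

```c
/* Added example: minimal synchronous privilege-separation channel.
 * Integers only cross the socket; fds come back as ancillary data. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

enum priv_op  { PRIV_OP_OPEN_RO = 1 };                    /* the only RPC verb */
enum priv_res { PRIV_RES_NULL_DEV = 1, PRIV_RES_CONF = 2 }; /* assumed resource IDs */

struct priv_request { uint32_t op; uint32_t res; };  /* plain integers, no pointers */
struct priv_reply   { int32_t status; };             /* 0 = fd attached, else -errno */

/* Privileged side: the requester never names a path; this table does. */
static const char *priv_path_for(uint32_t res)
{
    switch (res) {
    case PRIV_RES_NULL_DEV: return "/dev/null";
    case PRIV_RES_CONF:     return "/etc/privsep-demo.conf"; /* assumed path */
    default:                return NULL;
    }
}

/* Privileged side: validate the verb and resource ID, then act. */
int priv_dispatch(const struct priv_request *req, int *fd)
{
    const char *path;
    if (req->op != PRIV_OP_OPEN_RO) return -EINVAL;   /* unknown verb: refuse */
    path = priv_path_for(req->res);
    if (!path) return -EINVAL;                         /* unknown resource: refuse */
    *fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    return *fd < 0 ? -errno : 0;
}

/* Send a reply, attaching fd (if >= 0) as SCM_RIGHTS ancillary data. */
static int send_reply(int sock, const struct priv_reply *rep, int fd)
{
    char cbuf[CMSG_SPACE(sizeof fd)];
    struct iovec iov = { (void *)rep, sizeof *rep };
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    if (fd >= 0) {
        struct cmsghdr *c;
        memset(cbuf, 0, sizeof cbuf);
        msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
        c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof fd);
        memcpy(CMSG_DATA(c), &fd, sizeof fd);
    }
    return sendmsg(sock, &msg, 0) == (ssize_t)sizeof *rep ? 0 : -errno;
}

/* Privileged side: serve exactly one request; synchronous, no queueing. */
int priv_serve_one(int sock)
{
    struct priv_request req;
    struct priv_reply rep;
    int fd = -1, rc;
    if (recv(sock, &req, sizeof req, 0) != (ssize_t)sizeof req) return -EIO;
    rep.status = priv_dispatch(&req, &fd);
    rc = send_reply(sock, &rep, fd);
    if (fd >= 0) close(fd);   /* drop our copy; the peer now owns its own */
    return rc;
}

/* Unprivileged side, step 1: send the request. */
int priv_request_send(int sock, uint32_t res)
{
    struct priv_request req = { PRIV_OP_OPEN_RO, res };
    return send(sock, &req, sizeof req, 0) == (ssize_t)sizeof req ? 0 : -EIO;
}

/* Unprivileged side, step 2: collect the reply. Returns fd >= 0 or -errno. */
int priv_request_finish(int sock)
{
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct priv_reply rep;
    struct iovec iov = { &rep, sizeof rep };
    struct msghdr msg;
    struct cmsghdr *c;
    int fd = -1;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &msg, 0) != (ssize_t)sizeof rep) return -EIO;
    c = CMSG_FIRSTHDR(&msg);   /* NULL when no ancillary data arrived */
    if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS
        && c->cmsg_len == CMSG_LEN(sizeof fd))
        memcpy(&fd, CMSG_DATA(c), sizeof fd);
    if (rep.status) { if (fd >= 0) close(fd); return rep.status; }
    return fd >= 0 ? fd : -EIO;
}

/* Demo driver: one call through an in-process server over a socketpair. */
int priv_roundtrip(uint32_t res)
{
    int sv[2], rc;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -errno;
    rc = priv_request_send(sv[0], res);
    if (rc == 0) rc = priv_serve_one(sv[1]);
    if (rc == 0) rc = priv_request_finish(sv[0]);
    close(sv[0]); close(sv[1]);
    return rc;
}
```

`priv_dispatch` is the whole attack surface of the privileged side: two integer comparisons and a table lookup, which is what makes this kind of channel auditable in a way that an RPC carrying callbacks or caller-supplied paths is not.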