On 22/02/2016 08:57, "Ben Pfaff" <b...@ovn.org> wrote:
>On Fri, Feb 05, 2016 at 11:40:11AM -0800, Ben Pfaff wrote:
>> On Thu, Feb 04, 2016 at 03:42:34AM +0000, Daniele Di Proietto wrote:
>> >
>> > On 03/02/2016 14:47, "Ben Pfaff" <b...@ovn.org> wrote:
>> >
>> > >On Tue, Feb 02, 2016 at 05:56:35PM -0800, Daniele Di Proietto wrote:
>> > >> This check prevents an obvious way for a vhost-user socket to escape the
>> > >> intended directory.
>> > >>
>> > >> There might be other ways to escape the directory (none comes to mind at
>> > >> the moment), but this is a problem that should be properly solved by
>> > >> mandatory access control.
>> > >>
>> > >> A similar check is done for a bridge name, since that name is used as
>> > >> part of a socket as well.
>> > >>
>> > >> Signed-off-by: Daniele Di Proietto <diproiet...@vmware.com>
>> > >
>> > >I am not sure whether the restriction for .. is necessary. Do you have
>> > >something in mind there?
>> >
>> > The difference between here and the bridge management socket is that here
>> > we have no suffix. A vhost user port named .. should have a socket in
>> > "/var/run/openvswitch/.."
>> >
>> > It will not be possible to create a socket like this nor to remove the
>> > directory (I believe unlink should refuse to remove directories), but I
>> > thought it was better to check for this and fail early with a better
>> > error message rather than try to create/unlink an invalid path.
>> >
>> > Now that I think about it the name "." has the same problem.
>> >
>> > What do you think?
>>
>> I think that both unlink and bind for . and .. will yield an error, and
>> I think that the cause will be pretty obvious, so I don't see a need for
>> the special case.
>
>Hi Daniele, are you planning to send a v2 for this patch? I think that
>we should definitely address it.
Hi Ben,

You're right, I sent a v2 here:
http://openvswitch.org/pipermail/dev/2016-February/066556.html

Thanks
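The name check this thread discusses, written out as an added example in C (not the v1 or v2 patch itself): it rejects names containing '/' (which could escape the run directory) and, following the fail-early argument above, also "." and "..", so a bad name is refused with a clear result before any bind or unlink is attempted. The run directory, function names and sample names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OVS code: accept a vhost-user socket name only if it
 * cannot leave the run directory. Rejects empty names, names containing
 * '/', and the special directory entries "." and "..". */
bool
vhost_name_is_safe(const char *name)
{
    if (!name || name[0] == '\0') {
        return false;
    }
    if (strchr(name, '/')) {
        return false;           /* "../x" or "a/b" would escape the dir */
    }
    if (!strcmp(name, ".") || !strcmp(name, "..")) {
        return false;           /* would name the dir itself or its parent */
    }
    return true;
}

/* Build "<run_dir>/<name>" only for names that pass the check.
 * Returns the path length, or -1 if the name is rejected or the
 * buffer is too small. */
int
vhost_socket_path(char *buf, size_t size, const char *run_dir,
                  const char *name)
{
    if (!vhost_name_is_safe(name)) {
        return -1;
    }
    int n = snprintf(buf, size, "%s/%s", run_dir, name);
    return (n < 0 || (size_t) n >= size) ? -1 : n;
}

int
main(void)
{
    /* Constructed sample names: one valid, the rest illustrate rejections. */
    const char *names[] = { "vhost0", "../outside", "..", ".", "a/b", "" };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int n = vhost_socket_path(path, sizeof path,
                                  "/var/run/openvswitch", names[i]);
        printf("%-12s -> %s\n", names[i], n < 0 ? "rejected" : path);
    }
    return 0;
}
```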