On 22 June 2016 at 15:44, Ben Pfaff <b...@ovn.org> wrote:
> On Mon, Jun 20, 2016 at 02:19:40PM -0700, Ansis Atteka wrote:
> > Currently Open vSwitch is unable to create or connect to Unix domain
> > sockets outside the designated 'run' directory, because of fear of potential
> > remote exploits where a hacked remote OVSDB manager would tell Open vSwitch
> > to connect to Unix domain sockets owned by other daemons on the same
> > hypervisor.
> >
> > This patch allows disabling this behavior by changing the
> > /etc/default/openvswitch file to:
> >
> > ...
> > OVS_CTL_OPTS=--no-self-confinement
> > ...
> >
> > Note that it is better to stick with the default behavior, unless:
> > 1. You have Open vSwitch running under SELinux or AppArmor
> >    that would prevent OVS from messing with sockets owned by other
> >    daemons; OR
> > 2. You are sure that relying on the OpenFlow handshake is enough to
> >    prevent OVS from adversely interacting with those other daemons
> >    running on the same hypervisor; OR
> > 3. You don't have many worries about remote exploits in the first
> >    place, because perhaps the OVSDB manager is running on the same host
> >    as OVS.
> >
> > Signed-off-by: Ansis Atteka <aatt...@ovn.org>
> > VMware-BZ: #1525857
>
> I'm comfortable with this idea but I have some comments on the
> implementation.
>
Thanks for the review. I sent PATCHv2 that should address your concerns
regarding documentation: https://patchwork.ozlabs.org/patch/640601/.

> I am surprised to see this implemented in daemon.[ch]. Usually options
> implemented there are ones that every daemon can use, but so far at
> least only ovs-vswitchd supports this feature. Do you expect to extend
> this to other daemons soon?

Yes, I think the --no-self-confinement flag should extend to other daemons.

> The description of the default behavior, above, is detailed and useful,
> but it is not easily accessible to users, who would need it to appear in
> the documentation. I guess that this should be documented in the
> ovs-vswitchd manpage, or if you really intend for it to be general, in
> daemon.man and daemon-syn.man, as well as in the ovs-ctl manpage.
>
> I'd add a NEWS item.
>
> Thanks,
>
> Ben.

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
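The self-confinement check the thread is arguing about, as an added illustration that is not Open vSwitch's own code: given a Unix socket target and the daemon's run directory, accept the target only if it canonicalises to a location inside that directory, and show what each of the obvious escapes (a `..` component, a symlink planted inside the run directory, a sibling directory that merely shares the run directory's name as a prefix) does with confinement on and off. The helper names `is_confined` and `resolve_unix_target`, the `self_confine` flag standing in for `--no-self-confinement`, and the temporary `run/openvswitch` and `run/libvirt` layout are assumptions made for this example.

```python
import os
import tempfile


def is_confined(sock_path, run_dir):
    """True if sock_path canonicalises to a location inside run_dir.

    Both sides go through os.path.realpath, which follows symlinks in the
    components that exist and normalises '.' and '..' in the rest, so
    neither a '..' component nor a symlink planted inside run_dir can
    redirect the daemon to a socket owned by another process.
    """
    run_real = os.path.realpath(run_dir)
    target_real = os.path.realpath(sock_path)
    try:
        # commonpath, not startswith: '/run/ovs-evil' is not inside '/run/ovs'.
        return os.path.commonpath([run_real, target_real]) == run_real
    except ValueError:
        # Raised when absolute and relative paths are mixed; treat as outside.
        return False


def resolve_unix_target(target, run_dir, self_confine=True):
    """Policy described in the thread (hypothetical helper, not OVS code).

    A bare socket name is placed under run_dir; an absolute path is accepted
    only while it stays inside run_dir. self_confine=False models what
    --no-self-confinement does: every target is accepted unchecked.
    """
    path = target if os.path.isabs(target) else os.path.join(run_dir, target)
    if self_confine and not is_confined(path, run_dir):
        raise PermissionError(
            "%r resolves outside %r; refusing (self-confinement)" % (target, run_dir))
    return path


def demo():
    """Exercise the check against a constructed run-directory layout.

    Returns a dict mapping case name -> 'allowed' or 'refused'.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        run_dir = os.path.join(tmp, "run", "openvswitch")  # the daemon's own dir
        other = os.path.join(tmp, "run", "libvirt")        # another daemon's dir
        os.makedirs(run_dir)
        os.makedirs(other)
        # Someone who can write into run_dir plants a symlink that points at
        # the other daemon's directory (constructed attack scenario).
        os.symlink(other, os.path.join(run_dir, "escape"))

        cases = {
            "relative": "db.sock",
            "absolute-inside": os.path.join(run_dir, "br0.mgmt"),
            "dotdot": os.path.join(run_dir, "..", "libvirt", "libvirt-sock"),
            "symlink": os.path.join(run_dir, "escape", "libvirt-sock"),
            "prefix-trick": run_dir + "-evil/x.sock",
        }
        for name, target in cases.items():
            try:
                resolve_unix_target(target, run_dir)
                results[name] = "allowed"
            except PermissionError:
                results[name] = "refused"

        # The same symlink escape with confinement switched off goes through.
        resolve_unix_target(cases["symlink"], run_dir, self_confine=False)
        results["symlink-unconfined"] = "allowed"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-20s %s" % (case, outcome))
```

Two details matter in practice. The comparison uses `os.path.commonpath` on canonicalised paths rather than a string prefix test, because a prefix test would accept `.../openvswitch-evil/x.sock` as being inside `.../openvswitch`. And canonicalisation has to happen on the target's existing ancestors, not just lexically, or the planted symlink case sails through; that residual trust in whoever can write to the run directory is exactly what the thread's option 1 (SELinux or AppArmor) is meant to back up.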