On Mon, Jun 27, 2016 at 7:20 PM, Ansis Atteka <aatt...@ovn.org> wrote:
> Currently Open vSwitch is unable to create or connect to Unix Domain
> Sockets outside the designated 'run' directory, because of fear of potential
> remote exploits where a hacked remote OVSDB manager would tell Open vSwitch
> to connect to a unix domain socket owned by another daemon on the same
> hypervisor.
>
> This patch allows disabling this behavior by changing the
> /etc/default/openvswitch (Ubuntu) or /etc/sysconfig/openvswitch (RHEL)
> file to:
>
> ...
> OVS_CTL_OPTS=--no-self-confinement
> ...
>
> Note that it is better to stick with the default behavior, unless:
> 1. You have Open vSwitch running under SELinux or AppArmor
>    that would prevent OVS from messing with sockets owned by other
>    daemons; OR
> 2. You are sure that relying on the OpenFlow handshake is enough to
>    prevent OVS from adversely interacting with those other daemons
>    running on the same hypervisor; OR
> 3. You don't have many worries about remote exploits in the first
>    place, because perhaps the OVSDB manager is running on the same host
>    as OVS.
>
> The initial use-case for this patch is to allow connecting to an OpenFlow
> controller that has its socket outside the OVS run directory. However,
> in the future it could be generalized to allow disabling self-confinement
> for other things like DPDK vhost-user sockets or anything else
> that is specifiable in OVSDB with a full path.
>
> Signed-off-by: Ansis Atteka <aatt...@ovn.org>
> VMware-BZ: #1525857
Acked-by: Jesse Gross <je...@kernel.org>

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
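The patch message above describes two things a host administrator may want to check: whether a node's startup options carry `--no-self-confinement`, and what the confinement rule itself means (a socket path must stay inside the run directory, even after `..` components and symlinks are resolved). The following is an added example, not code from the thread or from the Open vSwitch project: it parses a constructed sysconfig-style file for the `OVS_CTL_OPTS` flag and applies a containment check to candidate socket paths. The run directory `/var/run/openvswitch` is an assumed value used for illustration; `path_inside_run_dir` is a hypothetical illustration of the rule, not OVS's own implementation.

```python
import os
import re
import shlex

# Constructed samples in the shape of /etc/default/openvswitch (Ubuntu) or
# /etc/sysconfig/openvswitch (RHEL), as referenced in the patch message.
SAMPLE_CONFIG_DEFAULT = """
# Open vSwitch startup options (default: self-confinement stays on)
OVS_CTL_OPTS=
"""

SAMPLE_CONFIG_RELAXED = """
# Open vSwitch startup options (confinement disabled, as the patch allows)
OVS_CTL_OPTS="--no-self-confinement"
"""

# Assumed run directory for the illustration; adjust to the installation's value.
ASSUMED_RUN_DIR = "/var/run/openvswitch"


def ovs_ctl_opts(config_text):
    """Return the words of OVS_CTL_OPTS from a sysconfig-style file.

    The file is shell syntax, so the value may be quoted; shlex splits it the
    way the shell would.  The last assignment wins, as it would when the
    init script sources the file.
    """
    opts = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(?:export\s+)?OVS_CTL_OPTS=(.*)$", line)
        if m:
            opts = shlex.split(m.group(1))
    return opts


def self_confinement_disabled(config_text):
    """True when the startup options turn self-confinement off."""
    return "--no-self-confinement" in ovs_ctl_opts(config_text)


def path_inside_run_dir(sock_path, run_dir=ASSUMED_RUN_DIR):
    """Illustrative confinement rule: the canonical socket path must be
    under the canonical run directory.

    realpath() resolves '..' and symlinks on both sides, so a path such as
    run_dir + '/../../lib/other-daemon.sock' is correctly rejected, as is a
    sibling directory whose name merely shares the run_dir prefix.
    """
    run_real = os.path.realpath(run_dir)
    sock_real = os.path.realpath(sock_path)
    return os.path.commonpath([run_real, sock_real]) == run_real


def audit(config_text, socket_paths, run_dir=ASSUMED_RUN_DIR):
    """Report which configured socket paths would only be reachable with
    self-confinement disabled.  Returns (confinement_off, outside_paths)."""
    confinement_off = self_confinement_disabled(config_text)
    outside = [p for p in socket_paths if not path_inside_run_dir(p, run_dir)]
    return confinement_off, outside


if __name__ == "__main__":
    # Constructed candidate socket paths a manager might hand to the daemon.
    candidates = [
        ASSUMED_RUN_DIR + "/db.sock",
        ASSUMED_RUN_DIR + "/../../lib/other-daemon/other.sock",
    ]
    for name, cfg in (("default", SAMPLE_CONFIG_DEFAULT),
                      ("relaxed", SAMPLE_CONFIG_RELAXED)):
        off, outside = audit(cfg, candidates)
        print(f"{name}: self-confinement disabled={off}; "
              f"paths outside run dir={outside}")
```

Run on a real host, the second sample would be the one to flag in a configuration review: the flag is only appropriate under one of the three conditions the patch message lists (MAC confinement such as SELinux or AppArmor, trust in the OpenFlow handshake, or a manager that is not remote).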