On 27 June 2016 at 19:52, Jesse Gross <je...@kernel.org> wrote:
> On Mon, Jun 27, 2016 at 7:20 PM, Ansis Atteka <aatt...@ovn.org> wrote:
> > Currently Open vSwitch is unable to create or connect to Unix Domain
> > Sockets outside the designated 'run' directory, because of fear of potential
> > remote exploits where a hacked remote OVSDB manager would tell Open vSwitch
> > to connect to a unix domain socket owned by another daemon on the same
> > hypervisor.
> >
> > This patch allows disabling this behavior by changing the
> > /etc/default/openvswitch (Ubuntu) or /etc/sysconfig/openvswitch (RHEL)
> > file to:
> >
> > ...
> > OVS_CTL_OPTS=--no-self-confinement
> > ...
> >
> > Note that it is better to stick with the default behavior, unless:
> > 1. You have Open vSwitch running under SELinux or AppArmor
> >    that would prevent OVS from messing with sockets owned by other
> >    daemons; OR
> > 2. You are sure that relying on the OpenFlow handshake is enough to
> >    prevent OVS from adversely interacting with those other daemons
> >    running on the same hypervisor; OR
> > 3. You don't have many worries about remote exploits in the first
> >    place, because perhaps the OVSDB manager is running on the same host
> >    as OVS.
> >
> > The initial use-case for this patch is to allow connecting to an OpenFlow
> > controller that has its socket outside the OVS run directory. However,
> > in the future it could be generalized to allow disabling self-confinement
> > for other things like DPDK vhost-user sockets or anything else
> > that is specifiable in OVSDB with a full path.
> >
> > Signed-off-by: Ansis Atteka <aatt...@ovn.org>
> > VMware-BZ: #1525857
> Acked-by: Jesse Gross <je...@kernel.org>
>
Thanks, I pushed this!
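Before turning on --no-self-confinement on a host, an operator may want to see which configured controller or manager targets the default confinement is actually refusing, i.e. which unix: sockets sit outside the run directory. The script below is an added audit helper, not part of this patch or the OVS project; it assumes the run directory is /var/run/openvswitch (overridable via OVS_RUNDIR), that relative unix: paths resolve inside it, and the sample targets are constructed.

```shell
# Added audit helper (not OVS project code): lists OVSDB-specified
# targets that default self-confinement would refuse, so you can see
# what --no-self-confinement would newly permit before enabling it.
# Assumption: relative unix: paths resolve inside the run directory.
OVS_RUNDIR="${OVS_RUNDIR:-/var/run/openvswitch}"

# normalize_path PATH: lexically collapse '.', '..' and repeated '/'.
# Purely lexical: it does not resolve symlinks (e.g. /var/run -> /run).
normalize_path() (
    set -f; IFS='/'; _out=""
    for _seg in $1; do
        case "$_seg" in
            ''|'.') ;;
            '..') _out="${_out%/*}" ;;
            *) _out="$_out/$_seg" ;;
        esac
    done
    printf '%s\n' "${_out:-/}"
)

# classify TARGET: prints confined, unconfined or non-unix
classify() {
    case "$1" in
        unix:*) _p="${1#unix:}" ;;
        *) printf 'non-unix\n'; return 0 ;;
    esac
    case "$_p" in /*) ;; *) _p="$OVS_RUNDIR/$_p" ;; esac
    _p=$(normalize_path "$_p")
    case "$_p" in
        "$OVS_RUNDIR"/*) printf 'confined\n' ;;
        *) printf 'unconfined\n' ;;
    esac
}

# audit_targets: read one target per line on stdin (e.g. the output of
# 'ovs-vsctl get-controller BR' or 'ovs-vsctl get-manager') and print
# the ones self-confinement would reject.
audit_targets() {
    while IFS= read -r _t || [ -n "$_t" ]; do
        [ "$(classify "$_t")" = unconfined ] && printf '%s\n' "$_t"
    done
    return 0
}

# Constructed sample targets, not taken from a real deployment.
printf '%s\n' 'unix:/var/run/openvswitch/br0.mgmt' \
    'unix:/var/run/openvswitch/../../run/other-daemon/ctl.sock' \
    'tcp:127.0.0.1:6653' | audit_targets
```

Note that a path that only escapes the run directory through a symlink is not caught by this lexical check; a kernel-side policy (SELinux or AppArmor, as the commit message suggests) is what actually enforces the boundary.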