    bridge: allow OVS to interact with controller through sockets outside run dir · 81d2f75c
    Ansis Atteka authored
    
    
    Currently Open vSwitch is unable to create or connect to Unix Domain
    Sockets outside the designated 'run' directory, because of fear of potential
    remote exploits where a hacked remote OVSDB manager would tell Open vSwitch
    to connect to a unix domain socket owned by another daemon on the same
    hypervisor.
    
    This patch allows disabling this behavior by changing the
    /etc/default/openvswitch (Ubuntu) or /etc/sysconfig/openvswitch (RHEL)
    file to:
    
    ...
    OVS_CTL_OPTS=--no-self-confinement
    ...
    
    Note that it is better to stick with the default behavior, unless:
    1. You have Open vSwitch running under SELinux or AppArmor
       that would prevent OVS from messing with sockets owned by other
       daemons; OR
    2. You are sure that relying on the OpenFlow handshake is enough to
       prevent OVS from adversely interacting with those other daemons
       running on the same hypervisor; OR
    3. You don't have many worries about remote exploits in the first
       place, because perhaps the OVSDB manager is running on the same host
       as OVS.
    
    The initial use case for this patch is to allow connecting to an OpenFlow
    controller that has its socket outside the OVS run directory.  However,
    in the future it could be generalized to allow disabling self-confinement
    for other things like DPDK vhost-user sockets or anything else
    that is specifiable in OVSDB with a full path.
    
    Signed-off-by: Ansis Atteka <aatteka@ovn.org>
    Acked-by: Jesse Gross <jesse@kernel.org>
    VMware-BZ: #1525857
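The commit message describes a host-level switch (OVS_CTL_OPTS=--no-self-confinement in the distribution's sysconfig file) and the condition it relaxes (a controller or manager target that is a Unix socket outside the OVS run directory). The POSIX shell script below is an added example for auditing both on a host; it is not code from Open vSwitch or from this commit. It assumes the run directory defaults to /var/run/openvswitch and that a relative "unix:" path is resolved under that run directory, so only an absolute path can point outside it; the file names, target strings and the sample sysconfig content are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Open vSwitch commit: audit whether an OVS host
# has self-confinement switched off, and whether a given controller/manager
# target is a Unix socket that the default confinement would refuse.
#
# Assumptions (not stated on the commit page): the run directory defaults to
# /var/run/openvswitch, and a relative "unix:" path is resolved under that
# run directory, so only absolute paths can point outside it.

OVS_RUNDIR="${OVS_RUNDIR:-/var/run/openvswitch}"

# self_confinement_status FILE
# FILE is /etc/default/openvswitch or /etc/sysconfig/openvswitch.
# Prints "disabled" (exit 0) if the effective OVS_CTL_OPTS line contains
# --no-self-confinement, otherwise "enabled" (exit 1).
self_confinement_status() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "enabled"          # no config file: the packaged default applies
        return 1
    fi
    # Skip comment lines; a later assignment overrides an earlier one in shell.
    opts=$(grep -v '^[[:space:]]*#' "$file" | grep 'OVS_CTL_OPTS=' | tail -n 1)
    case "$opts" in
        *--no-self-confinement*) echo "disabled"; return 0 ;;
        *)                       echo "enabled";  return 1 ;;
    esac
}

# target_outside_rundir TARGET
# TARGET is a controller or manager target as stored in OVSDB, e.g.
# "unix:/run/sdn/ctl.sock", "punix:br0.mgmt" or "tcp:192.0.2.1:6653".
# Exit 0 when it is a Unix socket with an absolute path outside OVS_RUNDIR,
# i.e. the case that needs --no-self-confinement; exit 1 otherwise.
target_outside_rundir() {
    case "$1" in
        unix:*|punix:*)
            path="${1#*unix:}"
            case "$path" in
                "$OVS_RUNDIR"/*) return 1 ;;   # inside the run directory
                /*)              return 0 ;;   # absolute path elsewhere
                *)               return 1 ;;   # relative: resolved under run dir
            esac
            ;;
        *) return 1 ;;                         # TCP/SSL targets are not confined
    esac
}

# audit_targets FILE [TARGET...]
# Prints one line per TARGET that points outside the run directory, together
# with the host's self-confinement status from FILE. Exit 1 when at least one
# such target exists (so the function can gate a config check), else 0.
audit_targets() {
    conf="$1"; shift
    status=$(self_confinement_status "$conf") || true
    found=0
    for t in "$@"; do
        if target_outside_rundir "$t"; then
            found=1
            echo "$t: outside $OVS_RUNDIR, self-confinement $status"
        fi
    done
    return "$found"
}

# Constructed sample input so the script runs offline.
demo() {
    tmp=$(mktemp)
    printf '# sample sysconfig, constructed for this example\nOVS_CTL_OPTS=--no-self-confinement\n' > "$tmp"
    if audit_targets "$tmp" "unix:/run/sdn/ctl.sock" "punix:br0.mgmt" "tcp:192.0.2.1:6653"; then
        echo "no targets outside $OVS_RUNDIR"
    fi
    rm -f "$tmp"
}
demo
```

On a real host the target list would come from `ovs-vsctl get-controller <bridge>` and `ovs-vsctl get-manager`; a line reporting "self-confinement disabled" for a target outside the run directory is exactly the configuration the commit message says to avoid unless one of its three conditions holds.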