[lxc-devel] [PATCH 1/1] Update the openvswitch bridge attach code

Stéphane Graber stgraber at ubuntu.com
Fri Aug 22 20:39:40 UTC 2014


On Fri, Aug 22, 2014 at 08:29:23PM +0000, Serge Hallyn wrote:
> 1. don't determine ovs-vsctl path at configure time, do it at runtime
> 
> 2. lxc-user-nic: set a sane path to protect from unpriv users
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  configure.ac           | 11 -----------
>  src/lxc/Makefile.am    |  4 ----
>  src/lxc/lxc_user_nic.c |  5 +++++
>  src/lxc/network.c      | 20 +++++++-------------
>  4 files changed, 12 insertions(+), 28 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index 462217e..4b1f554 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -202,16 +202,6 @@ fi
>  
>  AM_CONDITIONAL([ENABLE_API_DOCS], [test "x$HAVE_DOXYGEN" != "x"])
>  
> -# Openvswitch
> -AC_PATH_PROG([OVS_CTL_PATH],[ovs-vsctl])
> -if test "x$OVS_CTL_PATH" != "x"; then
> -	enable_ovs="yes"
> -	AS_AC_EXPAND(OVS_CTL_PATH, "$OVS_CTL_PATH")
> -else
> -	enable_ovs="no"
> -fi
> -AM_CONDITIONAL([HAVE_OVS], [test "x$enable_ovs" = "xyes"])
> -
>  # Apparmor
>  AC_ARG_ENABLE([apparmor],
>  	[AC_HELP_STRING([--enable-apparmor], [enable apparmor support [default=auto]])],
> @@ -779,7 +769,6 @@ Environment:
>   - rpath: $enable_rpath
>   - GnuTLS: $enable_gnutls
>   - Bash integration: $enable_bash
> - - Openvswitch: $enable_ovs
>  
>  Security features:
>   - Apparmor: $enable_apparmor
> diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
> index f7bc31a..c1a67d6 100644
> --- a/src/lxc/Makefile.am
> +++ b/src/lxc/Makefile.am
> @@ -129,10 +129,6 @@ if ENABLE_APPARMOR
>  AM_CFLAGS += -DHAVE_APPARMOR
>  endif
>  
> -if HAVE_OVS
> -AM_CFLAGS += -DHAVE_OVS -DOVS_CTL_PATH=\"$(OVS_CTL_PATH)\"
> -endif
> -
>  if ENABLE_CGMANAGER
>  AM_CFLAGS += -DHAVE_CGMANAGER
>  endif
> diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
> index 5a1f6db..145a35d 100644
> --- a/src/lxc/lxc_user_nic.c
> +++ b/src/lxc/lxc_user_nic.c
> @@ -590,6 +590,11 @@ int main(int argc, char *argv[])
>  	char *vethname = NULL;
>  	int pid;
>  
> +	/* set a sane path, because we are setuid-root */
> +	if (setenv("PATH", "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 1) < 0) {
> +		fprintf(stderr, "Failed to set PATH, exiting\n");
> +		exit(1);
> +	}
>  	if ((me = get_username()) == NULL) {
>  		fprintf(stderr, "Failed to get username\n");
>  		exit(1);
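Review bot: Only PATH is replaced here; every other variable inherited from the unprivileged caller still reaches whatever this setuid-root program execs (ovs-vsctl via execlp() in the network.c hunk of the same patch). The usual shape for a setuid helper is to drop the inherited environment first and then set the few variables it needs, i.e. `clearenv();` immediately before the `setenv("PATH", ...)` call, re-adding any variable lxc-user-nic itself depends on afterwards; I cannot see from the hunk whether it relies on any. The enclosing main() starts before this hunk and continues past it.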
> diff --git a/src/lxc/network.c b/src/lxc/network.c
> index dfab159..32edfc4 100644
> --- a/src/lxc/network.c
> +++ b/src/lxc/network.c
> @@ -1171,7 +1171,6 @@ int lxc_ipv6_dest_add(int ifindex, struct in6_addr *dest)
>  	return ip_route_dest_add(AF_INET6, ifindex, dest);
>  }
>  
> -#ifdef HAVE_OVS
>  static bool is_ovs_bridge(const char *bridge)
>  {
>  	char brdirname[22 + IFNAMSIZ + 1] = {0};
> @@ -1186,7 +1185,12 @@ static bool is_ovs_bridge(const char *bridge)
>  static int attach_to_ovs_bridge(const char *bridge, const char *nic)
>  {
>  	pid_t pid;
> -	const char *progname;
> +	char *cmd;
> +
> +	cmd = on_path("ovs-vsctl", NULL);
> +	if (!cmd)
> +		return -1;
> +	free(cmd);
>  
>  	pid = fork();
>  	if (pid < 0)
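Review bot: The path that on_path() resolves is freed and discarded right after the NULL check, and the child then performs a second, independent lookup of "ovs-vsctl" through PATH in execlp() (next hunk), so the pre-check and the exec can disagree, and in a caller that does not sanitize PATH the way the lxc_user_nic.c hunk does, the binary run is whatever PATH names at exec time rather than the one just verified. Keeping `cmd` and exec'ing it explicitly removes the second lookup; it then has to be freed in the parent after wait_for_pid() and on fork failure. The `if (execlp(...)) exit(1);` followed by another `exit(1);` can also collapse to a bare exec plus `exit(1)`, since exec only returns on failure. attach_to_ovs_bridge() continues into the next hunk, and the fork-failure return between the two hunks is not visible; the rewrite assumes on_path() returns a malloc'd path or NULL, as the existing free() suggests.
```c
static int attach_to_ovs_bridge(const char *bridge, const char *nic)
{
	pid_t pid;
	char *cmd;
	int ret;

	cmd = on_path("ovs-vsctl", NULL);
	if (!cmd)
		return -1;

	pid = fork();
	if (pid < 0) {
		free(cmd);
		/* … unchanged: existing fork-failure return (not visible in the hunk) … */
	}
	if (pid > 0) {
		ret = wait_for_pid(pid);
		free(cmd);
		return ret;
	}

	/* child: run the path resolved above instead of a second PATH lookup */
	execl(cmd, "ovs-vsctl", "add-port", bridge, nic, NULL);
	exit(1);
}
```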
> @@ -1194,21 +1198,11 @@ static int attach_to_ovs_bridge(const char *bridge, const char *nic)
>  	if (pid > 0)
>  		return wait_for_pid(pid);
>  
> -	progname = strrchr(OVS_CTL_PATH, '/');
> -	if (!progname) // not sane, should we just fail?
> -		progname = OVS_CTL_PATH;
> -	if (execl(OVS_CTL_PATH, progname, "add-port", bridge, nic, NULL))
> +	if (execlp("ovs-vsctl", "ovs-vsctl", "add-port", bridge, nic, NULL))
>  		exit(1);
>  	// not reached
>  	exit(1);
>  }
> -#else
> -static inline bool is_ovs_bridge(const char *bridge) { return false; }
> -static inline int attach_to_ovs_bridge(const char *bridge, const char *nic)
> -{
> -	return -1;
> -}
> -#endif
>  
>  /*
>   * There is a lxc_bridge_attach, but no need of a bridge detach
> -- 
> 2.1.0.rc1
> 

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com