[ovs-dev] rhel: don't drop capabilities when running as root

Message ID f7ty3jw4ldz.fsf@dhcp-25.97.bos.redhat.com
State Accepted
Series
  • [ovs-dev] rhel: don't drop capabilities when running as root

Commit Message

Aaron Conole Feb. 13, 2018, 9:42 p.m.
Currently, regardless of which user is being set as the running user,
Open vSwitch daemons on RHEL systems drop capabilities.  This means the
very powerful CAP_SYS_ADMIN is dropped, even when the user is 'root'.

For the majority of use cases this behavior works, as the user can
enable or disable various configurations, regardless of which datapath
functions are desired.  However, when using certain DPDK PMDs, the
enablement and configuration calls require CAP_SYS_ADMIN.

Instead of retaining CAP_SYS_ADMIN in all cases, which would practically
nullify the uid/gid and privilege drop, we don't pass the --ovs-user
option to the daemons.  This shunts the capability and privilege
dropping code.

Reported-by: Marcos Felipe Schwarz <marcos.f.sch@gmail.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-January/045955.html
Fixes: e3e738a3d058 ("redhat: allow dpdk to also run as non-root user")
Signed-off-by: Aaron Conole <aconole@redhat.com>
---
NOTE: I did test this a little bit on my system, passing packets, etc.
      But more eyes can't be bad.

 rhel/usr_lib_systemd_system_ovs-vswitchd.service.in | 7 ++++---
 rhel/usr_lib_systemd_system_ovsdb-server.service    | 6 ++++--
 2 files changed, 8 insertions(+), 5 deletions(-)

--
2.9.0
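
As an added illustration, not code from this patch or from Open vSwitch: the rule the commit message describes (pass --ovs-user to the daemons only when the configured user is not root, so the capability drop is skipped for root and kept for everyone else) written as POSIX sh functions that can be exercised outside a unit file. It assumes OVS_USER_ID has the `user[:group]` form used in the unit files; the function names, the uid-0 handling and the atomic-write helper are this example's own and go slightly beyond the patch, which compares the user part against the name "root" only.

```shell
# Added example; not part of the patch or of Open vSwitch.
# Assumption: OVS_USER_ID is "user" or "user:group", as in the unit files.

# useropts_for USER_ID
#   Prints the line that would go into the useropts EnvironmentFile:
#   "OVSUSER=--ovs-user=USER_ID" for a non-root user, or an empty
#   "OVSUSER=" so the daemon keeps running as root with its capabilities.
#   Unlike the patch, uid 0 written numerically is treated as root too.
useropts_for() {
    user_id=$1
    user=${user_id%%:*}          # POSIX: drop ':group' if present
    case $user in
        root|0|'') echo "OVSUSER=" ;;
        *)         echo "OVSUSER=--ovs-user=$user_id" ;;
    esac
}

# hugetlbfs_group USER_ID
#   Group to hand /dev/hugepages to for DPDK: the ':group' part when one
#   was given, otherwise the user name (the bare-user case the unit
#   file's ${OVS_USER_ID##*:} expansion ends up in as well).
hugetlbfs_group() {
    user_id=$1
    case $user_id in
        *:*) echo "${user_id##*:}" ;;
        *)   echo "$user_id" ;;
    esac
}

# write_useropts USER_ID FILE
#   Replaces FILE atomically so a concurrent reader never sees a
#   half-written or missing file (a missing file would silently mean
#   "no --ovs-user", i.e. run as root). Assumption: FILE's directory is
#   root-owned and not writable by the daemon user.
write_useropts() {
    tmp="$2.tmp.$$"
    useropts_for "$1" > "$tmp" && mv -f "$tmp" "$2"
}
```

Sourcing this file and running `write_useropts "$OVS_USER_ID" /run/openvswitch/useropts` from a root-owned ExecStartPre produces the same file the patch creates, with the difference that the file always exists, so a consumer can treat its absence as an error instead of defaulting to root.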

Comments

Timothy Redaelli March 20, 2018, 3:56 p.m. | #1
On Tue, 13 Feb 2018 16:42:16 -0500
Aaron Conole <aconole@redhat.com> wrote:

> Currently, regardless of which user is being set as the running user,
> Open vSwitch daemons on RHEL systems drop capabilities.  This means
> the very powerful CAP_SYS_ADMIN is dropped, even when the user is
> 'root'.
> 
> For the majority of use cases this behavior works, as the user can
> enable or disable various configurations, regardless of which datapath
> functions are desired.  However, when using certain DPDK PMDs, the
> enablement and configuration calls require CAP_SYS_ADMIN.
> 
> Instead of retaining CAP_SYS_ADMIN in all cases, which would
> practically nullify the uid/gid and privilege drop, we don't pass the
> --ovs-user option to the daemons.  This shunts the capability and
> privilege dropping code.
> 
> Reported-by: Marcos Felipe Schwarz <marcos.f.sch@gmail.com>
> Reported-at:
> https://mail.openvswitch.org/pipermail/ovs-discuss/2018-January/045955.html
> Fixes: e3e738a3d058 ("redhat: allow dpdk to also run as non-root
> user")
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> ---
> NOTE: I did test this a little bit on my system, passing packets, etc.
>       But more eyes can't be bad.
> 
>  rhel/usr_lib_systemd_system_ovs-vswitchd.service.in | 7 ++++---
>  rhel/usr_lib_systemd_system_ovsdb-server.service    | 6 ++++--
>  2 files changed, 8 insertions(+), 5 deletions(-)
> 

Acked-By: Timothy Redaelli <tredaelli@redhat.com>
Aaron Conole March 27, 2018, 1:26 p.m. | #2
Aaron Conole <aconole@redhat.com> writes:

> Currently, regardless of which user is being set as the running user,
> Open vSwitch daemons on RHEL systems drop capabilities.  This means the
> very powerful CAP_SYS_ADMIN is dropped, even when the user is 'root'.
>
> For the majority of use cases this behavior works, as the user can
> enable or disable various configurations, regardless of which datapath
> functions are desired.  However, when using certain DPDK PMDs, the
> enablement and configuration calls require CAP_SYS_ADMIN.
>
> Instead of retaining CAP_SYS_ADMIN in all cases, which would practically
> nullify the uid/gid and privilege drop, we don't pass the --ovs-user
> option to the daemons.  This shunts the capability and privilege
> dropping code.
>
> Reported-by: Marcos Felipe Schwarz <marcos.f.sch@gmail.com>
> Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-January/045955.html
> Fixes: e3e738a3d058 ("redhat: allow dpdk to also run as non-root user")
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> ---

Ping?
Russell Bryant March 27, 2018, 9:34 p.m. | #3
On Tue, Mar 27, 2018 at 9:26 AM, Aaron Conole <aconole@redhat.com> wrote:
> Aaron Conole <aconole@redhat.com> writes:
>
>> Currently, regardless of which user is being set as the running user,
>> Open vSwitch daemons on RHEL systems drop capabilities.  This means the
>> very powerful CAP_SYS_ADMIN is dropped, even when the user is 'root'.
>>
>> For the majority of use cases this behavior works, as the user can
>> enable or disable various configurations, regardless of which datapath
>> functions are desired.  However, when using certain DPDK PMDs, the
>> enablement and configuration calls require CAP_SYS_ADMIN.
>>
>> Instead of retaining CAP_SYS_ADMIN in all cases, which would practically
>> nullify the uid/gid and privilege drop, we don't pass the --ovs-user
>> option to the daemons.  This shunts the capability and privilege
>> dropping code.
>>
>> Reported-by: Marcos Felipe Schwarz <marcos.f.sch@gmail.com>
>> Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-January/045955.html
>> Fixes: e3e738a3d058 ("redhat: allow dpdk to also run as non-root user")
>> Signed-off-by: Aaron Conole <aconole@redhat.com>
>> ---
>
> Ping?

Applied to master and branch-2.9.

Please continue to CC me on rhel patches like this that have been
reviewed by someone and you feel are ready to be applied.

Thanks,
Aaron Conole March 28, 2018, 9:04 p.m. | #4
Russell Bryant <russell@ovn.org> writes:

> On Tue, Mar 27, 2018 at 9:26 AM, Aaron Conole <aconole@redhat.com> wrote:
>> Aaron Conole <aconole@redhat.com> writes:
>>
>>> Currently, regardless of which user is being set as the running user,
>>> Open vSwitch daemons on RHEL systems drop capabilities.  This means the
>>> very powerful CAP_SYS_ADMIN is dropped, even when the user is 'root'.
>>>
>>> For the majority of use cases this behavior works, as the user can
>>> enable or disable various configurations, regardless of which datapath
>>> functions are desired.  However, when using certain DPDK PMDs, the
>>> enablement and configuration calls require CAP_SYS_ADMIN.
>>>
>>> Instead of retaining CAP_SYS_ADMIN in all cases, which would practically
>>> nullify the uid/gid and privilege drop, we don't pass the --ovs-user
>>> option to the daemons.  This shunts the capability and privilege
>>> dropping code.
>>>
>>> Reported-by: Marcos Felipe Schwarz <marcos.f.sch@gmail.com>
>>> Reported-at:
>>> https://mail.openvswitch.org/pipermail/ovs-discuss/2018-January/045955.html
>>> Fixes: e3e738a3d058 ("redhat: allow dpdk to also run as non-root user")
>>> Signed-off-by: Aaron Conole <aconole@redhat.com>
>>> ---
>>
>> Ping?
>
> Applied to master and branch-2.9.
>
> Please continue to CC me on rhel patches like this that have been
> reviewed by someone and you feel are ready to be applied.

Cool, will do.  Thanks Russell!

> Thanks,

Patch

diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
index c6d9aa1..889740f 100644
--- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
+++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
@@ -13,17 +13,18 @@  Restart=on-failure
 Environment=HOME=/var/run/openvswitch
 EnvironmentFile=/etc/openvswitch/default.conf
 EnvironmentFile=-/etc/sysconfig/openvswitch
+EnvironmentFile=-/run/openvswitch/useropts
 @begin_dpdk@
-ExecStartPre=-/usr/bin/chown :hugetlbfs /dev/hugepages
+ExecStartPre=-/bin/sh -c '/usr/bin/chown :${OVS_USER_ID##*:} /dev/hugepages'
 ExecStartPre=-/usr/bin/chmod 0775 /dev/hugepages
 @end_dpdk@
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
           --no-ovsdb-server --no-monitor --system-id=random \
-          --ovs-user=${OVS_USER_ID} \
+          ${OVSUSER} \
           start $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server stop
 ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server \
           --no-monitor --system-id=random \
-          --ovs-user=${OVS_USER_ID} \
+          ${OVSUSER} \
           restart $OPTIONS
 TimeoutSec=300
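Review bot: the new `EnvironmentFile=-/run/openvswitch/useropts` fails open. The file is only produced by the ovsdb-server unit's ExecStartPre, and the leading `-` makes systemd skip it silently when it is absent, so a vswitchd (re)started before that step has run, or after the file was removed, gets an empty `${OVSUSER}` and starts as root with all capabilities whatever OVS_USER_ID says. Suggest having this unit write the file itself, or always writing it (an empty `OVSUSER=` for root) and dropping the `-` so a missing file is a start failure rather than a silent privilege upgrade. Please also confirm that `${OVS_USER_ID##*:}` in the new chown line reaches the `/bin/sh -c` wrapper untouched rather than being consumed by systemd's own `${...}` expansion; if systemd substitutes it, the command degrades to `chown : /dev/hugepages` and the `-` prefix hides that. Note too that for an OVS_USER_ID without a `:group` part the expansion yields the user name and the chown targets a group of that name.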
diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service
index 234d393..e05742d 100644
--- a/rhel/usr_lib_systemd_system_ovsdb-server.service
+++ b/rhel/usr_lib_systemd_system_ovsdb-server.service
@@ -11,13 +11,15 @@  Restart=on-failure
 EnvironmentFile=/etc/openvswitch/default.conf
 EnvironmentFile=-/etc/sysconfig/openvswitch
 ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch
+ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch/useropts; if [ "${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch/useropts; fi'
+EnvironmentFile=-/run/openvswitch/useropts
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
           --no-ovs-vswitchd --no-monitor --system-id=random \
-          --ovs-user=${OVS_USER_ID} \
+          ${OVSUSER} \
           start $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd stop
 ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd \
-           --ovs-user=${OVS_USER_ID} \
+           ${OVSUSER} \
            --no-monitor restart $OPTIONS
 RuntimeDirectory=openvswitch
 RuntimeDirectoryMode=0755
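Review bot: the new ExecStartPre writes /run/openvswitch/useropts as root into a directory that the preceding line has just chowned to `${OVS_USER_ID}` (mode 0755 per RuntimeDirectoryMode), and the following EnvironmentFile line, plus the vswitchd unit, read that file back on every (re)start. The owner of the directory can remove or replace the file regardless of who owns it, and an absent or emptied file expands `${OVSUSER}` to nothing, so a process running as the non-root OVS user has a route to undo its own privilege drop on the next restart. Suggest keeping useropts somewhere the chown does not cover (its own root-owned RuntimeDirectory or subdirectory). Two smaller points on the same line: `${OVS_USER_ID/:*/}` is a bash pattern substitution, not POSIX, and `${OVS_USER_ID%%:*}` does the same under any /bin/sh; and, as with the vswitchd hunk, it is worth verifying that systemd passes this `${...}` token through to the shell unchanged instead of treating it as a variable lookup, since a wrong expansion here would write `--ovs-user=` unconditionally or never at all.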