
[ovs-dev,1/1] daemon-unix: Support OVS-DPDK HW offloads for non-root user

Message ID 20200915104535.143393-1-ameerm@nvidia.com
State Rejected

Commit Message

Ameer Mahagneh Sept. 15, 2020, 10:45 a.m. UTC
For security reasons only root or privileged user can allocate Interconnect
Context Memory (ICM). Add this capability for vendors that require ICM
allocation when applying DPDK rte flows.

Signed-off-by: Ameer Mahagneh <ameerm@nvidia.com>
Acked-by: Eli Britstein <elibr@nvidia.com>
---
 lib/daemon-unix.c | 1 +
 1 file changed, 1 insertion(+)

Comments

David Marchand Sept. 16, 2020, 4:23 p.m. UTC | #1
On Tue, Sep 15, 2020 at 12:52 PM Ameer Mahagneh <ameerm@nvidia.com> wrote:
>
> For security reasons only root or privileged user can allocate Interconnect
> Context Memory (ICM). Add this capability for vendors that require ICM
> allocation when applying DPDK rte flows.
>
> Signed-off-by: Ameer Mahagneh <ameerm@nvidia.com>
> Acked-by: Eli Britstein <elibr@nvidia.com>
> ---
>  lib/daemon-unix.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/lib/daemon-unix.c b/lib/daemon-unix.c
> index ae59ecf2c..d32a60657 100644
> --- a/lib/daemon-unix.c
> +++ b/lib/daemon-unix.c
> @@ -820,6 +820,7 @@ daemon_become_new_user_linux(bool access_datapath OVS_UNUSED)
>              if (access_datapath && !ret) {
>                  ret = capng_update(CAPNG_ADD, cap_sets, CAP_NET_ADMIN)
>                        || capng_update(CAPNG_ADD, cap_sets, CAP_NET_RAW)
> +                      || capng_update(CAPNG_ADD, cap_sets, CAP_SYS_RAWIO)
>                        || capng_update(CAPNG_ADD, cap_sets, CAP_NET_BROADCAST);
>              }
>          } else {

This patch seems incomplete: the manual is not updated and I would
expect some changes in the selinux policy files.
Aaron Conole Sept. 16, 2020, 8:05 p.m. UTC | #2
David Marchand <david.marchand@redhat.com> writes:

> On Tue, Sep 15, 2020 at 12:52 PM Ameer Mahagneh <ameerm@nvidia.com> wrote:
>>
>> For security reasons only root or privileged user can allocate Interconnect
>> Context Memory (ICM). Add this capability for vendors that require ICM
>> allocation when applying DPDK rte flows.
>>
>> Signed-off-by: Ameer Mahagneh <ameerm@nvidia.com>
>> Acked-by: Eli Britstein <elibr@nvidia.com>
>> ---

Why is this needed?  SYS_RAWIO is extremely privileged and means that
there is no point even in dropping privs or changing UID - the process
with these caps is allowed to alter anything, map /dev/mem and
/dev/kmem, etc.

Is there really no other way of doing this?  This feels somewhat like a
security regression rather than an improvement.  NOTE that we cannot
even use an LSM to protect against this - sys_rawio is able to perform
operations that can subvert LSMs.

>>  lib/daemon-unix.c | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/lib/daemon-unix.c b/lib/daemon-unix.c
>> index ae59ecf2c..d32a60657 100644
>> --- a/lib/daemon-unix.c
>> +++ b/lib/daemon-unix.c
>> @@ -820,6 +820,7 @@ daemon_become_new_user_linux(bool access_datapath OVS_UNUSED)
>>              if (access_datapath && !ret) {
>>                  ret = capng_update(CAPNG_ADD, cap_sets, CAP_NET_ADMIN)
>>                        || capng_update(CAPNG_ADD, cap_sets, CAP_NET_RAW)
>> +                      || capng_update(CAPNG_ADD, cap_sets, CAP_SYS_RAWIO)
>>                        || capng_update(CAPNG_ADD, cap_sets, CAP_NET_BROADCAST);
>>              }
>>          } else {
>
> This patch seems incomplete: the manual is not updated and I would
> expect some changes in the selinux policy files.
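An added operator check, not part of the patch or of this thread: it decodes the CapEff mask that /proc/<pid>/status reports for a running process and says which of the capabilities named in the hunk the daemon still holds after dropping root, so a deployment can verify whether a non-root ovs-vswitchd has ended up with CAP_SYS_RAWIO. The bit numbers are the kernel's from linux/capability.h; the masks used below are constructed for illustration.

```shell
# Capability bit numbers as defined in linux/capability.h.
CAP_NET_BROADCAST=11
CAP_NET_ADMIN=12
CAP_NET_RAW=13
CAP_SYS_RAWIO=17

# cap_has MASK_HEX BIT -> succeeds if BIT is set in the hex mask.
# MASK_HEX is the CapEff value as printed by /proc/<pid>/status
# (optionally with a 0x prefix).
cap_has() {
    mask=$(( 0x${1#0x} ))
    [ $(( (mask >> $2) & 1 )) -eq 1 ]
}

# cap_report MASK_HEX -> prints one line per capability of interest.
# Returns 1 if CAP_SYS_RAWIO is retained (the privilege drop is then
# largely ineffective), 0 otherwise.
cap_report() {
    rc=0
    for entry in NET_BROADCAST:$CAP_NET_BROADCAST NET_ADMIN:$CAP_NET_ADMIN \
                 NET_RAW:$CAP_NET_RAW SYS_RAWIO:$CAP_SYS_RAWIO; do
        name=${entry%%:*}
        bit=${entry#*:}
        if cap_has "$1" "$bit"; then
            echo "CAP_$name: retained"
            if [ "$name" = SYS_RAWIO ]; then rc=1; fi
        else
            echo "CAP_$name: dropped"
        fi
    done
    return $rc
}

# cap_report_pid PID -> reads CapEff from /proc/PID/status and reports.
cap_report_pid() {
    mask=$(awk '/^CapEff:/ { print $2 }' "/proc/$1/status") || return 2
    cap_report "$mask"
}

# Constructed masks: the three network capabilities the code kept before
# this patch (bits 11,12,13 = 0x3800) and the same set plus CAP_SYS_RAWIO
# (bit 17 added = 0x23800).
BEFORE_PATCH_MASK=0000000000003800
AFTER_PATCH_MASK=0000000000023800
```

Run `cap_report_pid "$(pidof ovs-vswitchd)"` on a host to inspect the live daemon; a non-zero exit means raw I/O access was kept.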

Patch

diff --git a/lib/daemon-unix.c b/lib/daemon-unix.c
index ae59ecf2c..d32a60657 100644
--- a/lib/daemon-unix.c
+++ b/lib/daemon-unix.c
@@ -820,6 +820,7 @@  daemon_become_new_user_linux(bool access_datapath OVS_UNUSED)
             if (access_datapath && !ret) {
                 ret = capng_update(CAPNG_ADD, cap_sets, CAP_NET_ADMIN)
                       || capng_update(CAPNG_ADD, cap_sets, CAP_NET_RAW)
+                      || capng_update(CAPNG_ADD, cap_sets, CAP_SYS_RAWIO)
                       || capng_update(CAPNG_ADD, cap_sets, CAP_NET_BROADCAST);
             }
         } else {
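Review bot: the added `|| capng_update(CAPNG_ADD, cap_sets, CAP_SYS_RAWIO)` sits inside `if (access_datapath && !ret)`, so every non-root daemon that is allowed to access the datapath keeps CAP_SYS_RAWIO, not only those on hosts whose NIC needs ICM allocation for rte_flow offloads; for everyone else the privilege drop gets much weaker while buying nothing. Consider gating this call behind an explicit opt-in or a runtime check for the vendor driver that requires it, and updating the documentation of which capabilities the daemon retains (and the SELinux policy, as already raised in review) in the same series, since nothing else in this patch tells an operator that the daemon now keeps raw I/O access.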