From patchwork Tue Feb 13 21:42:16 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Aaron Conole <aconole@redhat.com>
X-Patchwork-Id: 873183
Return-Path: <ovs-dev-bounces@openvswitch.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=pass (mailfrom) smtp.mailfrom=openvswitch.org
	(client-ip=140.211.169.12; helo=mail.linuxfoundation.org;
	envelope-from=ovs-dev-bounces@openvswitch.org;
	receiver=<UNKNOWN>)
Received: from mail.linuxfoundation.org (mail.linuxfoundation.org
	[140.211.169.12])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 3zgwxD58P9z9t3F
	for <incoming@patchwork.ozlabs.org>;
	Wed, 14 Feb 2018 08:42:23 +1100 (AEDT)
Received: from mail.linux-foundation.org (localhost [127.0.0.1])
	by mail.linuxfoundation.org (Postfix) with ESMTP id A69D3FFE;
	Tue, 13 Feb 2018 21:42:21 +0000 (UTC)
X-Original-To: dev@openvswitch.org
Delivered-To: ovs-dev@mail.linuxfoundation.org
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 6F2E3FF7
	for <dev@openvswitch.org>; Tue, 13 Feb 2018 21:42:20 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 176F81C0
	for <dev@openvswitch.org>; Tue, 13 Feb 2018 21:42:19 +0000 (UTC)
Received: from smtp.corp.redhat.com
	(int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 199E0402290A;
	Tue, 13 Feb 2018 21:42:18 +0000 (UTC)
Received: from dhcp-25.97.bos.redhat.com (unknown [10.18.25.61])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 902FC2026DFD;
	Tue, 13 Feb 2018 21:42:17 +0000 (UTC)
From: Aaron Conole <aconole@redhat.com>
To: dev@openvswitch.org
Date: Tue, 13 Feb 2018 16:42:16 -0500
Message-ID: <f7ty3jw4ldz.fsf@dhcp-25.97.bos.redhat.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.0.90 (gnu/linux)
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
	(mx1.redhat.com [10.11.55.6]);
	Tue, 13 Feb 2018 21:42:18 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com
	[10.11.55.6]);
	Tue, 13 Feb 2018 21:42:18 +0000 (UTC) for IP:'10.11.54.4'
	DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com'
	HELO:'smtp.corp.redhat.com' FROM:'aconole@redhat.com' RCPT:''
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_LOW,
	T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: Marcos Felipe Schwarz <marcos.f.sch@gmail.com>
Subject: [ovs-dev] [PATCH] rhel: don't drop capabilities when running as root
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <ovs-dev.openvswitch.org>
List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>,
	<mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>
List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/>
List-Post: <mailto:ovs-dev@openvswitch.org>
List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help>
List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,
	<mailto:ovs-dev-request@openvswitch.org?subject=subscribe>
Sender: ovs-dev-bounces@openvswitch.org
Errors-To: ovs-dev-bounces@openvswitch.org

Currently, regardless of which user is being set as the running user,
Open vSwitch daemons on RHEL systems drop capabilities.  This means the
very powerful CAP_SYS_ADMIN is dropped, even when the user is 'root'.

For the majority of use cases this behavior works, as the user can
enable or disable various configurations, regardless of which datapath
functions are desired.  However, when using certain DPDK PMDs, the
enablement and configuration calls require CAP_SYS_ADMIN.

Instead of retaining CAP_SYS_ADMIN in all cases, which would practically
nullify the uid/gid and privilege drop, we don't pass the --ovs-user
option to the daemons.  This shunts the capability and privilege
dropping code.

Reported-by: Marcos Felipe Schwarz <marcos.f.sch@gmail.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-January/045955.html
Fixes: e3e738a3d058 ("redhat: allow dpdk to also run as non-root user")
Signed-off-by: Aaron Conole <aconole@redhat.com>
Acked-By: Timothy Redaelli <tredaelli@redhat.com>
---
NOTE: I did test this a little bit on my system, passing packets, etc.
      But more eyes can't be bad.

 rhel/usr_lib_systemd_system_ovs-vswitchd.service.in | 7 ++++---
 rhel/usr_lib_systemd_system_ovsdb-server.service    | 6 ++++--
 2 files changed, 8 insertions(+), 5 deletions(-)

--
2.9.0

diff --git a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
index c6d9aa1..889740f 100644
--- a/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
+++ b/rhel/usr_lib_systemd_system_ovs-vswitchd.service.in
@@ -13,17 +13,18 @@ Restart=on-failure
 Environment=HOME=/var/run/openvswitch
 EnvironmentFile=/etc/openvswitch/default.conf
 EnvironmentFile=-/etc/sysconfig/openvswitch
+EnvironmentFile=-/run/openvswitch/useropts
 @begin_dpdk@
-ExecStartPre=-/usr/bin/chown :hugetlbfs /dev/hugepages
+ExecStartPre=-/bin/sh -c '/usr/bin/chown :${OVS_USER_ID##*:} /dev/hugepages'
 ExecStartPre=-/usr/bin/chmod 0775 /dev/hugepages
 @end_dpdk@
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
           --no-ovsdb-server --no-monitor --system-id=random \
-          --ovs-user=${OVS_USER_ID} \
+          ${OVSUSER} \
           start $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server stop
 ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovsdb-server \
           --no-monitor --system-id=random \
-          --ovs-user=${OVS_USER_ID} \
+          ${OVSUSER} \
           restart $OPTIONS
 TimeoutSec=300
diff --git a/rhel/usr_lib_systemd_system_ovsdb-server.service b/rhel/usr_lib_systemd_system_ovsdb-server.service
index 234d393..e05742d 100644
--- a/rhel/usr_lib_systemd_system_ovsdb-server.service
+++ b/rhel/usr_lib_systemd_system_ovsdb-server.service
@@ -11,13 +11,15 @@ Restart=on-failure
 EnvironmentFile=/etc/openvswitch/default.conf
 EnvironmentFile=-/etc/sysconfig/openvswitch
 ExecStartPre=/usr/bin/chown ${OVS_USER_ID} /var/run/openvswitch
+ExecStartPre=/bin/sh -c 'rm -f /run/openvswitch/useropts; if [ "${OVS_USER_ID/:*/}" != "root" ]; then /usr/bin/echo "OVSUSER=--ovs-user=${OVS_USER_ID}" > /run/openvswitch/useropts; fi'
+EnvironmentFile=-/run/openvswitch/useropts
 ExecStart=/usr/share/openvswitch/scripts/ovs-ctl \
           --no-ovs-vswitchd --no-monitor --system-id=random \
-          --ovs-user=${OVS_USER_ID} \
+          ${OVSUSER} \
           start $OPTIONS
 ExecStop=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd stop
 ExecReload=/usr/share/openvswitch/scripts/ovs-ctl --no-ovs-vswitchd \
-           --ovs-user=${OVS_USER_ID} \
+           ${OVSUSER} \
            --no-monitor restart $OPTIONS
 RuntimeDirectory=openvswitch
 RuntimeDirectoryMode=0755