From patchwork Fri Jun 3 02:47:33 2016
X-Patchwork-Submitter: Ansis Atteka
X-Patchwork-Id: 629594
From: Ansis Atteka
To: dev@openvswitch.org
Cc: Ansis Atteka
Date: Thu, 2 Jun 2016 19:47:33 -0700
Subject: [ovs-dev] [PATCH] bridge: allow OVS to connect to Unix Domain Sockets outside its run directory
Message-Id: <1464922053-30254-1-git-send-email-aatteka@ovn.org>
X-Mailer: git-send-email 2.7.4

Before this patch OVS refused to connect to a local controller that had its Unix Domain Socket outside the Open vSwitch run directory (e.g. outside '/var/run/openvswitch/'). After this patch this restriction imposed by Open vSwitch itself is abandoned and OVS should be able to connect to a controller's Unix Domain Socket anywhere under the filesystem.

Note that, if the process is running as the 'root' user and is acting as a client, then it is effectively bypassing all access control restrictions imposed by Unix Discretionary Access Control (because root does not care who owns the UNIX domain socket).

The security precautions that should be taken into account after this patch are that the directory under which the controller will create its server socket and to which OVS will be told to connect should not be: 1. writable by "everyone" (i.e. o+w); OR 2.
writable by "group" (g+w) to which an untrusted user belongs; OR 3. owned by an untrusted "user". Otherwise, a malicious process could create its own Unix Domain Socket and trick Open vSwitch into connecting to it. Nevertheless, this should not be a big concern, because the same issue is already present in TCP mode (e.g. tcp:127.0.0.1:6632), which would not obey any Unix Discretionary Access restrictions anyway.

VMware-BZ: #1525857
---
 lib/vconn-active.man |  3 +++
 vswitchd/bridge.c    | 61 ++++++++++++++++------------------------------------
 2 files changed, 22 insertions(+), 42 deletions(-)

diff --git a/lib/vconn-active.man b/lib/vconn-active.man index 252438d..6b5fce9 100644 --- a/lib/vconn-active.man +++ b/lib/vconn-active.man @@ -10,5 +10,8 @@ If \fIport\fR is not specified, it defaults to 6653. .TP \fBunix:\fIfile\fR On POSIX, a Unix domain server socket named \fIfile\fR. +For best security practices ensure that directory under +which \fIfile\fR resides is accessible only for trusted +users (as minimum o+w should not be set). .IP On Windows, a localhost TCP port written in \fIfile\fR. diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c index 41ec4ba..72947b3 100644 --- a/vswitchd/bridge.c +++ b/vswitchd/bridge.c
@@ -3558,49 +3558,26 @@ bridge_configure_remotes(struct bridge *br, for (i = 0; i < n_controllers; i++) { struct ovsrec_controller *c = controllers[i]; - if (!strncmp(c->target, "punix:", 6) - || !strncmp(c->target, "unix:", 5)) { + if (!strncmp(c->target, "punix:", 6)) { static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 5); - char *whitelist; - - if (!strncmp(c->target, "unix:", 5)) { - /* Connect to a listening socket */ - whitelist = xasprintf("unix:%s/", ovs_rundir()); - if (strchr(c->target, '/') && - !equal_pathnames(c->target, whitelist, - strlen(whitelist))) { - /* Absolute path specified, but not in ovs_rundir */ - VLOG_ERR_RL(&rl, "bridge %s: Not connecting to socket " - "controller \"%s\" due to possibility for " - "remote exploit. Instead, specify socket " - "in whitelisted \"%s\" or connect to " - "\"unix:%s/%s.mgmt\" (which is always " - "available without special configuration).", - br->name, c->target, whitelist, - ovs_rundir(), br->name); - free(whitelist); - continue; - } - } else { - whitelist = xasprintf("punix:%s/%s.", - ovs_rundir(), br->name); - if (!equal_pathnames(c->target, whitelist, strlen(whitelist)) - || strchr(c->target + strlen(whitelist), '/')) { - /* Prevent remote ovsdb-server users from accessing - * arbitrary Unix domain sockets and overwriting arbitrary - * local files. */ - VLOG_ERR_RL(&rl, "bridge %s: Not adding Unix domain socket " - "controller \"%s\" due to possibility of " - "overwriting local files. 
Instead, specify " - "path in whitelisted format \"%s*\" or " - "connect to \"unix:%s/%s.mgmt\" (which is " - "always available without special " - "configuration).", - br->name, c->target, whitelist, - ovs_rundir(), br->name); - free(whitelist); - continue; - } + char *whitelist = xasprintf("punix:%s/%s.", ovs_rundir(), + br->name); + if (!equal_pathnames(c->target, whitelist, strlen(whitelist)) + || strchr(c->target + strlen(whitelist), '/')) { + /* Prevent remote ovsdb-server users from accessing + * arbitrary Unix domain sockets and overwriting arbitrary + * local files. */ + VLOG_ERR_RL(&rl, "bridge %s: Not adding Unix domain socket " + "controller \"%s\" due to possibility of " + "overwriting local files. Instead, specify " + "path in whitelisted format \"%s*\" or " + "connect to \"unix:%s/%s.mgmt\" (which is " + "always available without special " + "configuration).", + br->name, c->target, whitelist, + ovs_rundir(), br->name); + free(whitelist); + continue; } free(whitelist);
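Review bot: the sentence added to lib/vconn-active.man documents only one of the three conditions the commit message lists (o+w), so an operator who follows the man page alone could still place the socket in a directory that is group-writable for an untrusted group or owned by an untrusted user. Suggest stating all three there, and fixing the grammar of the current wording, e.g. "ensure that the directory under which \fIfile\fR resides is not writable by other users (o+w), not writable by a group that contains untrusted users (g+w), and not owned by an untrusted user." It would also be worth carrying over the commit message's point that a root client bypasses the socket's own ownership checks, since that is the reason the directory permissions matter at all.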
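Review bot: with the "unix:" branch deleted from bridge_configure_remotes(), nothing tells an operator that a controller target lies outside ovs_rundir() any more, although the commit message makes the safety of that configuration depend entirely on the permissions of that directory. Consider keeping a rate-limited VLOG_WARN_RL for a "unix:" target whose path is not under ovs_rundir() (the removed strchr(c->target, '/') / equal_pathnames() test already computed exactly that), so the relaxed behaviour is visible in the logs without blocking the connection. The removed message also called this out as a "possibility for remote exploit", so a NEWS entry or a sentence in the commit message saying that OVS no longer enforces the whitelist for "unix:" targets would help anyone auditing the change later.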
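The three directory conditions from the commit message (not world-writable, not group-writable for a group containing untrusted users, not owned by an untrusted user), written out as a check a deployment could run before pointing OVS at a "unix:" controller socket. This is an added example and not part of the patch or of Open vSwitch; socket_dir_is_trusted(), struct trust_policy and run_scenarios() are this example's own names, and the lists of trusted uids and gids are assumed to be supplied by the caller.

```c
/* Added example, not part of the OVS patch: checks the directory that holds a
 * Unix domain socket against the three conditions listed in the commit
 * message. All names below are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Caller-supplied policy: which uids and gids count as trusted (hypothetical;
 * OVS has no such configuration). */
struct trust_policy {
    const uid_t *uids; size_t n_uids;
    const gid_t *gids; size_t n_gids;
};

static int uid_trusted(const struct trust_policy *p, uid_t uid)
{
    for (size_t i = 0; i < p->n_uids; i++) if (p->uids[i] == uid) return 1;
    return 0;
}

static int gid_trusted(const struct trust_policy *p, gid_t gid)
{
    for (size_t i = 0; i < p->n_gids; i++) if (p->gids[i] == gid) return 1;
    return 0;
}

/* Copies the directory part of 'path' into 'out' ("." when there is no slash). */
static void parent_dir(const char *path, char *out, size_t out_len)
{
    const char *slash = strrchr(path, '/');
    size_t n = slash ? (size_t) (slash - path) : 0;
    if (n == 0) { snprintf(out, out_len, "%s", slash ? "/" : "."); return; }
    if (n >= out_len) n = out_len - 1;
    memcpy(out, path, n);
    out[n] = '\0';
}

/* Returns 1 if the socket's directory satisfies all three conditions, 0 if
 * one of them fails, -1 if the directory cannot be examined. */
int socket_dir_is_trusted(const char *sock_path, const struct trust_policy *p,
                          const char **reason)
{
    char dir[4096];
    struct stat st;

    parent_dir(sock_path, dir, sizeof dir);
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) {
        *reason = "directory missing or not a directory";
        return -1;
    }
    /* 1. Writable by everyone: any local user could create the socket name
     *    first (a sticky bit only protects names that already exist). */
    if (st.st_mode & S_IWOTH) { *reason = "directory is world-writable (o+w)"; return 0; }
    /* 2. Writable by a group that contains untrusted users. */
    if ((st.st_mode & S_IWGRP) && !gid_trusted(p, st.st_gid)) {
        *reason = "directory is group-writable (g+w) for an untrusted group"; return 0;
    }
    /* 3. Owned by an untrusted user (the owner can always chmod the directory). */
    if (!uid_trusted(p, st.st_uid)) { *reason = "directory owner is untrusted"; return 0; }
    *reason = "ok";
    return 1;
}

/* Runs the check over a scratch directory whose mode is varied; returns 0 when
 * every scenario gives the expected verdict, otherwise the failing scenario. */
int run_scenarios(void)
{
    char dir[128], sock[160];
    const char *why = "";
    uid_t me = getuid(); gid_t mine = getgid();
    uid_t other_uid = me + 1; gid_t other_gid = mine + 1;  /* constructed, untrusted ids */
    struct trust_policy trust_me = { &me, 1, &mine, 1 };
    struct trust_policy trust_other = { &other_uid, 1, &other_gid, 1 };
    int failed = 0;

    snprintf(dir, sizeof dir, "/tmp/sockdir_example_%ld", (long) getpid());
    if (mkdir(dir, 0700) != 0) {                      /* fall back to the cwd */
        snprintf(dir, sizeof dir, "sockdir_example_%ld", (long) getpid());
        if (mkdir(dir, 0700) != 0) return -1;
    }
    snprintf(sock, sizeof sock, "%s/controller.sock", dir);

    if (socket_dir_is_trusted(sock, &trust_me, &why) != 1) failed = 1;          /* 0700, ours */
    else if (chmod(dir, 0777) != 0 || socket_dir_is_trusted(sock, &trust_me, &why) != 0) failed = 2;    /* o+w */
    else if (chmod(dir, 0770) != 0 || socket_dir_is_trusted(sock, &trust_other, &why) != 0) failed = 3; /* g+w, untrusted group */
    else if (socket_dir_is_trusted(sock, &trust_me, &why) != 1) failed = 4;     /* g+w, trusted group */
    else if (chmod(dir, 0700) != 0 || socket_dir_is_trusted(sock, &trust_other, &why) != 0) failed = 5; /* untrusted owner */
    else if (socket_dir_is_trusted("/nonexistent_dir_example/x.sock", &trust_me, &why) != -1) failed = 6;

    if (failed) fprintf(stderr, "scenario %d gave an unexpected verdict: %s\n", failed, why);
    rmdir(dir);
    return failed;
}

int main(void)
{
    int r = run_scenarios();
    printf("%s\n", r == 0 ? "all scenarios behaved as expected" : "a scenario failed");
    return r != 0;
}
```

The check is deliberately stricter than the man page text in the patch, which mentions only o+w: a world-writable directory is rejected even with the sticky bit set, because the sticky bit does not stop a local user from creating the socket name before the controller does.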