From 26e73e11dcf4c59f90dea06fa36749be06202d04 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn@ubuntu.com>
Date: Fri, 22 Aug 2014 20:29:23 +0000
Subject: [PATCH 3/3] Update the openvswitch bridge attach code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

1. don't determine ovs-vsctl path at configure time, do it at runtime

2. lxc-user-nic: set a sane path to protect from unpriv users

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
(cherry picked from commit 6ad22d063aa0fdbd77425acd7f9c9de79e5aff3e)
---
 configure.ac           | 11 -----------
 src/lxc/Makefile.am    |  4 ----
 src/lxc/lxc_user_nic.c |  5 +++++
 src/lxc/network.c      | 20 +++++++-------------
 4 files changed, 12 insertions(+), 28 deletions(-)

diff --git a/configure.ac b/configure.ac
index e0efae7..6ec5740 100644
--- a/configure.ac
+++ b/configure.ac
@@ -192,16 +192,6 @@ fi
 
 AM_CONDITIONAL([ENABLE_API_DOCS], [test "x$HAVE_DOXYGEN" != "x"])
 
-# Openvswitch
-AC_PATH_PROG([OVS_CTL_PATH],[ovs-vsctl])
-if test "x$OVS_CTL_PATH" != "x"; then
-	enable_ovs="yes"
-	AS_AC_EXPAND(OVS_CTL_PATH, "$OVS_CTL_PATH")
-else
-	enable_ovs="no"
-fi
-AM_CONDITIONAL([HAVE_OVS], [test "x$enable_ovs" = "xyes"])
-
 # Apparmor
 AC_ARG_ENABLE([apparmor],
 	[AC_HELP_STRING([--enable-apparmor], [enable apparmor support [default=auto]])],
@@ -750,7 +740,6 @@ Environment:
  - rpath: $enable_rpath
  - GnuTLS: $enable_gnutls
  - Bash integration: $enable_bash
- - Openvswitch: $enable_ovs
 
 Security features:
  - Apparmor: $enable_apparmor
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index ddeb37e..92841aa 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -129,10 +129,6 @@ if ENABLE_APPARMOR
 AM_CFLAGS += -DHAVE_APPARMOR
 endif
 
-if HAVE_OVS
-AM_CFLAGS += -DHAVE_OVS -DOVS_CTL_PATH=\"$(OVS_CTL_PATH)\"
-endif
-
 if ENABLE_CGMANAGER
 AM_CFLAGS += -DHAVE_CGMANAGER
 endif
diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
index 64e9d1a..b2a583c 100644
--- a/src/lxc/lxc_user_nic.c
+++ b/src/lxc/lxc_user_nic.c
@@ -590,6 +590,11 @@ int main(int argc, char *argv[])
 	char *vethname = NULL;
 	int pid;
 
+	/* set a sane path, because we are setuid-root */
+	if (setenv("PATH", "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 1) < 0) {
+		fprintf(stderr, "Failed to set PATH, exiting\n");
+		exit(1);
+	}
 	if ((me = get_username()) == NULL) {
 		fprintf(stderr, "Failed to get username\n");
 		exit(1);
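Review bot: The added `setenv("PATH", ...)` fixes only one variable of an environment that is otherwise inherited unchanged from the unprivileged caller of this setuid-root binary, so other caller-controlled variables still reach every child that lxc-user-nic spawns. The usual hardening for a setuid helper is to start from an empty environment and add back only what is needed, i.e. `clearenv();` immediately before the new `setenv`, with the existing error exit covering the `setenv` failure. The comment `/* set a sane path, because we are setuid-root */` would then read more accurately as `/* reset the environment: we are setuid-root and later exec helpers by name */`. The enclosing `main()` begins before this hunk, so whether anything earlier already sanitises the environment cannot be seen here.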
diff --git a/src/lxc/network.c b/src/lxc/network.c
index dfab159..32edfc4 100644
--- a/src/lxc/network.c
+++ b/src/lxc/network.c
@@ -1171,7 +1171,6 @@ int lxc_ipv6_dest_add(int ifindex, struct in6_addr *dest)
 	return ip_route_dest_add(AF_INET6, ifindex, dest);
 }
 
-#ifdef HAVE_OVS
 static bool is_ovs_bridge(const char *bridge)
 {
 	char brdirname[22 + IFNAMSIZ + 1] = {0};
@@ -1186,7 +1185,12 @@ static bool is_ovs_bridge(const char *bridge)
 static int attach_to_ovs_bridge(const char *bridge, const char *nic)
 {
 	pid_t pid;
-	const char *progname;
+	char *cmd;
+
+	cmd = on_path("ovs-vsctl");
+	if (!cmd)
+		return -1;
+	free(cmd);
 
 	pid = fork();
 	if (pid < 0)
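Review bot: The path returned by `on_path("ovs-vsctl")` is freed immediately on the line after the NULL check, and the child in the next hunk then repeats the lookup with `execlp("ovs-vsctl", ...)`; the pre-check and the exec can therefore resolve different binaries (PATH changes, or a differing search in `on_path` versus libc), and the check guarantees nothing about what is executed. Keeping `cmd` alive across the fork and handing it to `execl()` makes the single resolved absolute path the one that runs, with the parent freeing it after `wait_for_pid`; this assumes `on_path` returns a malloc'd absolute path, which the `free(cmd)` suggests but the hunk does not show. The `pid < 0` branch lies in the gap between this hunk and the next, so it would need the same `free(cmd)` before returning. The function continues into the following hunk.
```c
	cmd = on_path("ovs-vsctl");
	if (!cmd)
		return -1;

	pid = fork();
	/* … unchanged: pid < 0 error return (add free(cmd) there) … */
	if (pid > 0) {
		int ret = wait_for_pid(pid);
		free(cmd);
		return ret;
	}

	/* child: run the path resolved above instead of a second PATH search */
	execl(cmd, "ovs-vsctl", "add-port", bridge, nic, (char *)NULL);
	_exit(1);
```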
@@ -1194,21 +1198,11 @@ static int attach_to_ovs_bridge(const char *bridge, const char *nic)
 	if (pid > 0)
 		return wait_for_pid(pid);
 
-	progname = strrchr(OVS_CTL_PATH, '/');
-	if (!progname) // not sane, should we just fail?
-		progname = OVS_CTL_PATH;
-	if (execl(OVS_CTL_PATH, progname, "add-port", bridge, nic, NULL))
+	if (execlp("ovs-vsctl", "ovs-vsctl", "add-port", bridge, nic, NULL))
 		exit(1);
 	// not reached
 	exit(1);
 }
-#else
-static inline bool is_ovs_bridge(const char *bridge) { return false; }
-static inline int attach_to_ovs_bridge(const char *bridge, const char *nic)
-{
-	return -1;
-}
-#endif
 
 /*
  * There is a lxc_bridge_attach, but no need of a bridge detach
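Review bot: The child calls `exit(1)` when `execlp` fails, which runs the parent's `atexit` handlers and flushes stdio buffers inherited across `fork()` a second time; a forked child that fails to exec should leave with `_exit(1)` (needs `<unistd.h>`, which `execlp` already requires). Since `execlp` only ever returns on failure, the `if (execlp(...)) exit(1);` plus the `// not reached` fallthrough can collapse to `execlp("ovs-vsctl", "ovs-vsctl", "add-port", bridge, nic, (char *)NULL); _exit(1);`, and passing `(char *)NULL` as the terminator avoids relying on `NULL` being pointer-sized in a variadic call. With the `#else` stubs removed, `is_ovs_bridge` and `attach_to_ovs_bridge` are now compiled unconditionally, so the exec failure path also covers hosts without ovs-vsctl installed and is worth a log line before the `_exit`.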
-- 
2.1.2