From 26e73e11dcf4c59f90dea06fa36749be06202d04 Mon Sep 17 00:00:00 2001 From: Serge Hallyn Date: Fri, 22 Aug 2014 20:29:23 +0000 Subject: [PATCH 3/3] Update the openvswitch bridge attach code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1. don't determine ovs-vsctl path at configure time, do it at runtime 2. lxc-user-nic: set a sane path to protect from unpriv users Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber (cherry picked from commit 6ad22d063aa0fdbd77425acd7f9c9de79e5aff3e) --- configure.ac | 11 ----------- src/lxc/Makefile.am | 4 ---- src/lxc/lxc_user_nic.c | 5 +++++ src/lxc/network.c | 20 +++++++------------- 4 files changed, 12 insertions(+), 28 deletions(-) diff --git a/configure.ac b/configure.ac index e0efae7..6ec5740 100644 --- a/configure.ac +++ b/configure.ac @@ -192,16 +192,6 @@ fi AM_CONDITIONAL([ENABLE_API_DOCS], [test "x$HAVE_DOXYGEN" != "x"]) -# Openvswitch -AC_PATH_PROG([OVS_CTL_PATH],[ovs-vsctl]) -if test "x$OVS_CTL_PATH" != "x"; then - enable_ovs="yes" - AS_AC_EXPAND(OVS_CTL_PATH, "$OVS_CTL_PATH") -else - enable_ovs="no" -fi -AM_CONDITIONAL([HAVE_OVS], [test "x$enable_ovs" = "xyes"]) - # Apparmor AC_ARG_ENABLE([apparmor], [AC_HELP_STRING([--enable-apparmor], [enable apparmor support [default=auto]])], @@ -750,7 +740,6 @@ Environment: - rpath: $enable_rpath - GnuTLS: $enable_gnutls - Bash integration: $enable_bash - - Openvswitch: $enable_ovs Security features: - Apparmor: $enable_apparmor diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index ddeb37e..92841aa 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -129,10 +129,6 @@ if ENABLE_APPARMOR AM_CFLAGS += -DHAVE_APPARMOR endif -if HAVE_OVS -AM_CFLAGS += -DHAVE_OVS -DOVS_CTL_PATH=\"$(OVS_CTL_PATH)\" -endif - if ENABLE_CGMANAGER AM_CFLAGS += -DHAVE_CGMANAGER endif diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c index 64e9d1a..b2a583c 100644 --- a/src/lxc/lxc_user_nic.c +++ b/src/lxc/lxc_user_nic.c 
@@ -590,6 +590,11 @@ int main(int argc, char *argv[]) char *vethname = NULL; int pid; + /* set a sane path, because we are setuid-root */ + if (setenv("PATH", "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 1) < 0) { + fprintf(stderr, "Failed to set PATH, exiting\n"); + exit(1); + } if ((me = get_username()) == NULL) { fprintf(stderr, "Failed to get username\n"); exit(1); diff --git a/src/lxc/network.c b/src/lxc/network.c index dfab159..32edfc4 100644 --- a/src/lxc/network.c +++ b/src/lxc/network.c @@ -1171,7 +1171,6 @@ int lxc_ipv6_dest_add(int ifindex, struct in6_addr *dest) return ip_route_dest_add(AF_INET6, ifindex, dest); } -#ifdef HAVE_OVS static bool is_ovs_bridge(const char *bridge) { char brdirname[22 + IFNAMSIZ + 1] = {0}; @@ -1186,7 +1185,12 @@ static bool is_ovs_bridge(const char *bridge) static int attach_to_ovs_bridge(const char *bridge, const char *nic) { pid_t pid; - const char *progname; + char *cmd; + + cmd = on_path("ovs-vsctl"); + if (!cmd) + return -1; + free(cmd); pid = fork(); if (pid < 0) @@ -1194,21 +1198,11 @@ static int attach_to_ovs_bridge(const char *bridge, const char *nic) if (pid > 0) return wait_for_pid(pid); - progname = strrchr(OVS_CTL_PATH, '/'); - if (!progname) // not sane, should we just fail? - progname = OVS_CTL_PATH; - if (execl(OVS_CTL_PATH, progname, "add-port", bridge, nic, NULL)) + if (execlp("ovs-vsctl", "ovs-vsctl", "add-port", bridge, nic, NULL)) exit(1); // not reached exit(1); } -#else -static inline bool is_ovs_bridge(const char *bridge) { return false; } -static inline int attach_to_ovs_bridge(const char *bridge, const char *nic) -{ - return -1; -} -#endif /* * There is a lxc_bridge_attach, but no need of a bridge detach -- 2.1.2
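Review bot: Only PATH is sanitised by the added setenv(); every other variable the unprivileged caller exported still reaches whatever this setuid-root helper spawns — including the `ovs-vsctl` that network.c's attach_to_ovs_bridge now locates through PATH and runs with execlp, which this helper presumably reaches via its bridge-attach path. If the spawned program honours environment overrides (Open vSwitch tools read several `OVS_*` variables, for instance), those would be attacker-chosen while running as root. Clear the environment before installing the known-good PATH: `if (clearenv() < 0 || setenv("PATH", "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 1) < 0) {` (clearenv() is declared in <stdlib.h> on glibc and musl, the libcs LXC targets). main() begins before this hunk, so the placement relative to any earlier environment reads cannot be checked from here.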
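Review bot: The path that on_path() resolves is freed and discarded on the very next line, and the child then performs a second, independent PATH search through execlp, so the two lookups can disagree and the pre-check buys little beyond an early return. Keep the resolved path and exec it directly in the child, freeing it in the parent once wait_for_pid() returns; the fork-failure branch, whose body sits between this hunk and the next, then has to free it too. A failed lookup also returns -1 with no diagnostic — an `ERROR("ovs-vsctl not found in PATH")`-style message, if this file has lxc's log macros in scope, would make the resulting bridge-attach failure explainable. attach_to_ovs_bridge continues in the following hunk.
```c
static int attach_to_ovs_bridge(const char *bridge, const char *nic)
{
	pid_t pid;
	int ret;
	char *cmd;

	cmd = on_path("ovs-vsctl");
	if (!cmd)
		return -1;
	/* no free() here: the child execs the resolved path below */

	pid = fork();
	if (pid < 0) {
		free(cmd);
		return -1;
	}
	if (pid > 0) {
		ret = wait_for_pid(pid);
		free(cmd);
		return ret;
	}

	/* child: exec the path resolved above rather than searching PATH again */
	execl(cmd, "ovs-vsctl", "add-port", bridge, nic, NULL);
	_exit(1);
}
```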
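Review bot: In the forked child, `exit(1)` after a failed execlp runs the parent's atexit handlers and flushes any stdio buffers the child inherited, so buffered output can be emitted twice; a child that failed to exec should leave with `_exit(1)`. The `if (execlp(...))` wrapper is also redundant, since execlp only returns on failure, so the three lines reduce to `execlp("ovs-vsctl", "ovs-vsctl", "add-port", bridge, nic, NULL);` followed by `_exit(1);`. Nothing reports why the exec failed; if lxc's SYSERROR() is available in this file, logging errno before exiting would help diagnose a missing or non-executable ovs-vsctl. attach_to_ovs_bridge begins in the previous hunk.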