Diffstat (limited to 'main/lxc/0003-Update-the-openvswitch-bridge-attach-code.patch')
-rw-r--r--main/lxc/0003-Update-the-openvswitch-bridge-attach-code.patch134
1 files changed, 134 insertions, 0 deletions
diff --git a/main/lxc/0003-Update-the-openvswitch-bridge-attach-code.patch b/main/lxc/0003-Update-the-openvswitch-bridge-attach-code.patch
new file mode 100644
index 0000000000..ff6085d686
--- /dev/null
+++ b/main/lxc/0003-Update-the-openvswitch-bridge-attach-code.patch
@@ -0,0 +1,134 @@
+From 26e73e11dcf4c59f90dea06fa36749be06202d04 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge.hallyn@ubuntu.com>
+Date: Fri, 22 Aug 2014 20:29:23 +0000
+Subject: [PATCH 3/3] Update the openvswitch bridge attach code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+1. don't determine ovs-vsctl path at configure time, do it at runtime
+
+2. lxc-user-nic: set a sane path to protect from unpriv users
+
+Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
+Acked-by: Stéphane Graber <stgraber@ubuntu.com>
+(cherry picked from commit 6ad22d063aa0fdbd77425acd7f9c9de79e5aff3e)
+---
+ configure.ac | 11 -----------
+ src/lxc/Makefile.am | 4 ----
+ src/lxc/lxc_user_nic.c | 5 +++++
+ src/lxc/network.c | 20 +++++++-------------
+ 4 files changed, 12 insertions(+), 28 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index e0efae7..6ec5740 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -192,16 +192,6 @@ fi
+
+ AM_CONDITIONAL([ENABLE_API_DOCS], [test "x$HAVE_DOXYGEN" != "x"])
+
+-# Openvswitch
+-AC_PATH_PROG([OVS_CTL_PATH],[ovs-vsctl])
+-if test "x$OVS_CTL_PATH" != "x"; then
+- enable_ovs="yes"
+- AS_AC_EXPAND(OVS_CTL_PATH, "$OVS_CTL_PATH")
+-else
+- enable_ovs="no"
+-fi
+-AM_CONDITIONAL([HAVE_OVS], [test "x$enable_ovs" = "xyes"])
+-
+ # Apparmor
+ AC_ARG_ENABLE([apparmor],
+ [AC_HELP_STRING([--enable-apparmor], [enable apparmor support [default=auto]])],
+@@ -750,7 +740,6 @@ Environment:
+ - rpath: $enable_rpath
+ - GnuTLS: $enable_gnutls
+ - Bash integration: $enable_bash
+- - Openvswitch: $enable_ovs
+
+ Security features:
+ - Apparmor: $enable_apparmor
+diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
+index ddeb37e..92841aa 100644
+--- a/src/lxc/Makefile.am
++++ b/src/lxc/Makefile.am
+@@ -129,10 +129,6 @@ if ENABLE_APPARMOR
+ AM_CFLAGS += -DHAVE_APPARMOR
+ endif
+
+-if HAVE_OVS
+-AM_CFLAGS += -DHAVE_OVS -DOVS_CTL_PATH=\"$(OVS_CTL_PATH)\"
+-endif
+-
+ if ENABLE_CGMANAGER
+ AM_CFLAGS += -DHAVE_CGMANAGER
+ endif
+diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
+index 64e9d1a..b2a583c 100644
+--- a/src/lxc/lxc_user_nic.c
++++ b/src/lxc/lxc_user_nic.c
+@@ -590,6 +590,11 @@ int main(int argc, char *argv[])
+ char *vethname = NULL;
+ int pid;
+
++ /* set a sane path, because we are setuid-root */
++ if (setenv("PATH", "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 1) < 0) {
++ fprintf(stderr, "Failed to set PATH, exiting\n");
++ exit(1);
++ }
+ if ((me = get_username()) == NULL) {
+ fprintf(stderr, "Failed to get username\n");
+ exit(1);
+diff --git a/src/lxc/network.c b/src/lxc/network.c
+index dfab159..32edfc4 100644
+--- a/src/lxc/network.c
++++ b/src/lxc/network.c
+@@ -1171,7 +1171,6 @@ int lxc_ipv6_dest_add(int ifindex, struct in6_addr *dest)
+ return ip_route_dest_add(AF_INET6, ifindex, dest);
+ }
+
+-#ifdef HAVE_OVS
+ static bool is_ovs_bridge(const char *bridge)
+ {
+ char brdirname[22 + IFNAMSIZ + 1] = {0};
+@@ -1186,7 +1185,12 @@ static bool is_ovs_bridge(const char *bridge)
+ static int attach_to_ovs_bridge(const char *bridge, const char *nic)
+ {
+ pid_t pid;
+- const char *progname;
++ char *cmd;
++
++ cmd = on_path("ovs-vsctl");
++ if (!cmd)
++ return -1;
++ free(cmd);
+
+ pid = fork();
+ if (pid < 0)
+@@ -1194,21 +1198,11 @@ static int attach_to_ovs_bridge(const char *bridge, const char *nic)
+ if (pid > 0)
+ return wait_for_pid(pid);
+
+- progname = strrchr(OVS_CTL_PATH, '/');
+- if (!progname) // not sane, should we just fail?
+- progname = OVS_CTL_PATH;
+- if (execl(OVS_CTL_PATH, progname, "add-port", bridge, nic, NULL))
++ if (execlp("ovs-vsctl", "ovs-vsctl", "add-port", bridge, nic, NULL))
+ exit(1);
+ // not reached
+ exit(1);
+ }
+-#else
+-static inline bool is_ovs_bridge(const char *bridge) { return false; }
+-static inline int attach_to_ovs_bridge(const char *bridge, const char *nic)
+-{
+- return -1;
+-}
+-#endif
+
+ /*
+ * There is a lxc_bridge_attach, but no need of a bridge detach
+--
+2.1.2
+
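Review bot: In attach_to_ovs_bridge the path returned by `on_path("ovs-vsctl")` is freed right after the NULL check and the child then does a second, independent lookup via `execlp`, so the check-then-exec pair is a TOCTOU and the binary actually executed can differ from the one validated (PATH is the only thing tying them together). Since the helper already has the resolved path in `cmd`, the child should `execl(cmd, "ovs-vsctl", "add-port", bridge, nic, NULL)` and the parent should free `cmd` after `wait_for_pid`, which also keeps the exec independent of PATH at fork time. The PATH pinning in lxc_user_nic.c covers the setuid entry point, but network.c is shared library code; if this function is reachable from other entry points that inherit the caller's PATH, it would be worth a comment there noting that `on_path` is trusted only because callers sanitize PATH first. A `fprintf(stderr, ...)` when `on_path` returns NULL would also make the silent -1 diagnosable, since the caller currently cannot distinguish "ovs-vsctl missing" from "add-port failed".
```c
cmd = on_path("ovs-vsctl");
if (!cmd)
    return -1;

pid = fork();
if (pid < 0) {
    free(cmd);
    return -1;
}
if (pid > 0) {
    int ret = wait_for_pid(pid);
    free(cmd);
    return ret;
}

/* child: exec the path already validated above, not a second PATH search */
execl(cmd, "ovs-vsctl", "add-port", bridge, nic, NULL);
exit(1);
```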