On Mon, 22 Feb 2016 11:43:23 -0800
Daniele Di Proietto <diproiet...@vmware.com> wrote:

> This check prevents an obvious way for a vhost-user socket to escape the
> intended directory.
> 
> There might be other ways to escape the directory (none comes to mind at
> the moment), but this is a problem that should be properly solved by
> mandatory access control.
> 
> A similar check is done for a bridge name, since that name is used as
> part of a socket as well.
> 
> Signed-off-by: Daniele Di Proietto <diproiet...@vmware.com>
> ---
> v2:
> * Do not check for '..', as this doesn't really create a problem
> * Document restriction in INSTALL.DPDK.md
> * Also check for backward slash
> * Drop next patch that unlinks the socket before creating it.  As pointed
>   out by Ansis, it enables users deleting other sockets (db or management)
>   in the run directory
> ---
>  INSTALL.DPDK.md   |  3 ++-
>  lib/netdev-dpdk.c | 16 ++++++++++++++--
>  2 files changed, 16 insertions(+), 3 deletions(-)

Acked-by: Flavio Leitner <f...@sysclose.org>

-- 
fbl

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev

Reply via email to