On Fri, Mar 03, 2023 at 10:16:00AM -0500, Aaron Conole wrote:
> Open vSwitch generally tries to let the underlying operating system
> manage the low level details of hardware, for example DMA mapping,
> bus arbitration, etc. However, when using DPDK, the underlying
> operating system yields control of many of these details to userspace
> for management.
>
> In the case of some DPDK port drivers, configuring rte_flow or even
> allocating resources may require access to iopl/ioperm calls, which
> are guarded by the CAP_SYS_RAWIO privilege on linux systems. These
> calls are dangerous, and can allow a process to completely compromise
> a system. However, they are needed in the case of some userspace
> driver code which manages the hardware (for example, the mlx
> implementation of backend support for rte_flow).
>
> Here, we create an opt-in flag passed to the command line to allow
> this access. We need to do this before ever accessing the database,
> because we want to drop all privileges asap, and cannot wait for
> a connection to the database to be established and functional before
> dropping. There may be distribution specific ways to do capability
> management as well (using for example, systemd), but they are not
> as universal to the vswitchd as a flag.
>
> Signed-off-by: Aaron Conole <[email protected]>
Fun times. Minor nit below notwithstanding, this looks good to me, within the context of the description above.

Reviewed-by: Simon Horman <[email protected]>

...

> @@ -827,6 +829,17 @@ daemon_become_new_user_linux(bool access_datapath
> OVS_UNUSED)
> ret = capng_update(CAPNG_ADD, cap_sets, CAP_NET_ADMIN)
> || capng_update(CAPNG_ADD, cap_sets, CAP_NET_RAW)
> || capng_update(CAPNG_ADD, cap_sets,
> CAP_NET_BROADCAST);
> +#ifdef DPDK_NETDEV
> + if (access_hardware_ports && !ret) {
> + ret = capng_update(CAPNG_ADD, cap_sets, CAP_SYS_RAWIO);
> + VLOG_INFO("CAP_SYS_RAWIO enabled.");
> + }
> +#else
> + ;

nit: is the line above needed?

> + if (access_hardware_ports) {
> + VLOG_WARN("Dropped CAP_SYS_RAWIO request (no drivers).");
> + }
> +#endif
> }
> } else {
> ret = -1;

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
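Review bot: In the DPDK_NETDEV branch, `VLOG_INFO("CAP_SYS_RAWIO enabled.");` is emitted unconditionally right after `ret = capng_update(CAPNG_ADD, cap_sets, CAP_SYS_RAWIO);`, so the log claims the capability was enabled even when capng_update failed; guard the message with `if (!ret)` (or log the failure on the other path), otherwise an operator checking why raw I/O is unavailable is told the opposite of what happened. The bare `;` on the `#else` side is dead and can simply be dropped, as already noted above.

The check a defender wants after a daemon like this drops privileges is whether CAP_SYS_RAWIO is really gone from its effective set. The following is an added example, not code from the patch or from Open vSwitch: it decodes the CapEff (or CapBnd) hex mask from a /proc/<pid>/status buffer and tests it against the three network capabilities the hunk grants without the opt-in flag. The capability numbers are the Linux values (CAP_NET_BROADCAST 11, CAP_NET_ADMIN 12, CAP_NET_RAW 13, CAP_SYS_RAWIO 17); the status text is constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Linux capability numbers from <linux/capability.h>. */
#define CAP_NET_BROADCAST 11
#define CAP_NET_ADMIN     12
#define CAP_NET_RAW       13
#define CAP_SYS_RAWIO     17

/* Parse the hex mask that follows a "CapXxx:" field (e.g. "CapEff:") in a
 * /proc/<pid>/status buffer. Returns 0 if the field is missing or malformed. */
uint64_t cap_mask_from_status(const char *status, const char *field)
{
    const char *p = strstr(status, field);
    if (!p) return 0;
    p += strlen(field);
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    uint64_t mask = strtoull(p, &end, 16);
    return end == p ? 0 : mask;
}

int cap_is_set(uint64_t mask, int cap)
{
    return (int) ((mask >> cap) & 1);
}

/* 1 if the effective set is exactly NET_ADMIN | NET_RAW | NET_BROADCAST,
 * the set the patch leaves when --access-hardware-ports is not given;
 * 0 if anything else (CAP_SYS_RAWIO included) is still present. */
int effective_set_is_minimal(uint64_t mask)
{
    uint64_t expected = (1ULL << CAP_NET_BROADCAST) | (1ULL << CAP_NET_ADMIN)
                      | (1ULL << CAP_NET_RAW);
    return mask == expected;
}

/* Constructed samples of what /proc/<pid>/status shows for the daemon. */
const char SAMPLE_DROPPED[] = "Name:\tovs-vswitchd\nCapEff:\t0000000000003800\n";
const char SAMPLE_RAWIO[]   = "Name:\tovs-vswitchd\nCapEff:\t0000000000023800\n";

int main(void)
{
    uint64_t m = cap_mask_from_status(SAMPLE_RAWIO, "CapEff:");
    printf("CAP_SYS_RAWIO %s\n", cap_is_set(m, CAP_SYS_RAWIO) ? "present" : "absent");
    return 0;
}
```

On a live system the same functions apply to the contents of /proc/$(pidof ovs-vswitchd)/status; checking CapBnd as well confirms the capability cannot be regained.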
