Simon Horman <[email protected]> writes:

> On Fri, Mar 03, 2023 at 10:16:00AM -0500, Aaron Conole wrote:
>> Open vSwitch generally tries to let the underlying operating system
>> manage the low level details of hardware, for example DMA mapping,
>> bus arbitration, etc. However, when using DPDK, the underlying
>> operating system yields control of many of these details to userspace
>> for management.
>>
>> In the case of some DPDK port drivers, configuring rte_flow or even
>> allocating resources may require access to iopl/ioperm calls, which
>> are guarded by the CAP_SYS_RAWIO privilege on linux systems. These
>> calls are dangerous, and can allow a process to completely compromise
>> a system. However, they are needed in the case of some userspace
>> driver code which manages the hardware (for example, the mlx
>> implementation of backend support for rte_flow).
>>
>> Here, we create an opt-in flag passed to the command line to allow
>> this access. We need to do this before ever accessing the database,
>> because we want to drop all privileges asap, and cannot wait for
>> a connection to the database to be established and functional before
>> dropping. There may be distribution specific ways to do capability
>> management as well (using for example, systemd), but they are not
>> as universal to the vswitchd as a flag.
>>
>> Signed-off-by: Aaron Conole <[email protected]>
>
> Fun times.
:)

> Minor nit below notwithstanding this looks good to me,
> within the context of the description above.
>
> Reviewed-by: Simon Horman <[email protected]>

Thanks for the review, Simon!

> ...
>
>> @@ -827,6 +829,17 @@ daemon_become_new_user_linux(bool access_datapath
>> OVS_UNUSED)
>>              ret = capng_update(CAPNG_ADD, cap_sets, CAP_NET_ADMIN)
>>                    || capng_update(CAPNG_ADD, cap_sets, CAP_NET_RAW)
>>                    || capng_update(CAPNG_ADD, cap_sets,
>> CAP_NET_BROADCAST);
>> +#ifdef DPDK_NETDEV
>> +            if (access_hardware_ports && !ret) {
>> +                ret = capng_update(CAPNG_ADD, cap_sets, CAP_SYS_RAWIO);
>> +                VLOG_INFO("CAP_SYS_RAWIO enabled.");
>> +            }
>> +#else
>> +            ;
>
> nit: is the line above needed?

d'oh. I removed it when I reviewed, but forgot to generate a new patch.
Thanks for looking!

v2 incoming.

>> +            if (access_hardware_ports) {
>> +                VLOG_WARN("Dropped CAP_SYS_RAWIO request (no
>> drivers).");
>> +            }
>> +#endif
>>          }
>>      } else {
>>          ret = -1;

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
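Review bot: in the DPDK_NETDEV branch of the hunk, VLOG_INFO("CAP_SYS_RAWIO enabled.") is emitted right after capng_update(CAPNG_ADD, cap_sets, CAP_SYS_RAWIO) without looking at the value it stored in ret, so a failed update still logs that the capability was enabled; log the success only when ret is still 0 after the call, and log the failure otherwise. Since the commit message itself says CAP_SYS_RAWIO can let the process completely compromise the system, consider logging the successful grant at VLOG_WARN so it is as visible as the "Dropped CAP_SYS_RAWIO request" warning in the #else branch, and naming the opt-in flag in the message so an operator reading the log can see why the daemon holds it.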
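The commit message above keeps CAP_NET_ADMIN, CAP_NET_RAW and CAP_NET_BROADCAST for ovs-vswitchd and adds CAP_SYS_RAWIO only when the opt-in flag is given. As an added example that is not part of the patch or of Open vSwitch, the script below decodes the Cap* lines the kernel reports in /proc/<pid>/status and checks whether a process's effective and permitted sets hold exactly what the flag should produce, which is the check a practitioner would run after starting the daemon each way. The capability numbers are those of linux/capability.h; the sample status lines are constructed, and the live check assumes a Linux procfs and that you know the ovs-vswitchd PID.

```python
"""Check which Linux capabilities a running process actually kept.

Added example, not Open vSwitch code. It decodes the Cap* masks the kernel
reports in /proc/<pid>/status so that, after starting ovs-vswitchd with or
without the opt-in CAP_SYS_RAWIO flag, you can confirm the effective and
permitted sets hold exactly the capabilities the flag should produce.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Capability numbers from linux/capability.h; bit n of a CapXxx mask is cap n.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# What the patch retains for vswitchd unconditionally, and the opt-in extra.
BASE_CAPS = {"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_NET_BROADCAST"}
OPT_IN_CAP = "CAP_SYS_RAWIO"

_CAP_LINE = re.compile(
    r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):[ \t]*([0-9a-fA-F]+)[ \t]*$", re.M)


def decode_cap_mask(mask: int) -> set[str]:
    """Turn a kernel capability bitmask into the set of capability names."""
    names = set()
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            # Caps newer than this table are reported by number, not dropped.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def parse_status_caps(status_text: str) -> dict[str, set[str]]:
    """Extract every Cap* line of a /proc/<pid>/status dump as decoded names."""
    return {field: decode_cap_mask(int(hexmask, 16))
            for field, hexmask in _CAP_LINE.findall(status_text)}


def check_vswitchd_caps(status_text: str, expect_rawio: bool) -> list[str]:
    """Compare the effective and permitted sets with what the flag should yield.

    Returns a list of problems; an empty list means the process holds exactly
    BASE_CAPS, plus CAP_SYS_RAWIO if and only if expect_rawio is True.
    """
    caps = parse_status_caps(status_text)
    expected = BASE_CAPS | ({OPT_IN_CAP} if expect_rawio else set())
    problems = []
    for field in ("CapEff", "CapPrm"):
        held = caps.get(field, set())
        extra = sorted(held - expected)
        missing = sorted(expected - held)
        if extra:
            problems.append(f"{field} holds unexpected {extra}")
        if missing:
            problems.append(f"{field} lacks {missing}")
    return problems


def read_status(pid: int) -> str:
    """Read the live status file; assumes a Linux procfs and a known PID."""
    return Path(f"/proc/{pid}/status").read_text()


# Constructed sample input (not captured from a real host): the Cap* lines of a
# vswitchd that kept only the three network caps (bits 11, 12, 13 = 0x3800), and
# of one started with the opt-in flag, which also has bit 17 set (0x23800).
SAMPLE_WITHOUT_RAWIO = (
    "Name:\tovs-vswitchd\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000003800\n"
    "CapEff:\t0000000000003800\n"
    "CapBnd:\t0000000000003800\n"
    "CapAmb:\t0000000000000000\n"
)
SAMPLE_WITH_RAWIO = SAMPLE_WITHOUT_RAWIO.replace("0000000000003800",
                                                 "0000000000023800")

if __name__ == "__main__":
    # Usage: python3 check_caps.py <pid> [--expect-rawio]
    pid = int(sys.argv[1])
    expect = "--expect-rawio" in sys.argv[2:]
    issues = check_vswitchd_caps(read_status(pid), expect_rawio=expect)
    print("\n".join(issues) if issues else "capability sets match the flag")
    sys.exit(1 if issues else 0)
```

Only CapEff and CapPrm are compared, because those are the sets the process can actually use or re-acquire; CapBnd is decoded too and is worth eyeballing, since a permissive bounding set is what lets a later exec pick up more than the daemon itself holds.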
