stream-unix: Use rundir as root for relative paths.
Until now, "unix:" and "punix:" paths that are not absolute have
been considered relative to the current working directory.  It
is more useful to consider them relative to the rundir, so this
commit makes that change to the C and Python implementations of
the stream code.

This commit also relaxes the whitelist check in the bridge code
so that any name that does not contain a "/" is considered OK.

Signed-off-by: Pavithra Ramesh <[email protected]>
Signed-off-by: Ben Pfaff <[email protected]>
paramesh2012 authored and blp committed Feb 11, 2013
1 parent 1f3c5ef commit 2c487bc
Showing 12 changed files with 50 additions and 9 deletions.
20 changes: 14 additions & 6 deletions lib/stream-unix.c
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2008, 2009, 2010, 2011, 2012 Nicira, Inc.
* Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@
#include "packets.h"
#include "poll-loop.h"
#include "socket-util.h"
#include "dirs.h"
#include "util.h"
#include "stream-provider.h"
#include "stream-fd.h"
@@ -42,15 +43,19 @@ static int
unix_open(const char *name, char *suffix, struct stream **streamp,
uint8_t dscp OVS_UNUSED)
{
const char *connect_path = suffix;
char *connect_path;
int fd;

connect_path = abs_file_name(ovs_rundir(), suffix);
fd = make_unix_socket(SOCK_STREAM, true, NULL, connect_path);

if (fd < 0) {
VLOG_DBG("%s: connection failed (%s)", connect_path, strerror(-fd));
free(connect_path);
return -fd;
}

free(connect_path);
return new_fd_stream(name, fd, check_connection_completion(fd), streamp);
}

@@ -76,23 +81,26 @@ static int
punix_open(const char *name OVS_UNUSED, char *suffix,
struct pstream **pstreamp, uint8_t dscp OVS_UNUSED)
{
char *bind_path;
int fd, error;

fd = make_unix_socket(SOCK_STREAM, true, suffix, NULL);
bind_path = abs_file_name(ovs_rundir(), suffix);
fd = make_unix_socket(SOCK_STREAM, true, bind_path, NULL);
if (fd < 0) {
VLOG_ERR("%s: binding failed: %s", suffix, strerror(errno));
VLOG_ERR("%s: binding failed: %s", bind_path, strerror(errno));
free(bind_path);
return errno;
}

if (listen(fd, 10) < 0) {
error = errno;
VLOG_ERR("%s: listen: %s", name, strerror(error));
close(fd);
free(bind_path);
return error;
}

return new_fd_pstream(name, fd, punix_accept, NULL,
xstrdup(suffix), pstreamp);
return new_fd_pstream(name, fd, punix_accept, NULL, bind_path, pstreamp);
}

static int
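Review bot: In punix_open's bind-failure branch, `free(bind_path)` now runs between the failing `make_unix_socket()` call and `return errno;`, so the returned code depends on errno surviving both VLOG_ERR and free. unix_open above treats the same helper's result as a negative errno (`strerror(-fd)`, `return -fd;`), so punix_open could capture it once with `error = -fd;`, log `strerror(error)` and `return error;`. Both functions hand `suffix` to `abs_file_name(ovs_rundir(), suffix)` with no comment on names that contain `..`; abs_file_name is not shown here, so confirm whether such names can resolve outside the rundir and record the answer in a comment at the call. The listen-failure message still logs `name` while the bind-failure message now logs `bind_path`.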
4 changes: 4 additions & 0 deletions python/ovs/stream.py
@@ -107,6 +107,8 @@ def open(name, dscp=DSCP_DEFAULT):
return errno.EAFNOSUPPORT, None

suffix = name.split(":", 1)[1]
if name.startswith("unix:"):
suffix = ovs.util.abs_file_name(ovs.dirs.RUNDIR, suffix)
error, sock = cls._open(suffix, dscp)
if error:
return error, None
@@ -282,6 +284,8 @@ def open(name):
return errno.EAFNOSUPPORT, None

bind_path = name[6:]
if name.startswith("punix:"):
bind_path = ovs.util.abs_file_name(ovs.dirs.RUNDIR, bind_path)
error, sock = ovs.socket_util.make_unix_socket(socket.SOCK_STREAM,
True, bind_path, None)
if error:
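Review bot: The new calls use `ovs.util.abs_file_name` and `ovs.dirs.RUNDIR`, but this section's four additions all sit inside the two `open` bodies, so no `import ovs.dirs` or `import ovs.util` was added. The import block is outside the hunks, so confirm this module imports both itself rather than reaching them only because another module imported them first. In the second hunk `bind_path = name[6:]` already assumes a `punix:` prefix, so the added `if name.startswith("punix:")` is either redundant or the slice is wrong for other names; the check that precedes it is not visible. The docstrings of both `open` functions, also outside the hunks, should state that relative names are resolved against RUNDIR.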
3 changes: 3 additions & 0 deletions tests/jsonrpc-py.at
@@ -2,6 +2,7 @@ AT_BANNER([JSON-RPC - Python])

AT_SETUP([JSON-RPC request and successful reply - Python])
AT_SKIP_IF([test $HAVE_PYTHON = no])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
AT_CHECK([$PYTHON $srcdir/test-jsonrpc.py --detach --pidfile=`pwd`/pid listen punix:socket])
AT_CHECK([test -s pid])
AT_CHECK([kill -0 `cat pid`])
@@ -14,6 +15,7 @@ AT_CLEANUP

AT_SETUP([JSON-RPC request and error reply - Python])
AT_SKIP_IF([test $HAVE_PYTHON = no])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
AT_CHECK([$PYTHON $srcdir/test-jsonrpc.py --detach --pidfile=`pwd`/pid listen punix:socket])
AT_CHECK([test -s pid])
AT_CHECK([kill -0 `cat pid`])
@@ -26,6 +28,7 @@ AT_CLEANUP

AT_SETUP([JSON-RPC notification - Python])
AT_SKIP_IF([test $HAVE_PYTHON = no])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
AT_CHECK([$PYTHON $srcdir/test-jsonrpc.py --detach --pidfile=`pwd`/pid listen punix:socket])
AT_CHECK([test -s pid])
# When a daemon dies it deletes its pidfile, so make a copy.
3 changes: 3 additions & 0 deletions tests/jsonrpc.at
@@ -1,6 +1,7 @@
AT_BANNER([JSON-RPC - C])

AT_SETUP([JSON-RPC request and successful reply])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
AT_CHECK([test-jsonrpc --detach --no-chdir --pidfile="`pwd`"/pid listen punix:socket])
AT_CHECK([test -s pid])
AT_CHECK([kill -0 `cat pid`])
@@ -12,6 +13,7 @@ AT_CHECK([kill `cat pid`])
AT_CLEANUP

AT_SETUP([JSON-RPC request and error reply])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
AT_CHECK([test-jsonrpc --detach --no-chdir --pidfile="`pwd`"/pid listen punix:socket])
AT_CHECK([test -s pid])
AT_CHECK([kill -0 `cat pid`])
@@ -23,6 +25,7 @@ AT_CHECK([kill `cat pid`])
AT_CLEANUP

AT_SETUP([JSON-RPC notification])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
AT_CHECK([test-jsonrpc --detach --no-chdir --pidfile="`pwd`"/pid listen punix:socket])
AT_CHECK([test -s pid])
# When a daemon dies it deletes its pidfile, so make a copy.
1 change: 1 addition & 0 deletions tests/ovsdb-execution.at
@@ -138,6 +138,7 @@ m4_divert_pop([PREPARE_TESTS])
m4_define([OVSDB_CHECK_EXECUTION],
[AT_SETUP([$1])
AT_KEYWORDS([ovsdb execute execution positive $5])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
AT_CHECK([test-ovsdb execute "`$2`" m4_foreach([txn], [$3], [ 'txn'])],
[0], [stdout], [])
AT_CHECK([perl $srcdir/uuidfilt.pl stdout], [0], [$4])
4 changes: 4 additions & 0 deletions tests/ovsdb-idl.at
@@ -1,5 +1,6 @@
AT_BANNER([OVSDB -- interface description language (IDL)])

OVS_RUNDIR=`pwd`; export OVS_RUNDIR
# OVSDB_CHECK_IDL_C(TITLE, [PRE-IDL-TXN], TRANSACTIONS, OUTPUT, [KEYWORDS],
# [FILTER])
#
@@ -19,6 +20,7 @@ AT_BANNER([OVSDB -- interface description language (IDL)])
m4_define([OVSDB_CHECK_IDL_C],
[AT_SETUP([$1 - C])
AT_KEYWORDS([ovsdb server idl positive $5])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
AT_CHECK([ovsdb-tool create db $abs_srcdir/idltest.ovsschema],
[0], [stdout], [ignore])
AT_CHECK([ovsdb-server '-vPATTERN:console:ovsdb-server|%c|%m' --detach --no-chdir --pidfile="`pwd`"/pid --remote=punix:socket --unixctl="`pwd`"/unixctl db], [0], [ignore], [ignore])
@@ -36,6 +38,7 @@ m4_define([OVSDB_CHECK_IDL_PY],
[AT_SETUP([$1 - Python])
AT_SKIP_IF([test $HAVE_PYTHON = no])
AT_KEYWORDS([ovsdb server idl positive Python $5])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
AT_CHECK([ovsdb-tool create db $abs_srcdir/idltest.ovsschema],
[0], [stdout], [ignore])
AT_CHECK([ovsdb-server '-vPATTERN:console:ovsdb-server|%c|%m' --detach --no-chdir --pidfile="`pwd`"/pid --remote=punix:socket --unixctl="`pwd`"/unixctl db], [0], [ignore], [ignore])
@@ -53,6 +56,7 @@ m4_define([OVSDB_CHECK_IDL_TCP_PY],
[AT_SETUP([$1 - Python tcp])
AT_SKIP_IF([test $HAVE_PYTHON = no])
AT_KEYWORDS([ovsdb server idl positive Python with tcp socket $5])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
AT_CHECK([ovsdb-tool create db $abs_srcdir/idltest.ovsschema],
[0], [stdout], [ignore])
AT_CHECK([perl $srcdir/choose-port.pl], [0], [stdout])
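Review bot: The `OVS_RUNDIR` assignment placed directly after `AT_BANNER` sits at file top level, outside any `AT_SETUP`/`AT_CLEANUP` group, while the three macros below set the same variable inside each test group. Whether Autotest emits top-level shell text where it runs before the tests is not visible from this page; if it does not, that line is dead, and if it does, the per-macro copies are redundant. The same assignment line is repeated across the other test files in this commit, so a shared m4 macro for it would keep the copies from drifting apart.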
3 changes: 2 additions & 1 deletion tests/ovsdb-macros.at
@@ -2,7 +2,8 @@ dnl OVSDB_INIT([$1])
dnl
dnl Creates an empty database named $1.
m4_define([OVSDB_INIT],
[AT_CHECK(
[OVS_RUNDIR=`pwd`; export OVS_RUNDIR
AT_CHECK(
[ovsdb-tool create $1 $abs_top_srcdir/vswitchd/vswitch.ovsschema],
[0], [stdout], [ignore])
AT_CHECK(
1 change: 1 addition & 0 deletions tests/ovsdb-monitor.at
@@ -19,6 +19,7 @@ AT_BANNER([OVSDB -- ovsdb-server monitors])
m4_define([OVSDB_CHECK_MONITOR],
[AT_SETUP([$1])
AT_KEYWORDS([ovsdb server monitor positive $9])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
$2 > schema
AT_CHECK([ovsdb-tool create db schema], [0], [stdout], [ignore])
m4_foreach([txn], [$3],
9 changes: 9 additions & 0 deletions tests/ovsdb-server.at
@@ -21,6 +21,7 @@ m4_define([OVSDB_SERVER_SHUTDOWN],
# TITLE is provided to AT_SETUP and KEYWORDS to AT_KEYWORDS.
m4_define([OVSDB_CHECK_EXECUTION],
[AT_SETUP([$1])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
AT_KEYWORDS([ovsdb server positive unix $5])
$2 > schema
AT_CHECK([ovsdb-tool create db schema], [0], [stdout], [ignore])
@@ -39,6 +40,7 @@ EXECUTION_EXAMPLES

AT_SETUP([truncating corrupted database log])
AT_KEYWORDS([ovsdb server positive unix])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
ordinal_schema > schema
AT_CHECK([ovsdb-tool create db schema], [0], [stdout], [ignore])
dnl Do one transaction and save the output.
@@ -85,6 +87,7 @@ AT_CLEANUP

AT_SETUP([truncating database log with bad transaction])
AT_KEYWORDS([ovsdb server positive unix])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
ordinal_schema > schema
AT_CHECK([ovsdb-tool create db schema], [0], [stdout], [ignore])
dnl Do one transaction and save the output.
@@ -132,6 +135,7 @@ AT_CLEANUP

AT_SETUP([ovsdb-client get-schema-version])
AT_KEYWORDS([ovsdb server positive])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
ordinal_schema > schema
AT_CHECK([ovsdb-tool create db schema], [0], [ignore], [ignore])
AT_CHECK([ovsdb-server --detach --no-chdir --pidfile="`pwd`"/pid --unixctl="`pwd`"/unixctl --remote=punix:socket db], [0], [ignore], [ignore])
@@ -142,6 +146,7 @@ AT_CLEANUP

AT_SETUP([database multiplexing implementation])
AT_KEYWORDS([ovsdb server positive])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
ordinal_schema > schema1
constraint_schema > schema2
AT_CHECK([ovsdb-tool create db1 schema1], [0], [ignore], [ignore])
@@ -280,6 +285,7 @@ AT_CLEANUP

AT_SETUP([compacting online])
AT_KEYWORDS([ovsdb server compact])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
ordinal_schema > schema
dnl Make sure that "ovsdb-tool create" works with a dangling symlink for
dnl the database and the lockfile, creating the target of each symlink rather
@@ -430,6 +436,7 @@ m4_define([OVSDB_CHECK_EXECUTION],
[AT_SETUP([$1])
AT_KEYWORDS([ovsdb server positive ssl $5])
AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
$2 > schema
AT_CHECK([perl $srcdir/choose-port.pl], [0], [stdout])
SSL_PORT=`cat stdout`
@@ -479,6 +486,7 @@ AT_CLEANUP])
m4_define([OVSDB_CHECK_EXECUTION],
[AT_SETUP([$1])
AT_KEYWORDS([ovsdb server positive tcp $5])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
$2 > schema
AT_CHECK([perl $srcdir/choose-port.pl], [0], [stdout])
TCP_PORT=`cat stdout`
@@ -519,6 +527,7 @@ AT_BANNER([OVSDB -- transactions on transient ovsdb-server])
m4_define([OVSDB_CHECK_EXECUTION],
[AT_SETUP([$1])
AT_KEYWORDS([ovsdb server positive transient $5])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
$2 > schema
AT_CHECK([ovsdb-tool create db schema], [0], [stdout], [ignore])
m4_foreach([txn], [$3],
4 changes: 4 additions & 0 deletions tests/ovsdb-tool.at
@@ -16,6 +16,7 @@ AT_BANNER([OVSDB -- ovsdb-tool])
m4_define([OVSDB_CHECK_EXECUTION],
[AT_SETUP([$1])
AT_KEYWORDS([ovsdb file positive $5])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
$2 > schema
touch .db.~lock~
AT_CHECK([ovsdb-tool create db schema], [0], [stdout], [ignore])
@@ -48,6 +49,7 @@ AT_CLEANUP

AT_SETUP([ovsdb-tool compact])
AT_KEYWORDS([ovsdb file positive])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
ordinal_schema > schema
dnl Make sure that "ovsdb-tool create" works with a dangling symlink,
dnl creating the target of the symlink rather than replacing the symlink
@@ -155,6 +157,7 @@ AT_CLEANUP

AT_SETUP([ovsdb-tool convert -- removing a column])
AT_KEYWORDS([ovsdb file positive])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
ordinal_schema > schema
AT_DATA([new-schema],
[[{"name": "ordinals",
@@ -218,6 +221,7 @@ AT_CLEANUP

AT_SETUP([ovsdb-tool convert -- adding a column])
AT_KEYWORDS([ovsdb file positive])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
AT_DATA([schema],
[[{"name": "ordinals",
"tables": {
1 change: 1 addition & 0 deletions tests/vconn.at
@@ -11,6 +11,7 @@ m4_define([TEST_VCONN_CLASS],
[send-short-hello],
[send-invalid-version-hello]],
[AT_SETUP([$1 vconn - m4_bpatsubst(testname, [-], [ ])])
OVS_RUNDIR=`pwd`; export OVS_RUNDIR
m4_if([$1], [ssl], [
AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
AT_CHECK([cp $abs_top_builddir/tests/testpki*.pem .])])
6 changes: 4 additions & 2 deletions vswitchd/bridge.c
@@ -2799,8 +2799,10 @@ bridge_configure_remotes(struct bridge *br,
if (!strncmp(c->target, "unix:", 5)) {
/* Connect to a listening socket */
whitelist = xasprintf("unix:%s/", ovs_rundir());
if (!equal_pathnames(c->target, whitelist,
strlen(whitelist))) {
if (strchr(c->target, '/') &&
!equal_pathnames(c->target, whitelist,
strlen(whitelist))) {
/* Absolute path specified, but not in ovs_rundir */
VLOG_ERR_RL(&rl, "bridge %s: Not connecting to socket "
"controller \"%s\" due to possibility for "
"remote exploit. Instead, specify socket "

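Review bot: The comment `/* Absolute path specified, but not in ovs_rundir */` does not match the condition it sits under: `strchr(c->target, '/')` is true for any name containing a slash, so a relative name with a subdirectory component is rejected too, even though the stream code would now resolve it under the rundir. A comment such as `/* Name contains '/' and does not start with ovs_rundir(); slash-free names are accepted because stream-unix resolves them relative to ovs_rundir(). */` would describe the check and record that it depends on the stream layer's resolution. equal_pathnames is not shown, so whether a target that starts with the rundir prefix but contains `..` components is still rejected cannot be confirmed from this hunk and deserves a note or a test. bridge_configure_remotes starts and ends outside the hunk.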