Re: [PATCH 1/3] util: use AF_UNIX family (not AF_PACKET) for ioctl sockets

[Michal Privoznik <mprivozn@xxxxxxxxxx>]

On 03/21/2017 04:23 PM, Laine Stump wrote:
> The exact family of the socket created for the fd used by ioctl(7)
> doesn't matter, it just needs to be a socket and not a file. But for
> some reason when macvtap support was added, it used
> AF_PACKET/SOCK_DGRAM sockets for its ioctls; we later used the same
> AF_PACKET/SOCK_DGRAM socket for new ioctls we added, and eventually
> modified the other pre-existing ioctl sockets (for creating/deleting
> bridges) to also use AF_PACKET/SOCK_DGRAM (that code originally used
> AF_UNIX/SOCK_STREAM).
>
> The problem with using AF_PACKET (intended for sending/receiving "raw"
> packets, i.e. packets that can be some protocol other than TCP or UDP)
> is that it requires root privileges. This meant that none of the
> ioctls in virnetdev.c or virnetdevip.c would work when running
> libvirtd unprivileged.
>
> This patch solves that problem by changing the family to AF_UNIX when
> creating the socket used for any ioctl().
> ---
>
> (Cc'ing Stefan Berger, since he originally added the code using
> AF_PACKET, and I want to make sure this was just a random choice, and
> not for some important reason I'm overlooking)
>
>
>  src/util/virnetdev.c   | 2 +-
>  src/util/virnetdevip.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/util/virnetdev.c b/src/util/virnetdev.c
> index d9f716b..b0159b2 100644
> --- a/src/util/virnetdev.c
> +++ b/src/util/virnetdev.c
> @@ -41,7 +41,7 @@
>  #ifdef __linux__
>  # include <linux/sockios.h>
>  # include <linux/if_vlan.h>
> -# define VIR_NETDEV_FAMILY AF_PACKET
> +# define VIR_NETDEV_FAMILY AF_UNIX
>  #elif defined(HAVE_STRUCT_IFREQ) && defined(AF_LOCAL)
>  # define VIR_NETDEV_FAMILY AF_LOCAL
>  #else
> diff --git a/src/util/virnetdevip.c b/src/util/virnetdevip.c
> index 42fbba1..c82b8a5 100644
> --- a/src/util/virnetdevip.c
> +++ b/src/util/virnetdevip.c
> @@ -44,7 +44,7 @@
>  #ifdef __linux__
>  # include <linux/sockios.h>
>  # include <linux/if_vlan.h>
> -# define VIR_NETDEV_FAMILY AF_PACKET
> +# define VIR_NETDEV_FAMILY AF_UNIX
>  #elif defined(HAVE_STRUCT_IFREQ) && defined(AF_LOCAL)
>  # define VIR_NETDEV_FAMILY AF_LOCAL
>  #else

ACK if you also remove the comment in virNetDevGetFeatures that mentions 
AF_PACKET.

Michal

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list