diff --git a/backport-CVE-2023-1668.patch b/backport-CVE-2023-1668.patch deleted file mode 100644 index 0b7f7d35de8b97bc5398fd6f90679933772f53fa..0000000000000000000000000000000000000000 --- a/backport-CVE-2023-1668.patch +++ /dev/null 
@@ -1,433 +0,0 @@ -From 27fb5db7f727ffc056f024f9ba4936facccb5f40 Mon Sep 17 00:00:00 2001 -From: Aaron Conole -Date: Fri, 31 Mar 2023 17:17:27 -0400 -Subject: [PATCH] ofproto-dpif-xlate: Always mask ip proto field. - -The ofproto layer currently treats nw_proto field as overloaded to mean -both that a proper nw layer exists, as well as the value contained in -the header for the nw proto. However, this is incorrect behavior as -relevant standards permit that any value, including '0' should be treated -as a valid value. - -Because of this overload, when the ofproto layer builds action list for -a packet with nw_proto of 0, it won't build the complete action list that -we expect to be built for the packet. That will cause a bad behavior -where all packets passing the datapath will fall into an incomplete -action set. - -The fix here is to unwildcard nw_proto, allowing us to preserve setting -actions for protocols which we know have support for the actions we -program. This means that a traffic which contains nw_proto == 0 cannot -cause connectivity breakage with other traffic on the link. 
- -Reported-by: David Marchand -Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2134873 -Acked-by: Ilya Maximets -Signed-off-by: Aaron Conole -Signed-off-by: Ilya Maximets ---- - include/openvswitch/meta-flow.h | 4 + - lib/meta-flow.c | 25 +++++ - ofproto/ofproto-dpif-xlate.c | 8 ++ - tests/ofproto-dpif.at | 18 ++-- - tests/ofproto.at | 182 ++++++++++++++++++++++++++++++++ - tests/packet-type-aware.at | 2 +- - 6 files changed, 229 insertions(+), 10 deletions(-) - -diff --git a/include/openvswitch/meta-flow.h b/include/openvswitch/meta-flow.h -index 045dce8f5fa..3b0220aaa25 100644 ---- a/include/openvswitch/meta-flow.h -+++ b/include/openvswitch/meta-flow.h -@@ -2366,6 +2366,10 @@ void mf_format_subvalue(const union mf_subvalue *subvalue, struct ds *s); - void field_array_set(enum mf_field_id id, const union mf_value *, - struct field_array *); - -+/* Mask the required l3 prerequisites if a 'set' action occurs. */ -+void mf_set_mask_l3_prereqs(const struct mf_field *, const struct flow *, -+ struct flow_wildcards *); -+ - #ifdef __cplusplus - } - #endif -diff --git a/lib/meta-flow.c b/lib/meta-flow.c -index c576ae6202a..474344194fa 100644 ---- a/lib/meta-flow.c -+++ b/lib/meta-flow.c -@@ -3676,3 +3676,28 @@ mf_bitmap_not(struct mf_bitmap x) - bitmap_not(x.bm, MFF_N_IDS); - return x; - } -+ -+void -+mf_set_mask_l3_prereqs(const struct mf_field *mf, const struct flow *fl, -+ struct flow_wildcards *wc) -+{ -+ if (is_ip_any(fl) && -+ ((mf->id == MFF_IPV4_SRC) || -+ (mf->id == MFF_IPV4_DST) || -+ (mf->id == MFF_IPV6_SRC) || -+ (mf->id == MFF_IPV6_DST) || -+ (mf->id == MFF_IPV6_LABEL) || -+ (mf->id == MFF_IP_DSCP) || -+ (mf->id == MFF_IP_ECN) || -+ (mf->id == MFF_IP_TTL))) { -+ WC_MASK_FIELD(wc, nw_proto); -+ } else if ((fl->dl_type == htons(ETH_TYPE_ARP)) && -+ ((mf->id == MFF_ARP_OP) || -+ (mf->id == MFF_ARP_SHA) || -+ (mf->id == MFF_ARP_THA) || -+ (mf->id == MFF_ARP_SPA) || -+ (mf->id == MFF_ARP_TPA))) { -+ /* mask only the lower 8 bits. 
*/ -+ wc->masks.nw_proto = 0xff; -+ } -+} -diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c -index 8a28b29d4c2..c9bd075a90d 100644 ---- a/ofproto/ofproto-dpif-xlate.c -+++ b/ofproto/ofproto-dpif-xlate.c -@@ -5186,6 +5186,7 @@ compose_dec_ttl(struct xlate_ctx *ctx, struct ofpact_cnt_ids *ids) - } - - ctx->wc->masks.nw_ttl = 0xff; -+ WC_MASK_FIELD(ctx->wc, nw_proto); - if (flow->nw_ttl > 1) { - flow->nw_ttl--; - return false; -@@ -7094,6 +7095,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - case OFPACT_SET_IPV4_SRC: - if (flow->dl_type == htons(ETH_TYPE_IP)) { - memset(&wc->masks.nw_src, 0xff, sizeof wc->masks.nw_src); -+ WC_MASK_FIELD(wc, nw_proto); - flow->nw_src = ofpact_get_SET_IPV4_SRC(a)->ipv4; - } - break; -@@ -7101,12 +7103,14 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - case OFPACT_SET_IPV4_DST: - if (flow->dl_type == htons(ETH_TYPE_IP)) { - memset(&wc->masks.nw_dst, 0xff, sizeof wc->masks.nw_dst); -+ WC_MASK_FIELD(wc, nw_proto); - flow->nw_dst = ofpact_get_SET_IPV4_DST(a)->ipv4; - } - break; - - case OFPACT_SET_IP_DSCP: - if (is_ip_any(flow)) { -+ WC_MASK_FIELD(wc, nw_proto); - wc->masks.nw_tos |= IP_DSCP_MASK; - flow->nw_tos &= ~IP_DSCP_MASK; - flow->nw_tos |= ofpact_get_SET_IP_DSCP(a)->dscp; -@@ -7115,6 +7119,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - - case OFPACT_SET_IP_ECN: - if (is_ip_any(flow)) { -+ WC_MASK_FIELD(wc, nw_proto); - wc->masks.nw_tos |= IP_ECN_MASK; - flow->nw_tos &= ~IP_ECN_MASK; - flow->nw_tos |= ofpact_get_SET_IP_ECN(a)->ecn; -@@ -7123,6 +7128,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - - case OFPACT_SET_IP_TTL: - if (is_ip_any(flow)) { -+ WC_MASK_FIELD(wc, nw_proto); - wc->masks.nw_ttl = 0xff; - flow->nw_ttl = ofpact_get_SET_IP_TTL(a)->ttl; - } -@@ -7190,6 +7196,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - - /* Set the field only if the packet actually has it. 
*/ - if (mf_are_prereqs_ok(mf, flow, wc)) { -+ mf_set_mask_l3_prereqs(mf, flow, wc); - mf_mask_field_masked(mf, ofpact_set_field_mask(set_field), wc); - mf_set_flow_value_masked(mf, set_field->value, - ofpact_set_field_mask(set_field), -@@ -7246,6 +7253,7 @@ do_xlate_actions(const struct ofpact *ofpacts, size_t ofpacts_len, - - case OFPACT_DEC_TTL: - wc->masks.nw_ttl = 0xff; -+ WC_MASK_FIELD(wc, nw_proto); - if (compose_dec_ttl(ctx, ofpact_get_DEC_TTL(a))) { - return; - } -diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at -index bc981f8fc61..71c267b3adc 100644 ---- a/tests/ofproto-dpif.at -+++ b/tests/ofproto-dpif.at -@@ -720,7 +720,7 @@ table=2 ip actions=set_field:192.168.3.91->ip_src,output(11) - AT_CHECK([ovs-ofctl -O OpenFlow12 add-flows br0 flows.txt]) - AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,dl_type=0x0800,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=1,nw_tos=0,nw_ttl=128,nw_frag=no,icmp_type=8,icmp_code=0'], [0], [stdout]) - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no -+ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no - Datapath actions: 10,set(ipv4(src=192.168.3.91)),11,set(ipv4(src=192.168.3.90)),13 - ]) - OVS_VSWITCHD_STOP -@@ -783,7 +783,7 @@ AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_ds - # Must match on the source address to be able to restore it's value for - # the second bucket - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no -+ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no - Datapath actions: set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),11 - ]) - OVS_VSWITCHD_STOP -@@ -815,7 +815,7 @@ done - AT_CHECK([ovs-appctl dpctl/dump-flows | sed 's/dp_hash(.*\/0xf)/dp_hash(0xXXXX\/0xf)/' | sed 's/packets.*actions:/actions:/' | strip_ufid | strip_used | sort], [0], [dnl - 
flow-dump from the main thread: - recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(frag=no), actions:hash(sym_l4(0)),recirc(0x1) --recirc_id(0x1),dp_hash(0xXXXX/0xf),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.0.1,frag=no), actions:set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),10 -+recirc_id(0x1),dp_hash(0xXXXX/0xf),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.0.1,proto=1,frag=no), actions:set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),10 - ]) - - OVS_VSWITCHD_STOP -@@ -830,7 +830,7 @@ AT_CHECK([ovs-appctl ofproto/trace br0 'in_port=1,dl_src=50:54:00:00:00:05,dl_ds - # Must match on the source address to be able to restore it's value for - # the third bucket - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_src=192.168.0.1,nw_frag=no -+ [Megaflow: recirc_id=0,eth,icmp,in_port=1,nw_src=192.168.0.1,nw_frag=no - Datapath actions: set(ipv4(src=192.168.3.90)),10,set(ipv4(src=192.168.0.1)),11 - ]) - OVS_VSWITCHD_STOP -@@ -1407,17 +1407,17 @@ AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) - AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=111,tos=0,ttl=2,frag=no)' -generate], [0], [stdout]) - AT_CHECK([tail -4 stdout], [0], [ - Final flow: ip,in_port=1,vlan_tci=0x0000,dl_src=50:54:00:00:00:05,dl_dst=50:54:00:00:00:07,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=111,nw_tos=0,nw_ecn=0,nw_ttl=1,nw_frag=no --Megaflow: recirc_id=0,eth,ip,in_port=1,nw_ttl=2,nw_frag=no -+Megaflow: recirc_id=0,eth,ip,in_port=1,nw_proto=111,nw_ttl=2,nw_frag=no - Datapath actions: set(ipv4(ttl=1)),2,userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)),4 - ]) - AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 
'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=192.168.0.1,dst=192.168.0.2,proto=111,tos=0,ttl=3,frag=no)'], [0], [stdout]) - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_ttl=3,nw_frag=no -+ [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_proto=111,nw_ttl=3,nw_frag=no - Datapath actions: set(ipv4(ttl=2)),2,set(ipv4(ttl=1)),3,4 - ]) - AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x86dd),ipv6(src=::1,dst=::2,label=0,proto=10,tclass=0x70,hlimit=128,frag=no)'], [0], [stdout]) - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,eth,ipv6,in_port=1,nw_ttl=128,nw_frag=no -+ [Megaflow: recirc_id=0,eth,ipv6,in_port=1,nw_proto=10,nw_ttl=128,nw_frag=no - Datapath actions: set(ipv6(hlimit=127)),2,set(ipv6(hlimit=126)),3,4 - ]) - -@@ -1527,7 +1527,7 @@ AT_CHECK([ovs-vsctl -- \ - --id=@q2 create Queue dscp=2], [0], [ignore]) - AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(9),eth(src=50:54:00:00:00:05,dst=50:54:00:00:00:07),eth_type(0x0800),ipv4(src=1.1.1.1,dst=2.2.2.2,proto=1,tos=0xff,ttl=128,frag=no),icmp(type=8,code=0)'], [0], [stdout]) - AT_CHECK([tail -2 stdout], [0], -- [Megaflow: recirc_id=0,skb_priority=0,eth,ip,in_port=9,nw_tos=252,nw_frag=no -+ [Megaflow: recirc_id=0,skb_priority=0,eth,icmp,in_port=9,nw_tos=252,nw_frag=no - Datapath actions: dnl - 100,dnl - set(ipv4(tos=0x4/0xfc)),set(skb_priority(0x1)),1,dnl -@@ -11703,7 +11703,7 @@ ovs-ofctl dump-flows br0 - - AT_CHECK([ovs-appctl ofproto/trace ovs-dummy 'in_port(1),eth(src=50:54:00:00:00:09,dst=50:54:00:00:00:0a),eth_type(0x0800),ipv4(src=10.10.10.2,dst=10.10.10.1,proto=1,tos=1,ttl=128,frag=no),icmp(type=8,code=0)'], [0], [stdout]) - AT_CHECK([tail -3 stdout], [0], [dnl --Megaflow: recirc_id=0,eth,ip,reg0=0/0x1,in_port=1,nw_src=10.10.10.2,nw_frag=no -+Megaflow: recirc_id=0,eth,icmp,reg0=0/0x1,in_port=1,nw_src=10.10.10.2,nw_frag=no - Datapath actions: drop - 
Translation failed (Recursion too deep), packet is dropped. - ]) -diff --git a/tests/ofproto.at b/tests/ofproto.at -index 39c3b047045..32bde5b5a28 100644 ---- a/tests/ofproto.at -+++ b/tests/ofproto.at -@@ -6448,3 +6448,185 @@ verify_deleted - - OVS_VSWITCHD_STOP(["/nw_dst,output=2 -+table=0 in_port=1 priority=83,ip,nw_dst=192.168.1.15,actions=set_field:192.168.21.26->nw_src,output=2 -+table=0 in_port=1 priority=82,ip,nw_dst=192.168.1.14,actions=set_field:0x40->nw_tos,output=2 -+table=0 in_port=1 priority=0,actions=drop -+]) -+AT_CHECK([ovs-ofctl del-flows br0]) -+AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) -+ -+dnl send a proto 0 packet to try and poison the DP flow path -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 \ -+ '5054000000075054000000050800450000548de140004000289fc0a801c4c0a8011408003bf60002001bbf080a640000000032ad010000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=0,frag=no), packets:0, bytes:0, used:never, actions:2 -+]) -+ -+dnl Send ICMP for mod nw_src and mod nw_dst -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.21,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.20,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will dec TTL -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.10,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will mod TTL -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.19,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will mod ECN -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.18,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will mod TOS -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.17,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will set DST -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.16,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will set SRC -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.15,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+dnl send ICMP that will set TOS -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.14,proto=1,tos=0,ttl=64,frag=no),icmp(type=8,code=0)']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.10,proto=1,ttl=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(ttl=63)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.14,proto=1,tos=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x40/0xfc)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.16,proto=1,frag=no), 
packets:0, bytes:0, used:never, actions:set(ipv4(dst=192.168.20.26)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.17,proto=1,tos=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x40/0xfc)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.18,proto=1,tos=0/0x3,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(tos=0x2/0x3)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.19,proto=1,ttl=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(ttl=8)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=0,frag=no), packets:0, bytes:0, used:never, actions:2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(dst=192.168.1.20,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(dst=192.168.20.20)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.15,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(src=192.168.21.26)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(src=192.168.1.1,dst=192.168.1.21,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv4(src=192.168.20.21)),2 -+]) -+ -+OVS_VSWITCHD_STOP -+AT_CLEANUP -+ -+AT_SETUP([ofproto - implicit mask of ipv6 proto with HOPOPT field]) -+OVS_VSWITCHD_START -+add_of_ports br0 1 2 -+ -+AT_DATA([flows.txt], [dnl -+table=0 in_port=1 priority=77,ip6,ipv6_dst=111:db8::3,actions=dec_ttl,output=2 -+table=0 in_port=1 priority=76,ip6,ipv6_dst=111:db8::4,actions=mod_nw_ttl:8,output=2 -+table=0 in_port=1 priority=75,ip6,ipv6_dst=111:db8::5,actions=mod_nw_ecn:2,output=2 -+table=0 in_port=1 priority=74,ip6,ipv6_dst=111:db8::6,actions=mod_nw_tos:0x40,output=2 -+table=0 in_port=1 priority=73,ip6,ipv6_dst=111:db8::7,actions=set_field:2112:db8::2->ipv6_dst,output=2 -+table=0 in_port=1 
priority=72,ip6,ipv6_dst=111:db8::8,actions=set_field:2112:db8::3->ipv6_src,output=2 -+table=0 in_port=1 priority=72,ip6,ipv6_dst=111:db8::9,actions=set_field:44->ipv6_label,output=2 -+table=0 in_port=1 priority=0,actions=drop -+]) -+AT_CHECK([ovs-ofctl del-flows br0]) -+AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) -+ -+dnl send a proto 0 packet to try and poison the DP flow path -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::3,proto=0,tclass=0,hlimit=64,frag=no)']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=0,hlimit=0,frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)) -+]) -+ -+dnl Send ICMP for mod nw_src and mod nw_dst -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::3,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::4,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+dnl send ICMP that will dec TTL -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::5,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+dnl send ICMP that will mod TTL -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::6,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+dnl send ICMP that will mod ECN 
-+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::7,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+dnl send ICMP that will mod TOS -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::8,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+dnl send ICMP that will set LABEL -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::9,proto=1,tclass=0,hlimit=64,frag=no),icmpv6(type=0,code=8)']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=0,hlimit=0,frag=no), packets:0, bytes:0, used:never, actions:userspace(pid=0,controller(reason=2,dont_send=0,continuation=0,recirc_id=1,rule_cookie=0,controller_id=0,max_len=65535)) -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::3,proto=1,hlimit=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(hlimit=63)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::4,proto=1,hlimit=64,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(hlimit=8)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::5,proto=1,tclass=0/0x3,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(tclass=0x2/0x3)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::6,proto=1,tclass=0/0xfc,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(tclass=0x40/0xfc)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::7,proto=1,frag=no), packets:0, bytes:0, used:never, 
actions:set(ipv6(dst=2112:db8::2)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(dst=111:db8::9,label=0,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(label=0x2c)),2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x86dd),ipv6(src=2001:db8::1,dst=111:db8::8,proto=1,frag=no), packets:0, bytes:0, used:never, actions:set(ipv6(src=2112:db8::3)),2 -+]) -+ -+OVS_VSWITCHD_STOP -+AT_CLEANUP -+ -+AT_SETUP([ofproto - implicit mask of ARP OPer field]) -+OVS_VSWITCHD_START -+add_of_ports br0 1 2 -+ -+AT_DATA([flows.txt], [dnl -+table=0 in_port=1 priority=77,arp,arp_sha=00:01:02:03:04:06,actions=set_field:0x1->arp_op,2 -+table=0 in_port=1 priority=76,arp,arp_sha=00:01:02:03:04:07,actions=set_field:00:02:03:04:05:06->arp_sha,2 -+table=0 in_port=1 priority=75,arp,arp_sha=00:01:02:03:04:08,actions=set_field:ff:00:00:00:00:ff->arp_tha,2 -+table=0 in_port=1 priority=74,arp,arp_sha=00:01:02:03:04:09,actions=set_field:172.31.110.26->arp_spa,2 -+table=0 in_port=1 priority=73,arp,arp_sha=00:01:02:03:04:0a,actions=set_field:172.31.110.10->arp_tpa,2 -+table=0 in_port=1 priority=1,actions=drop -+]) -+ -+AT_CHECK([ovs-ofctl del-flows br0]) -+AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) -+ -+dnl Send op == 0 packet -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 \ -+ 'ffffffffffffaa55aa550000080600010800060400000001020304070c0a00010000000000000c0a0002']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=0,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:2 -+]) -+ -+dnl Send op 2 -> set op -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=2,sha=00:01:02:03:04:06,tha=ff:ff:ff:ff:ff:ff)']) -+ -+dnl Send op 1 -> set SHA -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 
'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:07,tha=ff:ff:ff:ff:ff:ff)']) -+ -+dnl Send op 1 -> set THA -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:08,tha=ff:ff:ff:ff:ff:ff)']) -+ -+dnl Send op 1 -> set SIP -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:09,tha=ff:ff:ff:ff:ff:ff)']) -+ -+dnl Send op 1 -> set TIP -+AT_CHECK([ovs-appctl netdev-dummy/receive p1 'in_port(1),eth(src=50:54:00:00:00:0b,dst=50:54:00:00:00:0c),eth_type(0x0806),arp(sip=172.31.110.1,tip=172.31.110.25,op=1,sha=00:01:02:03:04:0a,tha=ff:ff:ff:ff:ff:ff)']) -+ -+AT_CHECK([ovs-appctl dpctl/dump-flows | sort], [0], [dnl -+flow-dump from the main thread: -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=0,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:2 -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=1,sha=00:01:02:03:04:07), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=1,sha=00:01:02:03:04:08,tha=ff:ff:ff:ff:ff:ff), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(op=2,sha=00:01:02:03:04:06), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(sip=172.31.110.1,op=1,sha=00:01:02:03:04:09), packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) -+recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth_type(0x0806),arp(tip=172.31.110.25,op=1,sha=00:01:02:03:04:0a), 
packets:0, bytes:0, used:never, actions:userspace(pid=0,slow_path(action)) -+]) -+ -+OVS_VSWITCHD_STOP -+AT_CLEANUP -diff --git a/tests/packet-type-aware.at b/tests/packet-type-aware.at -index 054dcc9ccf6..38d839e85ce 100644 ---- a/tests/packet-type-aware.at -+++ b/tests/packet-type-aware.at -@@ -1021,7 +1021,7 @@ AT_CHECK([ - ], [0], [flow-dump from the main thread: - recirc_id(0),in_port(p0),packet_type(ns=0,id=0),eth(src=aa:bb:cc:00:00:02,dst=aa:bb:cc:00:00:01),eth_type(0x0800),ipv4(dst=20.0.0.1,proto=47,frag=no), packets:3, bytes:378, used:0.0s, actions:tnl_pop(gre_sys) - tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0),in_port(gre_sys),packet_type(ns=1,id=0x8847),eth_type(0x8847),mpls(label=999/0x0,tc=0/0,ttl=64/0x0,bos=1/1), packets:3, bytes:264, used:0.0s, actions:push_eth(src=00:00:00:00:00:00,dst=00:00:00:00:00:00),pop_mpls(eth_type=0x800),recirc(0x1) --tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0x1),in_port(gre_sys),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(ttl=64,frag=no), packets:3, bytes:294, used:0.0s, actions:set(ipv4(ttl=63)),int-br -+tunnel(src=20.0.0.2,dst=20.0.0.1,flags(-df-csum)),recirc_id(0x1),in_port(gre_sys),packet_type(ns=0,id=0),eth_type(0x0800),ipv4(proto=1,ttl=64,frag=no), packets:3, bytes:294, used:0.0s, actions:set(ipv4(ttl=63)),int-br - ]) - - ovs-appctl time/warp 1000 diff --git a/backport-CVE-2023-3966.patch b/backport-CVE-2023-3966.patch new file mode 100644 index 0000000000000000000000000000000000000000..e45a3fb608b9e501ccb2cc7498f1fabb3d1d33b3 --- /dev/null +++ b/backport-CVE-2023-3966.patch 
@@ -0,0 +1,144 @@ +From 2cfbcd5247ed0fd941c1ebb9f4adb952b67fe13a Mon Sep 17 00:00:00 2001 +From: Timothy Redaelli +Date: Thu, 23 Nov 2023 19:47:54 +0100 +Subject: [PATCH] netdev-offload-tc: Check geneve metadata length. + +Currently ovs-vswitchd crashes, with hw offloading enabled, if a geneve +packet with corrupted metadata is received, because the metadata header +is not verified correctly. + +This commit adds a check for geneve metadata length and, if the header +is wrong, the packet is not sent to flower. + +It also includes a system-traffic test for geneve packets with corrupted +metadata. + +Fixes: a468645c6d33 ("lib/tc: add geneve with option match offload") +Reported-by: Haresh Khandelwal +Signed-off-by: Timothy Redaelli +Signed-off-by: Ilya Maximets +--- + lib/netdev-offload-tc.c | 25 ++++++++++++++++++++----- + tests/system-traffic.at | 33 +++++++++++++++++++++++++++++++++ + 2 files changed, 53 insertions(+), 5 deletions(-) + +diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c +index 164c7eef63e..921d5231777 100644 +--- a/lib/netdev-offload-tc.c ++++ b/lib/netdev-offload-tc.c +@@ -1785,12 +1785,12 @@ test_key_and_mask(struct match *match) + return 0; + } + +-static void ++static int + flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + struct flow_tnl *tnl_mask) + { + struct geneve_opt *opt, *opt_mask; +- int len, cnt = 0; ++ int tot_opt_len, len, cnt = 0; + + /* 'flower' always has an exact match on tunnel metadata length, so having + * it in a wrong format is not acceptable unless it is empty. 
*/ +@@ -1806,7 +1806,7 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + memset(&tnl_mask->metadata.present.map, 0, + sizeof tnl_mask->metadata.present.map); + } +- return; ++ return 0; + } + + tnl_mask->flags &= ~FLOW_TNL_F_UDPIF; +@@ -1820,7 +1820,7 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + sizeof tnl_mask->metadata.present.len); + + if (!tnl->metadata.present.len) { +- return; ++ return 0; + } + + memcpy(flower->key.tunnel.metadata.opts.gnv, tnl->metadata.opts.gnv, +@@ -1834,7 +1834,16 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + * also not masks, but actual lengths in the 'flower' structure. */ + len = flower->key.tunnel.metadata.present.len; + while (len) { ++ if (len < sizeof *opt) { ++ return EOPNOTSUPP; ++ } ++ + opt = &flower->key.tunnel.metadata.opts.gnv[cnt]; ++ tot_opt_len = sizeof *opt + opt->length * 4; ++ if (len < tot_opt_len) { ++ return EOPNOTSUPP; ++ } ++ + opt_mask = &flower->mask.tunnel.metadata.opts.gnv[cnt]; + + opt_mask->length = opt->length; +@@ -1842,6 +1851,8 @@ flower_match_to_tun_opt(struct tc_flower *flower, const struct flow_tnl *tnl, + cnt += sizeof(struct geneve_opt) / 4 + opt->length; + len -= sizeof(struct geneve_opt) + opt->length * 4; + } ++ ++ return 0; + } + + static void +@@ -2287,7 +2298,11 @@ netdev_tc_flow_put(struct netdev *netdev, struct match *match, + tnl_mask->flags &= ~(FLOW_TNL_F_DONT_FRAGMENT | FLOW_TNL_F_CSUM); + + if (!strcmp(netdev_get_type(netdev), "geneve")) { +- flower_match_to_tun_opt(&flower, tnl, tnl_mask); ++ err = flower_match_to_tun_opt(&flower, tnl, tnl_mask); ++ if (err) { ++ VLOG_WARN_RL(&warn_rl, "Unable to parse geneve options"); ++ return err; ++ } + } + flower.tunnel = true; + } else { +diff --git a/tests/system-traffic.at b/tests/system-traffic.at +index 418cd32..4c40580 100644 +--- a/tests/system-traffic.at ++++ b/tests/system-traffic.at +@@ -903,6 +903,39 @@ ovs-pcap p0.pcap + 
AT_CHECK([ovs-pcap p0.pcap | grep -Eq "^[[[:xdigit:]]]{24}86dd60000000003a1140fc000000000000000000000000000100fc000000000000000000000000000001[[[:xdigit:]]]{4}17c1003a[[[:xdigit:]]]{4}0000655800000000fffffffffffffa163e949d8008060001080006040001[[[:xdigit:]]]{12}0a0000f40000000000000a0000fe$"]) + AT_CLEANUP + ++AT_SETUP([datapath - handling of geneve corrupted metadata]) ++OVS_CHECK_TUNNEL_TSO() ++OVS_CHECK_GENEVE() ++ ++OVS_TRAFFIC_VSWITCHD_START( ++ [_ADD_BR([br-underlay]) -- \ ++ set bridge br0 other-config:hwaddr=f2:ff:00:00:00:01 -- \ ++ set bridge br-underlay other-config:hwaddr=f2:ff:00:00:00:02]) ++ ++AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"]) ++AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"]) ++ ++ADD_NAMESPACES(at_ns0) ++ ++dnl Set up underlay link from host into the namespace using veth pair. ++ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03) ++AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"]) ++AT_CHECK([ip link set dev br-underlay up]) ++ ++dnl Set up tunnel endpoints on OVS outside the namespace and with a native ++dnl linux device inside the namespace. 
++ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24]) ++ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24], ++ [vni 0], [address f2:ff:00:00:00:04]) ++ ++NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 03 08 00 45 00 00 52 00 01 00 00 40 11 1f f7 ac 1f 01 01 ac 1f 01 64 de c1 17 c1 00 3e 59 e9 01 00 65 58 00 00 00 00 00 03 00 02 f2 ff 00 00 00 01 f2 ff 00 00 00 04 08 00 45 00 00 1c 00 01 00 00 40 01 64 7a 0a 01 01 01 0a 01 01 64 08 00 f7 ff 00 00 00 00 > /dev/null]) ++ ++OVS_WAIT_UNTIL([grep -q 'Invalid Geneve tunnel metadata' ovs-vswitchd.log]) ++ ++OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while processing icmp,in_port=1,vlan_tci=0x0000,dl_src=f2:ff:00:00:00:04,dl_dst=f2:ff:00:00:00:01,nw_src=10.1.1.1,nw_dst=10.1.1.100,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=8,icmp_code=0/d ++/Unable to parse geneve options/d"]) ++AT_CLEANUP ++ + AT_SETUP([datapath - ping over gre tunnel by simulated packets]) + OVS_CHECK_TUNNEL_TSO() + OVS_CHECK_MIN_KERNEL(3, 10) diff --git a/fix-selinux-err.patch b/fix-selinux-err.patch index 7d2948e3ee49a0de2ba41e605f906f7b5c895057..e626c65aa384f0dc8650186273ce3cbb72466771 100644 --- a/fix-selinux-err.patch +++ b/fix-selinux-err.patch @@ -1,16 +1,97 @@ +From 5ab25718492e83565e4376577510a151541714ee Mon Sep 17 00:00:00 2001 +From: zhangpan +Date: Fri, 29 Mar 2024 15:26:06 +0800 +Subject: [PATCH] fix selinux err + +add openvswitch-ipsec.service policy + +--- + selinux/openvswitch-custom.te.in | 42 ++++++++++++++++++++++++++++---- + 1 file changed, 37 insertions(+), 5 deletions(-) + diff --git a/selinux/openvswitch-custom.te.in b/selinux/openvswitch-custom.te.in -index 9f51f604e..77b0bd98f 100644 +index 9f51f60..1b34147 100644 --- a/selinux/openvswitch-custom.te.in 
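Review bot: The new length checks in flower_match_to_tun_opt compare the signed `int len` and `tot_opt_len` against `sizeof *opt`, a size_t, so a negative `len` would be promoted to a large unsigned value and pass both `len < …` guards; whether that can occur depends on the type of `metadata.present.len`, which is not visible in this hunk, and even if it is an unsigned byte today the mixed-sign comparison is exactly what -Wsign-compare flags. Declaring the lengths unsigned removes the question, `unsigned int tot_opt_len, len;` with the later `len = flower->key.tunnel.metadata.present.len;` unchanged, or alternatively cast explicitly, `if (len < (int) sizeof *opt)` and `if (len < tot_opt_len)` with `int tot_opt_len` computed as `(int) sizeof *opt + opt->length * 4`. The `VLOG_WARN_RL` added in netdev_tc_flow_put says only that options could not be parsed; naming the interface, e.g. `VLOG_WARN_RL(&warn_rl, "%s: unable to parse geneve options, not offloading", netdev_get_name(netdev));` (assuming netdev_get_name() is available alongside the netdev_get_type() already used there), makes the rate-limited log actionable when a peer keeps sending malformed metadata. netdev_tc_flow_put starts and ends outside the hunk.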
+++ b/selinux/openvswitch-custom.te.in -@@ -15,6 +15,7 @@ require { +@@ -12,11 +12,22 @@ require { + type openvswitch_var_run_t; + + type bin_t; ++ type etc_t; type ifconfig_exec_t; ++ type ipsec_t; ++ type ipsec_conf_file_t; ++ type ipsec_exec_t; ++ type ipsec_key_file_t; ++ type ipsec_mgmt_exec_t; ++ type ipsec_mgmt_unit_file_t; ++ type ipsec_var_run_t; type init_t; type init_var_run_t; -+ type initrc_t; ++ type initrc_t; type insmod_exec_t; type kernel_t; ++ type ldconfig_exec_t; ++ type systemd_systemctl_exec_t; type hostname_exec_t; -@@ -118,6 +119,7 @@ allow openvswitch_t openvswitch_load_module_t:process transition; + type modules_conf_t; + type modules_dep_t; +@@ -45,7 +56,7 @@ require { + class chr_file { write getattr read open ioctl map }; + class dir { write remove_name add_name lock read getattr search open }; + class fd { use }; +- class file { map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl }; ++ class file { setattr map write getattr read open execute execute_no_trans create unlink map entrypoint lock ioctl }; + class fifo_file { getattr read write append ioctl lock open }; + class filesystem getattr; + class lnk_file { read open }; +@@ -55,11 +66,12 @@ require { + class netlink_rdma_socket { setopt bind create }; + @end_dpdk@ + class netlink_socket { setopt getopt create connect getattr write read }; +- class sock_file { write }; ++ class sock_file { read write }; + class system { module_load module_request }; + class process { sigchld signull transition noatsecure siginh rlimitinh }; + class unix_stream_socket { write getattr read connectto connect setopt getopt sendto accept bind recvfrom acceptfrom ioctl }; + ++ class service { start status }; + @begin_dpdk@ + class sock_file { read append getattr open }; + class tun_socket { relabelfrom relabelto create }; +@@ -78,9 +90,28 @@ domain_entry_file(openvswitch_load_module_t, openvswitch_load_module_exec_t); + domtrans_pattern(openvswitch_t, 
openvswitch_load_module_exec_t, openvswitch_load_module_t); + + #============= openvswitch_t ============== +-allow openvswitch_t self:capability { dac_override audit_write net_broadcast net_raw }; +-allow openvswitch_t self:netlink_audit_socket { create nlmsg_relay audit_write read write }; +-allow openvswitch_t self:netlink_netfilter_socket { create nlmsg_relay audit_write read write }; ++allow openvswitch_t etc_t:dir { write }; ++allow openvswitch_t ifconfig_exec_t:file map; ++allow openvswitch_t init_t:file { getattr open read }; ++allow openvswitch_t init_t:lnk_file read; ++allow openvswitch_t init_t:unix_stream_socket connectto; ++allow openvswitch_t ipsec_t:unix_stream_socket connectto; ++allow openvswitch_t ipsec_conf_file_t:file { getattr ioctl open read write }; ++allow openvswitch_t ipsec_exec_t:file { execute execute_no_trans map open read }; ++allow openvswitch_t ipsec_key_file_t:dir { search add_name remove_name write }; ++allow openvswitch_t ipsec_key_file_t:file { create getattr setattr ioctl lock open read write unlink }; ++allow openvswitch_t ipsec_mgmt_exec_t:file { execute execute_no_trans getattr ioctl open read }; ++allow openvswitch_t ipsec_mgmt_unit_file_t:service { start status }; ++allow openvswitch_t ipsec_var_run_t:sock_file { read write }; ++allow openvswitch_t ldconfig_exec_t:file execute; ++allow openvswitch_t ldconfig_exec_t:file map; ++allow openvswitch_t ldconfig_exec_t:file { execute execute_no_trans open read }; ++allow openvswitch_t systemd_systemctl_exec_t:file map; ++allow openvswitch_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr open read }; ++ ++allow openvswitch_t self:capability { dac_override net_broadcast net_raw }; ++allow openvswitch_t self:netlink_audit_socket { create read write }; ++allow openvswitch_t self:netlink_netfilter_socket { create read write }; + @begin_dpdk@ + allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; + @end_dpdk@ +@@ -118,6 +149,7 @@ allow openvswitch_t 
openvswitch_load_module_t:process transition; allow openvswitch_load_module_t bin_t:file { execute execute_no_trans map }; allow openvswitch_load_module_t init_t:unix_stream_socket { getattr ioctl read write }; allow openvswitch_load_module_t init_var_run_t:dir { getattr read open search }; @@ -18,3 +99,6 @@ index 9f51f604e..77b0bd98f 100644 allow openvswitch_load_module_t insmod_exec_t:file { execute execute_no_trans getattr map open read }; allow openvswitch_load_module_t kernel_t:system module_request; allow openvswitch_load_module_t modules_conf_t:dir { getattr open read search }; +-- +2.27.0 + diff --git a/fix-the-problem-that-openvswitch-ipsec.service-causes-ipsec.service-to-fail-to-start.patch b/fix-the-problem-that-openvswitch-ipsec.service-causes-ipsec.service-to-fail-to-start.patch new file mode 100644 index 0000000000000000000000000000000000000000..8d272a32957189fcc4b96ea523264181cabd0f86 --- /dev/null +++ b/fix-the-problem-that-openvswitch-ipsec.service-causes-ipsec.service-to-fail-to-start.patch @@ -0,0 +1,24 @@ +From 5e2e60e2f05195f506ea68fe17e72a2a6fe4bdbe Mon Sep 17 00:00:00 2001 +From: zhangpan +Date: Fri, 29 Mar 2024 15:26:47 +0800 +Subject: [PATCH] Fix the problem that openvswitch-ipsec.service causes ipsec.service to fail to start + +--- + ipsec/ovs-monitor-ipsec.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ipsec/ovs-monitor-ipsec.in b/ipsec/ovs-monitor-ipsec.in +index 7945162..c4f48e9 100755 +--- a/ipsec/ovs-monitor-ipsec.in ++++ b/ipsec/ovs-monitor-ipsec.in +@@ -389,6 +389,7 @@ class LibreSwanHelper(object): + """This class does LibreSwan specific configurations.""" + CONF_HEADER = """%s + config setup ++ nssdir=/etc/ipsec.d + uniqueids=yes + + conn %%default +-- +2.27.0 + 
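Review bot: `allow openvswitch_t etc_t:dir { write };` grants the daemon write access to every directory labelled etc_t, far wider than the IPsec material the rest of the new rules target; since the same hunk already names `ipsec_conf_file_t`, `ipsec_key_file_t` and `ipsec_var_run_t`, a write that is only needed to create files under an IPsec directory should be expressed against that type (with `add_name`/`remove_name` as done for `ipsec_key_file_t:dir`), with a comment naming the path that needs it. The `execute_no_trans` permissions on `ipsec_exec_t`, `ipsec_mgmt_exec_t` and `systemd_systemctl_exec_t` run those binaries inside openvswitch_t rather than transitioning, which is why the domain now also needs the key-file and `service { start status }` rules; if a transition to ipsec_t is available for the pluto/ipsec helpers it would keep those rules out of openvswitch_t. On style, `ldconfig_exec_t:file` is spread over three `allow` rules and `systemd_systemctl_exec_t:file` over two, where a single `allow openvswitch_t ldconfig_exec_t:file { execute execute_no_trans map open read };` per type would do. The inner patch's `require { … }` block begins before this hunk.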
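Review bot: The added `nssdir=/etc/ipsec.d` line pins an absolute, distribution-specific path into the LibreSwan `CONF_HEADER` template with no comment, and the commit message states only the symptom (ipsec.service failing to start), not why this directory resolves it. A Python comment above `CONF_HEADER`, e.g. `# nssdir is set explicitly so ovs-monitor-ipsec and the system ipsec.service agree on the NSS database location; see <bug reference>`, would capture the rationale — assuming a shared NSS database is the mechanism, which the hunk itself does not show. The `LibreSwanHelper` class and the `CONF_HEADER` string both continue outside the hunk.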
diff --git a/openvswitch-2.17.5.tar.gz b/openvswitch-3.2.1.tar.gz similarity index 50% rename from openvswitch-2.17.5.tar.gz rename to openvswitch-3.2.1.tar.gz index bebe967830130ae36a7b794be89ee5fa6c133c63..531ba92d56ed0a775e3617fc82de00078396e742 100644 Binary files a/openvswitch-2.17.5.tar.gz and b/openvswitch-3.2.1.tar.gz differ diff --git a/openvswitch.spec b/openvswitch.spec index c3d2967c2ac187cfa51fbccc6ef2a62bb4f4134d..bc7a0fa4abc25adad57d957a5ccd3b2fa404ce75 100644 --- a/openvswitch.spec +++ b/openvswitch.spec @@ -12,8 +12,8 @@ Name: openvswitch Summary: Open vSwitch daemon/database/utilities URL: https://www.openvswitch.org/ -Version: 2.17.5 -Release: 4 +Version: 3.2.1 +Release: 1 License: ASL 2.0 and LGPLv2+ and SISSL Source0: https://www.openvswitch.org/releases/%{name}-%{version}.tar.gz @@ -21,7 +21,9 @@ Source0: https://www.openvswitch.org/releases/%{name}-%{version}.tar.gz Patch0000: 0000-openvswitch-add-stack-protector-strong.patch Patch0002: 0002-Remove-unsupported-permission-names.patch Patch0003: fix-selinux-err.patch -Patch6000: backport-CVE-2023-1668.patch +Patch0004: fix-the-problem-that-openvswitch-ipsec.service-causes-ipsec.service-to-fail-to-start.patch + +Patch6000: backport-CVE-2023-3966.patch BuildRequires: gcc gcc-c++ make BuildRequires: autoconf automake libtool @@ -30,9 +32,11 @@ BuildRequires: python3-devel python3-six python3-setuptools BuildRequires: python3-sphinx BuildRequires: desktop-file-utils BuildRequires: groff-base graphviz -BuildRequires: unbound-devel +BuildRequires: unbound-devel groff # make check dependencies BuildRequires: procps-ng +BuildRequires: checkpolicy selinux-policy-devel +BuildRequires: chrpath %if %{with check_datapath_kernel} BuildRequires: nmap-ncat @@ -47,6 +51,7 @@ BuildRequires: dpdk-devel libpcap-devel numactl-devel %endif Requires: openssl iproute module-init-tools +Requires: selinux-policy-targeted Requires(post): /bin/sed Requires(post): %{_sbindir}/update-alternatives 
@@ -144,6 +149,9 @@ ln -s ../configure --enable-ssl \ --with-pkidir=%{_sharedstatedir}/openvswitch/pki make %{?_smp_mflags} +sed -i "s#selinux/openvswitch-custom.te selinux/openvswitch-custom.fc#../selinux/openvswitch-custom.te ../selinux/openvswitch-custom.fc#g" Makefile +sed -i "s#-C selinux/ -f#-C ../selinux/ -f#g" Makefile +make selinux-policy popd %if %{with dpdk} pushd build-dpdk @@ -186,6 +194,9 @@ install -d -m 0755 $RPM_BUILD_ROOT/run/openvswitch install -d -m 0750 $RPM_BUILD_ROOT%{_localstatedir}/log/openvswitch install -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch +install -p -m 644 -D selinux/openvswitch-custom.pp \ + $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp + install -p -D -m 0644 rhel/usr_lib_udev_rules.d_91-vfio.rules \ $RPM_BUILD_ROOT%{_udevrulesdir}/91-vfio.rules @@ -243,6 +254,9 @@ install -p -D -m 0755 \ rhel/usr_share_openvswitch_scripts_ovs-systemd-reload \ $RPM_BUILD_ROOT%{_datadir}/openvswitch/scripts/ovs-systemd-reload +chrpath -d $RPM_BUILD_ROOT%{_sbindir}/ovs-vswitchd.dpdk +chrpath -d $RPM_BUILD_ROOT%{_libdir}/openvswitch-dpdk/libofproto*.so.* + touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/conf.db touch $RPM_BUILD_ROOT%{_sysconfdir}/openvswitch/system-id.conf @@ -289,6 +303,9 @@ pushd $dir %endif popd done + +%pre +%selinux_relabel_pre -s targeted %preun %if 0%{?systemd_preun:1} @@ -310,6 +327,7 @@ done /bin/systemctl daemon-reload >dev/null || : fi %endif +%selinux_modules_install -s targeted /usr/share/selinux/packages/%{name}/openvswitch-custom.pp %postun %if 0%{?systemd_postun:1} 
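Review bot: The two `sed -i` lines rewrite the generated Makefile so that `make selinux-policy` finds the policy sources under `../selinux/` from the out-of-tree build directory, but nothing checks that the patterns matched; if the upstream rule text changes in a later tarball, sed silently changes nothing and the problem surfaces only at `make selinux-policy` or as a missing `openvswitch-custom.pp` in `%install`. A guard after the seds, `grep -q -- '-C ../selinux/ -f' Makefile || exit 1`, would fail at the point of the assumption instead. Whether the build system could take these paths as make variables rather than being patched is not visible here.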
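Review bot: `chrpath -d $RPM_BUILD_ROOT%{_sbindir}/ovs-vswitchd.dpdk` and the `%{_libdir}/openvswitch-dpdk/libofproto*.so.*` line reference files that only exist in a DPDK-enabled build, yet nothing in the hunk conditions them on `%{with dpdk}` the way the `pushd build-dpdk` stretch elsewhere in this spec is; on a non-DPDK build chrpath fails on the missing path and aborts `%install`. Unless this stretch already sits inside a `%if %{with dpdk}` block that opens above the hunk, wrap the two lines in `%if %{with dpdk}` … `%endif`.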
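Review bot: `%selinux_modules_install -s targeted /usr/share/selinux/packages/%{name}/openvswitch-custom.pp` hard-codes `/usr/share`, while the `%install` and `%files` hunks of this same change address the module as `%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp`; use the macro here too so the three stay in step: `%selinux_modules_install -s targeted %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp`. The `%post` scriptlet this line lands in begins above the hunk.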
@@ -318,9 +336,16 @@ done /bin/systemctl daemon-reload >/dev/null 2>&1 || : %endif +if [ $1 -eq 0 ] ; then + %selinux_modules_uninstall -s targeted openvswitch-custom +fi + +%posttrans +%selinux_relabel_post -s targeted + %if %{with dpdk} %post dpdk -if fgrep -qw sse4_1 /proc/cpuinfo; then +if grep -Fqw sse4_1 /proc/cpuinfo; then priority=20 else echo "Warning: the CPU doesn't support SSE 4.1, dpdk support is not enabled." >&2 @@ -353,6 +378,7 @@ fi %{_bindir}/ovs-test %{_bindir}/ovs-vlan-test %{_bindir}/ovs-l3ping +%{_datadir}/openvswitch/scripts/usdt/* %{python3_sitelib}/ovstest %files testcontroller @@ -420,11 +446,15 @@ fi %doc LICENSE NOTICE README.rst NEWS rhel/README.RHEL.rst /var/lib/openvswitch /var/log/openvswitch +%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp %ghost %attr(755,root,root) %verify(not owner group) /run/openvswitch %{_sysconfdir}/sysconfig/network-scripts/ifup-ovs %{_sysconfdir}/sysconfig/network-scripts/ifdown-ovs %changelog +* Mon Oct 21 2024 tzing_t - 3.2.1-1 +- Upgrade to version + * Thu Jun 15 2023 wangxiyuan - 2.17.5-4 - Clean up openvswitch group and user
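Review bot: The new `%changelog` entry `- Upgrade to version` does not say which version, and it is silent about the other user-visible changes in this revision: the custom SELinux policy module now installed under `%{_datadir}/selinux/packages/%{name}` and the replacement of `backport-CVE-2023-1668.patch` by `backport-CVE-2023-3966.patch`. Entries such as `- Upgrade to version 3.2.1`, `- Package and install the openvswitch-custom SELinux policy module` and `- Drop backport-CVE-2023-1668.patch (presumably included upstream); add backport-CVE-2023-3966.patch` would let a reader of `rpm -q --changelog` see what moved.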