use privsep for IPVPN linuxbridge dataplane driver
Bug #1719592 reported by
Thomas Morin
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| BaGPipe |
Confirmed
|
Medium
|
Unassigned | ||
Bug Description
The "linuxbridge" implementation for IPVPN uses pyroute2 to make netlink exchanges with the kernel.
This requires bagpipe-bgp to be run with CAP_NET_ADMIN privileges, which are there of course by default if bagpipe-bgp is run as root.
For improved security, we want bagpipe-bgp to start as root but drop all privileges, and keep only CAP_NET_ADMIN for pyroute2 calls.
For this purpose we want to reuse oslo.privsep , neutron code is a good place to take inspiration from.
| Changed in networking-bagpipe: | |
| importance: | Undecided → Medium |
To post a comment you must log in.
