From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Daniel P. Berrange"
Subject: Re: PATCH: Actually make /local/domain/$DOMID readonly to the guest
Date: Thu, 18 Dec 2008 17:49:51 +0000
Message-ID: <20081218174951.GZ23277@redhat.com>
References: <20081218155306.GV23277@redhat.com>
Reply-To: "Daniel P. Berrange"
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: Keir Fraser
Cc: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

On Thu, Dec 18, 2008 at 05:21:10PM +0000, Keir Fraser wrote:
> On 18/12/2008 15:53, "Daniel P. Berrange" wrote:
>
> > Explicitly give Dom0 permissions on the /local/domain/$DOMID so it
> > becomes the owner of the path. The guest is then granted read perm
> > on the path.
>
> Thanks Daniel, that's a nasty one!
>
> However there are other places in xend that commit the same error, and this
> interface weakness would doubtless bite us again in future. Hence the patch
> I actually committed (c/s 18933) actually takes a different strategy: in the
> bowels of the xend xenstore C package I check to see if the caller is trying to
> change permissions of the node owner, and if so I fudge in dom0 as the owner
> instead. A bit grim, but I think probably a safer bet in this instance.

I think that looks correct to me. The easy way to test is to try and
write to '/local/domain/$DOMID/console/tty' from within the guest and
see if it succeeds or not.

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
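The ownership problem discussed in this thread, as an added example that is not part of the original messages and is not xend or xenstored code: a simplified Python model of xenstore ACL evaluation showing why listing the guest first with `r` still leaves the node writable by the guest. The domid `5`, the default `n` for unlisted domains, and the exact condition in `fudge_owner` are assumptions made for illustration; the committed C change may differ in detail.

```python
# Added example: a simplified model of xenstore ACL evaluation, not xend code.
# Assumed semantics (xenstore docs): acl[0] names the owner and gives the
# default access for unlisted domains; the owner and dom0 always get
# read/write, so the letter attached to the owner never restricts the owner.
DOM0 = 0
GRANTS = {"n": set(), "r": {"read"}, "w": {"write"}, "b": {"read", "write"}}

def allowed(acl, domid, op):
    """acl: list of (domid, perm) tuples; op: 'read' or 'write'."""
    owner, default = acl[0]
    if domid in (DOM0, owner):
        return True                      # owner's own letter is ignored
    for dom, perm in acl[1:]:
        if dom == domid:
            return op in GRANTS[perm]
    return op in GRANTS[default]

def fudge_owner(requested):
    """Sketch of the strategy described for c/s 18933 (details assumed):
    if the first entry tries to restrict a non-dom0 domain, that domain
    cannot be the owner, so dom0 is put in as owner with default 'n'."""
    dom, perm = requested[0]
    if dom != DOM0 and perm != "b":
        return [(DOM0, "n")] + list(requested)
    return list(requested)

GUEST = 5                                # constructed domid
buggy = [(GUEST, "r")]                   # intent: read-only for the guest
explicit = [(DOM0, "n"), (GUEST, "r")]   # dom0 listed first as owner
fudged = fudge_owner(buggy)              # same caller input, owner corrected

if __name__ == "__main__":
    for name, acl in (("buggy", buggy), ("explicit", explicit),
                      ("fudged", fudged)):
        print(name, acl,
              "guest read:", allowed(acl, GUEST, "read"),
              "guest write:", allowed(acl, GUEST, "write"))
```

On a real host the equivalent check is the one Daniel describes: attempt the write to `/local/domain/$DOMID/console/tty` from inside the guest and confirm it is refused.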