From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: Juergen Gross <jgross@suse.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>,
Wei Liu <wei.liu2@citrix.com>,
"George.Dunlap@eu.citrix.com" <George.Dunlap@eu.citrix.com>,
Ian Jackson <ian.jackson@eu.citrix.com>,
Jennifer Herbert <Jennifer.Herbert@citrix.com>,
Tim Deegan <tim@xen.org>, Jan Beulich <JBeulich@suse.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: Xenstore domains and XS_RESTRICT
Date: Wed, 7 Dec 2016 09:15:33 -0500 [thread overview]
Message-ID: <20161207141533.GA22961@x230.dumpdata.com> (raw)
In-Reply-To: <8537f8bf-2e57-11da-468d-bbc363027134@suse.com>
On Wed, Dec 07, 2016 at 08:44:31AM +0100, Juergen Gross wrote:
> Hi,
>
> today the XS_RESTRICT wire command of Xenstore is supported by
> oxenstored only to drop the privilege of a connection to that of the
> domid given as a parameter to the command.
>
> Using this mechanism with Xenstore running in a stubdom will lead to
> problems as instead of only a dom0 process dropping its privileges
> the privileges of dom0 will be dropped (all dom0 Xenstore requests
> share the same connection).
.. which means we can't create new XenStore entries or save
off all the XenStore entries?
>
> In order to solve the problem I suggest the following change to the
> Xenstore wire protocol:
>
> struct xsd_sockmsg
> {
> - uint32_t type; /* XS_??? */
> + uint16_t type; /* XS_??? */
> + uint16_t domid; /* Use privileges of this domain */
> uint32_t req_id;/* Request identifier, echoed in daemon's response. */
> uint32_t tx_id; /* Transaction id (0 if not related to a
> transaction). */
> uint32_t len; /* Length of data following this. */
>
> /* Generally followed by nul-terminated string(s). */
> };
>
> domid will normally be zero having the same effect as today.
>
> Using XS_RESTRICT via a socket connection will run as today by dropping
> the privileges of that connection.
>
> Using XS_RESTRICT via the kernel (Xenstore domain case) will save the
Xenstore domain case? As in Linux kernel running the XenStore as
an stubdomain?
No, that can't be it. I think you mean that the kernel will have
an priviligied connection all the time?
> domid given as parameter in the connection specific private kernel
> structure. All future Xenstore commands of the connection will have
> this domid set in xsd_sockmsg. The kernel will never forward the
> XS_RESTRICT command to Xenstore.
>
> A domid other than 0 in xsd_sockmsg will be handled by Xenstore to use
> the privileges of that domain. Specifying a domid in xsd_sockmsg is
> allowed for privileged domain only, of course. XS_RESTRICT via a
> non-socket connection will be rejected in all cases.
Um, but couldn't a malicious guest decide to craft such packet?
>
> The needed modifications for Xenstore and the kernel are rather small.
> As there is currently no Xenstore domain available supporting
> XS_RESTRICT there are no compatibility issues to expect.
>
> Thoughts?
I think I need to wrap my head about your use-case? Could you enumerate
what it is?
Thanks.
>
>
> Juergen
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2016-12-07 14:15 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-07 7:44 Xenstore domains and XS_RESTRICT Juergen Gross
2016-12-07 14:15 ` Konrad Rzeszutek Wilk [this message]
2016-12-07 14:26 ` Juergen Gross
2016-12-07 15:40 ` Konrad Rzeszutek Wilk
2016-12-07 15:55 ` Juergen Gross
2016-12-07 17:00 ` Ian Jackson
2016-12-08 7:11 ` Juergen Gross
2016-12-07 17:10 ` Ian Jackson
2016-12-08 7:55 ` Juergen Gross
2017-01-02 6:04 ` Juergen Gross
2017-01-04 14:59 ` Wei Liu
2017-01-04 15:05 ` Juergen Gross
2017-01-04 15:21 ` Wei Liu
2017-01-05 7:20 ` Juergen Gross
2017-01-04 16:54 ` Ian Jackson
2017-01-05 6:56 ` Juergen Gross
2017-01-16 16:47 ` Juergen Gross
2017-01-18 11:03 ` Wei Liu
2017-01-18 11:21 ` Juergen Gross
2017-01-18 11:39 ` Wei Liu
2017-01-18 12:08 ` Juergen Gross
2017-01-18 12:37 ` Andrew Cooper
2017-01-18 12:39 ` George Dunlap
2017-01-18 12:42 ` Juergen Gross
2017-01-18 12:44 ` Wei Liu
2017-01-18 18:26 ` Stefano Stabellini
2017-01-18 18:31 ` Juergen Gross
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161207141533.GA22961@x230.dumpdata.com \
--to=konrad.wilk@oracle.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=Jennifer.Herbert@citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=jgross@suse.com \
--cc=sstabellini@kernel.org \
--cc=tim@xen.org \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.