From: "Mike D. Day"
Subject: Re: [PATCH][ACM] kernel enforcement of vbd policies via blkback driver
Date: Wed, 26 Jul 2006 09:25:50 -0400
Message-ID: <44C76D5E.2040606@us.ibm.com>
References: <2cc990ff2952dde0f8d12469f9417168@cl.cam.ac.uk>
In-Reply-To: <2cc990ff2952dde0f8d12469f9417168@cl.cam.ac.uk>
To: Keir Fraser
Cc: xen-devel@lists.xensource.com, Bryan D Payne, Reiner Sailer
List-Id: xen-devel@lists.xenproject.org

Keir Fraser wrote:
>
> The tools hook is not just a usability/conformity check. The check
> ensures that the tools will not set up entries in xenstore that would
> allow blkback to create a non-conformant vbd. So there is no way for a
> guest to trick blkback into creating a non-conformant vbd: it can only
> connect to vbds specified in its config file or added later via the
> vbd-add xm hotplug command. The tools stack should perform its compliance
> checks on both 'xm create' and 'xm vbd-add', and that should be sufficient.

Yes, but that relies on the tools being correct and invulnerable to
attacks like buffer overflow. Further, it does not disallow an
alternative tool from bypassing or corrupting the conformance and
authorization policy. Any program with the ability to open a socket to
xenstore can open the way.

Allowing the checks within the hypervisor is much safer against these
types of attacks or errors.

Mike