From: Marek Marczykowski
Subject: Re: [PATCH 1/2] libxl: do not assume Dom0 backend while listing disks and nics
Date: Wed, 01 May 2013 22:52:09 +0200
Message-ID: <51818079.6060601@invisiblethingslab.com>
In-Reply-To: <20864.61051.771893.780433@mariner.uk.xensource.com>
To: Ian Jackson
Cc: Ian Campbell, "xen-devel@lists.xen.org"
List-Id: xen-devel@lists.xenproject.org

On 01.05.2013 12:29, Ian Jackson wrote:
> Marek Marczykowski writes ("[PATCH 1/2] libxl: do not assume Dom0 backend while listing disks and nics"):
>> One more place where code assumed that all backends are in dom0. List
>> devices in domain device/ tree, instead of backend/ of dom0.
>> Additionally fix libxl_devid_to_device_{nic,disk} to fill backend_domid
>> properly.
>
> After this change, can a guest cause a backend to be leaked when the
> domain is destroyed ? If it deletes the contents of the frontend
> directory in xenstore, I think the device will no longer show up in
> the lists and so won't be deleted when the guest goes away.

Which is currently the problem for every non-dom0 backend, even without
malicious domain action.
Currently I have some Python script which watches xenstore and removes leftover
backends...

> Would iterating over all domains looking for backends for a particular
> frontend domain work ? That would allow a rogue guest to cause
> entries to appear in the list of course, by pretending to be a
> backend domain...

Perhaps the frontend domain shouldn't have permissions to remove the device
directory, only modify some of the entries, like state, feature-* etc. Does
xenstore support something like:
1. allow creating new entries and modifying some existing ones
2. disallow modifying and/or removing some entries
in the same directory?

-- 
Best Regards / Pozdrawiam,
Marek Marczykowski
Invisible Things Lab
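
The two listing strategies discussed in this thread, compared on a small model. This is an added example, not part of the e-mail and not libxl code: the xenstore snapshot is constructed, and `trusted_backends` (the set of domids the toolstack itself designated as driver domains) is a hypothetical parameter.

```python
# Constructed xenstore snapshot (path -> value); not taken from a real host.
SNAPSHOT = {
    # vif 0 of domain 5, backend in driver domain 3, both sides present
    "/local/domain/5/device/vif/0/backend-id": "3",
    "/local/domain/3/backend/vif/5/0/frontend": "/local/domain/5/device/vif/0",
    # vbd 51712 of domain 5: the guest removed its frontend directory
    "/local/domain/3/backend/vbd/5/51712/frontend": "/local/domain/5/device/vbd/51712",
    # domain 7 is not a driver domain but wrote a backend-style entry for domain 5
    "/local/domain/7/backend/vif/5/9/frontend": "/local/domain/5/device/vif/9",
}

def list_from_frontend(snap, domid):
    """Walk /local/domain/<domid>/device/, as the patch under review does."""
    found = set()
    prefix = f"/local/domain/{domid}/device/"
    for path, value in snap.items():
        if path.startswith(prefix) and path.endswith("/backend-id"):
            kind, devid = path[len(prefix):].split("/")[:2]
            found.add((int(value), kind, int(devid)))
    return found  # set of (backend_domid, kind, devid)

def list_from_backends(snap, domid):
    """Scan every domain's backend/ tree for entries naming this frontend."""
    found = set()
    for path in snap:
        parts = path.strip("/").split("/")
        # local/domain/<be>/backend/<kind>/<fe>/<devid>/frontend
        if (len(parts) == 8 and parts[3] == "backend"
                and parts[7] == "frontend" and parts[5] == str(domid)):
            found.add((int(parts[2]), parts[4], int(parts[6])))
    return found

def compare(snap, domid, trusted_backends):
    """Return (leaked, untrusted): backends the frontend walk misses, and
    backend entries published by domains outside trusted_backends."""
    fe = list_from_frontend(snap, domid)
    be = list_from_backends(snap, domid)
    leaked = {d for d in be - fe if d[0] in trusted_backends}
    untrusted = {d for d in be if d[0] not in trusted_backends}
    return leaked, untrusted

if __name__ == "__main__":
    print(compare(SNAPSHOT, 5, trusted_backends={3}))
```

The frontend walk misses the vbd whose frontend directory was removed, while the backend scan finds it but also reports the entry written by domain 7, which is why the scan needs some notion of which backend domains to believe.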