From: Marek Marczykowski <marmarek@invisiblethingslab.com>
To: Ian Campbell <Ian.Campbell@citrix.com>
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>
Subject: Re: [PATCH 1/2] libxl: do not assume Dom0 backend while listing disks and nics
Date: Wed, 08 May 2013 01:13:28 +0200 [thread overview]
Message-ID: <51898A98.4070001@invisiblethingslab.com> (raw)
In-Reply-To: <1367408595.3142.711.camel@zakaz.uk.xensource.com>
[-- Attachment #1.1: Type: text/plain, Size: 2091 bytes --]
On 01.05.2013 13:43, Ian Campbell wrote:
> On Wed, 2013-05-01 at 11:29 +0100, Ian Jackson wrote:
>> Marek Marczykowski writes ("[PATCH 1/2] libxl: do not assume Dom0 backend while listing disks and nics"):
>>> One more place where code assumed that all backends are in dom0. List
>>> devices in domain device/ tree, instead of backend/ of dom0.
>>> Additionally fix libxl_devid_to_device_{nic,disk} to fill backend_domid
>>> properly.
>>
>> After this change, can a guest cause a backend to be leaked when the
>> domain is destroyed ? If it deletes the contents of the frontend
>> directory in xenstore, I think the device will no longer show up in
>> the lists and so won't be deleted when the guest goes away.
>
> I would have hoped that XS perms on key nodes, like the backend link
> would prevent this, but since the actual frontend directory is guest
> writeable I rather expect we can't make this so.
>
>> Would iterating over all domains looking for backends for a particular
>> frontend domain work ? That would allow a rogue guest to cause
>> entries to appear in the list of course, by pretending to be a
>> backend domain...
>
> Or should libxl keep a shadow list of devices for the domain in its
> private xs directory?
IMHO listing frontend "device/$TYPE" entries is sufficient compromise.
Downsides:
1. rogue frontend domain will be able to make leak backend xenstore entries
Upsides:
1. all devices will be listed/cleaned up on destroy, not only those
dom0-backed (assuming no downside "1" occurred)
2. will not introduce additional complexity (either scanning all backends, or
keeping *in sync* additional shadow copy of devices)
The current state (without this patch) will always miss all non-dom0 backed
devices, not only in case of rogue domain. Additionally IMHO possible leak
(downside 1) is bearable b/c backend driver watches frontend "state" entry and
if it disappear - will clean up the device. So the leak is only xenstore
entries, not any real device.
--
Best Regards,
Marek Marczykowski
Invisible Things Lab
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 555 bytes --]
[-- Attachment #2: Type: text/plain, Size: 126 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2013-05-07 23:13 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-28 1:46 [PATCH 0/2] Two unrelated fixes to libxl Marek Marczykowski
2013-04-27 23:12 ` [PATCH 1/2] libxl: do not assume Dom0 backend while listing disks and nics Marek Marczykowski
2013-04-29 8:48 ` Ian Campbell
2013-05-07 23:56 ` Marek Marczykowski
2013-05-08 9:27 ` Ian Campbell
2013-04-29 8:56 ` Roger Pau Monné
2013-05-01 10:29 ` Ian Jackson
2013-05-01 11:43 ` Ian Campbell
2013-05-07 23:13 ` Marek Marczykowski [this message]
2013-05-01 20:52 ` Marek Marczykowski
2013-05-02 8:30 ` Ian Campbell
2013-04-27 23:17 ` [PATCH 2/2] libxl: fix spelling of "backend-id" for vtpm Marek Marczykowski
2013-04-29 8:40 ` Ian Campbell
2013-04-29 13:26 ` Daniel De Graaf
2013-04-29 13:51 ` Ian Campbell
2013-04-30 10:58 ` Ian Campbell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51898A98.4070001@invisiblethingslab.com \
--to=marmarek@invisiblethingslab.com \
--cc=Ian.Campbell@citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.