From: "Roger Pau Monné" <roger.pau@citrix.com>
To: Ian Campbell <Ian.Campbell@citrix.com>
Cc: xen-devel@lists.xenproject.org, Ian Jackson <Ian.Jackson@eu.citrix.com>
Subject: Re: [PATCH 1/2] libxl: correctly list disks served by driver domains in block-list
Date: Tue, 10 Sep 2013 15:55:32 +0200 [thread overview]
Message-ID: <522F24D4.5010306@citrix.com> (raw)
In-Reply-To: <1378817692.21748.114.camel@kazak.uk.xensource.com>
On 10/09/13 14:54, Ian Campbell wrote:
> On Tue, 2013-09-10 at 14:06 +0200, Roger Pau Monné wrote:
>> On 10/09/13 12:11, Ian Campbell wrote:
>>> On Fri, 2013-09-06 at 12:36 +0200, Roger Pau Monne wrote:
>>>> The block-list command was not able to lists disks with backends
>>>> running on domains different than Dom0, because it was only looking on
>>>> the backend xenstore path of Dom0. Fix this by instead fetching the
>>>> disks from the DomU xenstore entries.
>>>
>>> Need to be a bit careful here about reading from potentially guest
>>> controllable keys. This should mostly be a question of permissions.
>>>
>>>> + fe_path = libxl__sprintf(gc, "/local/domain/%d/device/vbd", domid);
>>>
>>> Are guests able to create new subdirectories under here?
>>
>> Yes
>>
>>>
>>>> + devs = libxl__xs_directory(gc, XBT_NULL, fe_path, &xs_num);
>>>> + if (!devs)
>>>> + /* Domain has no disks */
>>>> + goto out;
>>>> + disks = libxl__calloc(NOGC, xs_num, sizeof(*disks));
>>>> + if (!disks)
>>>> + goto out_err;
>>>> + for (i = 0; i < xs_num; i++) {
>>>> + fe_path = GCSPRINTF("/local/domain/%d/device/vbd/%s/backend",
>>>> + domid, devs[i]);
>>>
>>> Is this path writeable by the guest? The containing directory is I
>>> think, so this needs to include delete and recreate type situations
>>> (although ISTR xenstore not having the posix like semantics here).
>>
>> Yes, the whole directory including the backend entry is writeable by the
>> guest.
>>
>>>
>>> If the guest can remove and recreate then we should check the current
>>> owner of the key is e.g. the toolstack domain or whoever should be
>>> trusted to won the key, within the same transaction as the read itself.
>>
>> I'm sorry but I'm not following you here, I assume you are speaking
>> about the frontend node that points to the backend ie:
>>
>> /local/domain/<domid>/device/vbd/<devid>/backend
>>
>> Permissions on this node are:
>>
>> domid: <domid> perms: 0
>> domid: 0 perms: 1
>
> What are perms 0 and 1? We normally use r/w/b in xenstore speak.
This is what xs_get_permissions reports, according to xenstore_lib.h:
0 = XS_PERM_NONE
1 = XS_PERM_READ
Which doesn't make sense IMHO, because the guest has XS_PERM_NONE and is
able to read/write on that path (I'm probably missing something here).
>
>> If the guest changes this node, or recreates it permissions will still
>> be the same.
>
> I was hoping we might be able to spot this case because the permissions
> would have changed.
>
> So the backend path in the frontend dir might point somewhere which is
> maliciously controlled by the guest, or by another guest, something
> which I don't think libxl_foo_from_xs_be is prepared to deal with. We
> need to mitigate this somehow. Can we tighten the permissions
> on /local/domain/<domid>/device/vbd/<devid>/backend such that only the
> toolstack domain can fiddle with it?
That was my first thought, I think we can safely make this
(/local/domain/<domid>/device/vbd/<devid>/backend) read-only for the
guest, no well-behaved frontend should ever try to change that.
libxl__devices_destroy logic already relies on
/local/domain/<domid>/device/vbd/<devid>/backend pointing to the backend
xenstore path.
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2013-09-10 13:55 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-06 10:36 [PATCH 0/2] libxl: fixes for driver domains Roger Pau Monne
2013-09-06 10:36 ` [PATCH 1/2] libxl: correctly list disks served by driver domains in block-list Roger Pau Monne
2013-09-10 10:11 ` Ian Campbell
2013-09-10 12:06 ` Roger Pau Monné
2013-09-10 12:54 ` Ian Campbell
2013-09-10 13:55 ` Roger Pau Monné [this message]
2013-09-10 14:23 ` Ian Campbell
2013-09-10 14:54 ` [PATCH] libxl: set permissions for xs frontend entry pointing to xs backend Roger Pau Monne
2013-09-10 15:02 ` Ian Campbell
2013-09-10 15:03 ` Roger Pau Monné
2013-09-10 15:06 ` Ian Campbell
2013-09-10 15:12 ` Ian Jackson
2013-09-10 15:16 ` Ian Campbell
2013-09-10 15:19 ` Ian Jackson
2013-09-10 15:23 ` Ian Campbell
2013-09-10 15:43 ` Ian Jackson
2013-09-10 15:19 ` Roger Pau Monné
2013-09-10 15:24 ` Ian Campbell
2013-09-06 10:36 ` [PATCH 2/2] libxl: fix libxl__device_disk_from_xs_be to parse backend domid Roger Pau Monne
2013-09-10 10:14 ` Ian Campbell
2013-09-10 12:08 ` Roger Pau Monné
2013-09-13 12:32 ` Ian Campbell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=522F24D4.5010306@citrix.com \
--to=roger.pau@citrix.com \
--cc=Ian.Campbell@citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.