From: Roger Pau Monné
Subject: Re: [PATCH] libxl: set permissions for xs frontend entry pointing to xs backend
Date: Tue, 10 Sep 2013 17:03:27 +0200
Message-ID: <522F34BF.5080304@citrix.com>
References: <1378823007.10928.12.camel@kazak.uk.xensource.com> <1378824892-20789-1-git-send-email-roger.pau@citrix.com> <1378825334.10928.16.camel@kazak.uk.xensource.com>
In-Reply-To: <1378825334.10928.16.camel@kazak.uk.xensource.com>
To: Ian Campbell
Cc: xen-devel@lists.xenproject.org, Ian Jackson

On 10/09/13 17:02, Ian Campbell wrote:
> On Tue, 2013-09-10 at 16:54 +0200, Roger Pau Monne wrote:
>> libxl doesn't currently set the permissions of entries like:
>>
>> /local/domain//device///backend
>>
>> This allows the guest to change these xenstore entries to point to a
>> different backend path, or to a malicious xenstore path forged by the
>> guest itself. libxl currently relies on this path being valid in order
>> to perform the unplug of devices in libxl__devices_destroy, so we
>> should prevent the guest from modifying this xenstore entry.
>>
>> This patch sets the permissions of said path to be the same as a
>> backend xenstore entry (owned by the toolstack domain, readable by the
>> guest).
>
> and just to confirm: despite having r/w access to the containing
> directory, the guest cannot remove this node and recreate it?

No, it can't (I've tried it):

root@debian:~# xenstore-rm /local/domain/54/device/vbd/51712/backend
xenstore-rm: could not remove path /local/domain/54/device/vbd/51712/backend
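
An added example, not part of the original message or of the libxl patch: a defender-side check that reads a listing in the style of `xenstore-ls -fp` and flags frontend `backend` nodes the guest can still rewrite, or whose value points back into the guest's own subtree. The listing layout, the sample domains and paths, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in the assumed layout of `xenstore-ls -fp` output,
# <path> = "<value>"   (<perms>); domain ids and paths are made up.
SAMPLE = """\
/local/domain/54/device/vbd/51712 = ""   (n54,r0)
/local/domain/54/device/vbd/51712/backend = "/local/domain/0/backend/vbd/54/51712"   (n0,r54)
/local/domain/55/device/vif/0/backend = "/local/domain/0/backend/vif/55/0"   (n55,r0)
/local/domain/56/device/vbd/51712/backend = "/local/domain/56/data/fake"   (n0,b56)
"""

LINE = re.compile(r'^(\S+) = "(.*)"\s+\(([^)]*)\)\s*$')
FRONT_BACKEND = re.compile(r'^/local/domain/(\d+)/device/[^/]+/[^/]+/backend$')


def guest_access(perms, domid):
    """Access letter (n, r, w or b) that domid gets from a perms list."""
    # First entry names the owner (always full access); its letter is the
    # default for domains not listed explicitly.
    entries = [(p[0], int(p[1:])) for p in perms.split(",")]
    (default, owner), explicit = entries[0], entries[1:]
    if domid == owner:
        return "b"
    for letter, dom in explicit:
        if dom == domid:
            return letter
    return default


def audit(listing):
    """Return (path, reason) for frontend 'backend' nodes a guest could forge."""
    findings = []
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        fb = m and FRONT_BACKEND.match(m.group(1))
        if not fb:
            continue
        path, value, perms = m.groups()
        guest = int(fb.group(1))
        if guest_access(perms, guest) in ("w", "b"):
            findings.append((path, "guest-writable"))
        if value.startswith(f"/local/domain/{guest}/"):
            findings.append((path, "points into guest subtree"))
    return findings


if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"{reason}: {path}")
```

A node with the permissions the patch describes (owned by the toolstack domain, readable by the guest) produces no finding.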