From: Juergen Gross <jgross@suse.com>
To: Wei Liu <wei.liu2@citrix.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>,
"George.Dunlap@eu.citrix.com" <George.Dunlap@eu.citrix.com>,
Ian Jackson <ian.jackson@eu.citrix.com>,
Jennifer Herbert <Jennifer.Herbert@citrix.com>,
Tim Deegan <tim@xen.org>, Jan Beulich <JBeulich@suse.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: Xenstore domains and XS_RESTRICT
Date: Thu, 5 Jan 2017 08:20:52 +0100 [thread overview]
Message-ID: <60ccad8d-e65b-47be-cb0d-e42a8d736b6f@suse.com> (raw)
In-Reply-To: <20170104152134.GR13806@citrix.com>
On 04/01/17 16:21, Wei Liu wrote:
> On Wed, Jan 04, 2017 at 04:05:03PM +0100, Juergen Gross wrote:
>> On 04/01/17 15:59, Wei Liu wrote:
>>> On Wed, Dec 07, 2016 at 08:44:31AM +0100, Juergen Gross wrote:
>>>> Hi,
>>>>
>>>> today the XS_RESTRICT wire command of Xenstore is supported by
>>>> oxenstored only to drop the privilege of a connection to that of the
>>>> domid given as a parameter to the command.
>>>>
>>>> Using this mechanism with Xenstore running in a stubdom will lead to
>>>> problems as instead of only a dom0 process dropping its privileges
>>>> the privileges of dom0 will be dropped (all dom0 Xenstore requests
>>>> share the same connection).
>>>>
>>>> In order to solve the problem I suggest the following change to the
>>>> Xenstore wire protocol:
>>>>
>>>> struct xsd_sockmsg
>>>> {
>>>> - uint32_t type; /* XS_??? */
>>>> + uint16_t type; /* XS_??? */
>>>> + uint16_t domid; /* Use privileges of this domain */
>>>> uint32_t req_id;/* Request identifier, echoed in daemon's response. */
>>>> uint32_t tx_id; /* Transaction id (0 if not related to a
>>>> transaction). */
>>>> uint32_t len; /* Length of data following this. */
>>>>
>>>> /* Generally followed by nul-terminated string(s). */
>>>> };
>>>>
>>>> domid will normally be zero having the same effect as today.
>>>>
>>>> Using XS_RESTRICT via a socket connection will run as today by dropping
>>>> the privileges of that connection.
>>>>
>>>> Using XS_RESTRICT via the kernel (Xenstore domain case) will save the
>>>> domid given as parameter in the connection specific private kernel
>>>> structure. All future Xenstore commands of the connection will have
>>>> this domid set in xsd_sockmsg. The kernel will never forward the
>>>> XS_RESTRICT command to Xenstore.
>>>>
>>>> A domid other than 0 in xsd_sockmsg will be handled by Xenstore to use
>>>> the privileges of that domain. Specifying a domid in xsd_sockmsg is
>>>> allowed for privileged domain only, of course. XS_RESTRICT via a
>>>> non-socket connection will be rejected in all cases.
>>>>
>>>
>>> I'm slightly concerned about this non-unified model -- I would rather
>>> xenstored only needs to deal with "virtual connection", regardless of
>>> the interface (socket or kernel) they use.
>>
>> Rejecting XS_RESTRICT for a non-socket connection is mandatory to
>> ensure a XS_RESTRICT user on an old kernel not knowing about it can't
>> drop the privilege of all other user's on that system, too.
>>
>
> This highlights the flaw in this command. IMHO it would make sense to
> invent something new other than extending something that is already
> deemed inadequate.
I think this "flaw" is present for any new Xenstore command modifying
the state of a connection for all or some following commands: kernel
and Xen versions are not in sync and so you'd need such mechanisms.
> There is no documentation about the semantics of XS_RESTRICT, which
> is another reason to not touch it.
Yes. See https://lists.xen.org/archives/html/xen-devel/2016-06/msg03487.html
Juergen
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-01-05 7:20 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-07 7:44 Xenstore domains and XS_RESTRICT Juergen Gross
2016-12-07 14:15 ` Konrad Rzeszutek Wilk
2016-12-07 14:26 ` Juergen Gross
2016-12-07 15:40 ` Konrad Rzeszutek Wilk
2016-12-07 15:55 ` Juergen Gross
2016-12-07 17:00 ` Ian Jackson
2016-12-08 7:11 ` Juergen Gross
2016-12-07 17:10 ` Ian Jackson
2016-12-08 7:55 ` Juergen Gross
2017-01-02 6:04 ` Juergen Gross
2017-01-04 14:59 ` Wei Liu
2017-01-04 15:05 ` Juergen Gross
2017-01-04 15:21 ` Wei Liu
2017-01-05 7:20 ` Juergen Gross [this message]
2017-01-04 16:54 ` Ian Jackson
2017-01-05 6:56 ` Juergen Gross
2017-01-16 16:47 ` Juergen Gross
2017-01-18 11:03 ` Wei Liu
2017-01-18 11:21 ` Juergen Gross
2017-01-18 11:39 ` Wei Liu
2017-01-18 12:08 ` Juergen Gross
2017-01-18 12:37 ` Andrew Cooper
2017-01-18 12:39 ` George Dunlap
2017-01-18 12:42 ` Juergen Gross
2017-01-18 12:44 ` Wei Liu
2017-01-18 18:26 ` Stefano Stabellini
2017-01-18 18:31 ` Juergen Gross
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=60ccad8d-e65b-47be-cb0d-e42a8d736b6f@suse.com \
--to=jgross@suse.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=Jennifer.Herbert@citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=sstabellini@kernel.org \
--cc=tim@xen.org \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.