From: Wei Liu <wei.liu2@citrix.com>
To: George Dunlap <george.dunlap@citrix.com>
Cc: "xen-devel@lists.xen.org" <xen-devel@lists.xen.org>,
Wei Liu <wei.liu2@citrix.com>,
"Xen.org security team" <security@xen.org>
Subject: Re: Xen Security Advisory 180 (CVE-2014-3672) - Unrestricted qemu logging
Date: Wed, 25 May 2016 16:43:36 +0100
Message-ID: <20160525154336.GS22076@citrix.com>
In-Reply-To: <20160525145123.GC18213@citrix.com>
On Wed, May 25, 2016 at 03:51:23PM +0100, Wei Liu wrote:
> On Wed, May 25, 2016 at 03:04:40PM +0100, George Dunlap wrote:
> > On Mon, May 23, 2016 at 6:09 PM, Xen.org security team <security@xen.org> wrote:
> > > RESOLUTION
> > > ==========
> > >
> > > Applying the appropriate attached patch resolves this issue.
> > >
> > > The patches adopt a simple and rather crude approach which is
> > > effective at resolving the security issue in the context of a Xen
> > > device model. They may not be appropriate for adoption upstream or in
> > > other contexts.
> >
> > This is indeed a rather crude approach; but for our upcoming 4.7
> > release, what's the plan? Do we have time to generalize xenconsoled
> > to handle this sort of logging, and if so, who is going to do that
> > work?
> >
>
> I think it's going to be a bit intrusive at this point to change
> xenconsoled to do that. However it should be too hard to test.
> We also need people to test and review it. All in all it seems time is
> very tight.
>

I just read the code of virtlogd and xenconsoled.

I think xenconsoled is missing at least things.

From a higher level:

1. Abstraction of rotating file.
2. Abstraction of client.
3. IPC interface to libxl -- presumably we need to create a socket.

Then we need to write code in libxl to use it. That then involves
inventing a protocol to pass the file name to xenconsoled (assuming we
still want one file per qemu).

Wei.
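
The "abstraction of rotating file" item in the message above, sketched in C as an added example; it is not code from this thread, from xenconsoled or from virtlogd. The names `rotlog`, `rotlog_open` and `rotlog_write` are hypothetical; the point is that disk use per log stays bounded by `max_bytes * (backups + 1)` however much the logging process emits.

```c
/* Added example: size-capped rotating log writer (hypothetical API). */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct rotlog {
    char path[240];          /* base log file name */
    int fd; unsigned backups;/* rotated copies kept: path.1 .. path.N */
    size_t cur, max_bytes;   /* bytes in the current file, per-file cap */
};

int rotlog_open(struct rotlog *r, const char *path, size_t max_bytes, unsigned backups) {
    struct stat st;
    if (strlen(path) >= sizeof r->path || max_bytes == 0) return -1;
    strcpy(r->path, path);
    r->max_bytes = max_bytes; r->backups = backups;
    r->fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (r->fd < 0 || fstat(r->fd, &st) < 0) return -1;
    r->cur = (size_t)st.st_size;   /* an existing file counts against the cap */
    return 0;
}

/* Shift path -> path.1 -> ... -> path.N; the oldest copy is overwritten. */
static int rotlog_rotate(struct rotlog *r) {
    char from[256], to[256];
    close(r->fd);
    for (unsigned i = r->backups; i > 0; i--) {
        snprintf(to, sizeof to, "%s.%u", r->path, i);
        if (i > 1) snprintf(from, sizeof from, "%s.%u", r->path, i - 1);
        else snprintf(from, sizeof from, "%s", r->path);
        rename(from, to);          /* a missing source file is fine */
    }
    r->cur = 0;                    /* with backups == 0 the file is just truncated */
    r->fd = open(r->path, O_WRONLY | O_CREAT | O_TRUNC | O_APPEND, 0600);
    return r->fd < 0 ? -1 : 0;
}

/* Append untrusted output; no single file ever grows past max_bytes. */
int rotlog_write(struct rotlog *r, const char *buf, size_t len) {
    while (len > 0) {
        if (r->cur >= r->max_bytes && rotlog_rotate(r) < 0) return -1;
        size_t room = r->max_bytes - r->cur;
        ssize_t w = write(r->fd, buf, len < room ? len : room);
        if (w <= 0) return -1;
        r->cur += (size_t)w; buf += w; len -= (size_t)w;
    }
    return 0;
}
```

A daemon would hold one `struct rotlog` per client (one per qemu if the one-file-per-qemu layout is kept) and feed it whatever arrives on that client's descriptor.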