From: Wei Liu <wei.liu2@citrix.com>
To: Juergen Gross <jgross@suse.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>,
Wei Liu <wei.liu2@citrix.com>,
"George.Dunlap@eu.citrix.com" <George.Dunlap@eu.citrix.com>,
Ian Jackson <ian.jackson@eu.citrix.com>,
Jennifer Herbert <Jennifer.Herbert@citrix.com>,
Tim Deegan <tim@xen.org>, Jan Beulich <JBeulich@suse.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: Xenstore domains and XS_RESTRICT
Date: Wed, 4 Jan 2017 14:59:39 +0000 [thread overview]
Message-ID: <20170104145939.GO13806@citrix.com> (raw)
In-Reply-To: <8537f8bf-2e57-11da-468d-bbc363027134@suse.com>
On Wed, Dec 07, 2016 at 08:44:31AM +0100, Juergen Gross wrote:
> Hi,
>
> today the XS_RESTRICT wire command of Xenstore is supported by
> oxenstored only to drop the privilege of a connection to that of the
> domid given as a parameter to the command.
>
> Using this mechanism with Xenstore running in a stubdom will lead to
> problems as instead of only a dom0 process dropping its privileges
> the privileges of dom0 will be dropped (all dom0 Xenstore requests
> share the same connection).
>
> In order to solve the problem I suggest the following change to the
> Xenstore wire protocol:
>
> struct xsd_sockmsg
> {
> - uint32_t type; /* XS_??? */
> + uint16_t type; /* XS_??? */
> + uint16_t domid; /* Use privileges of this domain */
> uint32_t req_id;/* Request identifier, echoed in daemon's response. */
> uint32_t tx_id; /* Transaction id (0 if not related to a
> transaction). */
> uint32_t len; /* Length of data following this. */
>
> /* Generally followed by nul-terminated string(s). */
> };
>
> domid will normally be zero having the same effect as today.
>
> Using XS_RESTRICT via a socket connection will run as today by dropping
> the privileges of that connection.
>
> Using XS_RESTRICT via the kernel (Xenstore domain case) will save the
> domid given as parameter in the connection specific private kernel
> structure. All future Xenstore commands of the connection will have
> this domid set in xsd_sockmsg. The kernel will never forward the
> XS_RESTRICT command to Xenstore.
>
> A domid other than 0 in xsd_sockmsg will be handled by Xenstore to use
> the privileges of that domain. Specifying a domid in xsd_sockmsg is
> allowed for privileged domain only, of course. XS_RESTRICT via a
> non-socket connection will be rejected in all cases.
>
I'm slightly concerned about this non-unified model -- I would rather
xenstored only needs to deal with "virtual connection", regardless of
the interface (socket or kernel) they use.
I'm not convinced that socket-based distinction is good enough -- what
if some program tries to multiplex the socket? Is that not possible at
the moment?
(I can't find XS_RESTRICT in xenstore.txt, so I'm not sure if I'm
talking nonsense)
> The needed modifications for Xenstore and the kernel are rather small.
> As there is currently no Xenstore domain available supporting
> XS_RESTRICT there are no compatibility issues to expect.
>
> Thoughts?
>
>
> Juergen
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-01-04 14:59 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-07 7:44 Xenstore domains and XS_RESTRICT Juergen Gross
2016-12-07 14:15 ` Konrad Rzeszutek Wilk
2016-12-07 14:26 ` Juergen Gross
2016-12-07 15:40 ` Konrad Rzeszutek Wilk
2016-12-07 15:55 ` Juergen Gross
2016-12-07 17:00 ` Ian Jackson
2016-12-08 7:11 ` Juergen Gross
2016-12-07 17:10 ` Ian Jackson
2016-12-08 7:55 ` Juergen Gross
2017-01-02 6:04 ` Juergen Gross
2017-01-04 14:59 ` Wei Liu [this message]
2017-01-04 15:05 ` Juergen Gross
2017-01-04 15:21 ` Wei Liu
2017-01-05 7:20 ` Juergen Gross
2017-01-04 16:54 ` Ian Jackson
2017-01-05 6:56 ` Juergen Gross
2017-01-16 16:47 ` Juergen Gross
2017-01-18 11:03 ` Wei Liu
2017-01-18 11:21 ` Juergen Gross
2017-01-18 11:39 ` Wei Liu
2017-01-18 12:08 ` Juergen Gross
2017-01-18 12:37 ` Andrew Cooper
2017-01-18 12:39 ` George Dunlap
2017-01-18 12:42 ` Juergen Gross
2017-01-18 12:44 ` Wei Liu
2017-01-18 18:26 ` Stefano Stabellini
2017-01-18 18:31 ` Juergen Gross
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170104145939.GO13806@citrix.com \
--to=wei.liu2@citrix.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=Jennifer.Herbert@citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=jgross@suse.com \
--cc=sstabellini@kernel.org \
--cc=tim@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).