From: "Roger Pau Monné" <roger.pau@citrix.com>
To: Ian Campbell <Ian.Campbell@citrix.com>
Cc: xen-devel@lists.xenproject.org, Ian Jackson <Ian.Jackson@eu.citrix.com>
Subject: Re: [PATCH 1/2] libxl: correctly list disks served by driver domains in block-list
Date: Tue, 10 Sep 2013 15:55:32 +0200 [thread overview]
Message-ID: <522F24D4.5010306@citrix.com> (raw)
In-Reply-To: <1378817692.21748.114.camel@kazak.uk.xensource.com>
On 10/09/13 14:54, Ian Campbell wrote:
> On Tue, 2013-09-10 at 14:06 +0200, Roger Pau Monné wrote:
>> On 10/09/13 12:11, Ian Campbell wrote:
>>> On Fri, 2013-09-06 at 12:36 +0200, Roger Pau Monne wrote:
>>>> The block-list command was not able to lists disks with backends
>>>> running on domains different than Dom0, because it was only looking on
>>>> the backend xenstore path of Dom0. Fix this by instead fetching the
>>>> disks from the DomU xenstore entries.
>>>
>>> Need to be a bit careful here about reading from potentially guest
>>> controllable keys. This should mostly be a question of permissions.
>>>
>>>> + fe_path = libxl__sprintf(gc, "/local/domain/%d/device/vbd", domid);
>>>
>>> Are guests able to create new subdirectories under here?
>>
>> Yes
>>
>>>
>>>> + devs = libxl__xs_directory(gc, XBT_NULL, fe_path, &xs_num);
>>>> + if (!devs)
>>>> + /* Domain has no disks */
>>>> + goto out;
>>>> + disks = libxl__calloc(NOGC, xs_num, sizeof(*disks));
>>>> + if (!disks)
>>>> + goto out_err;
>>>> + for (i = 0; i < xs_num; i++) {
>>>> + fe_path = GCSPRINTF("/local/domain/%d/device/vbd/%s/backend",
>>>> + domid, devs[i]);
>>>
>>> Is this path writeable by the guest? The containing directory is I
>>> think, so this needs to include delete and recreate type situations
>>> (although ISTR xenstore not having the posix like semantics here).
>>
>> Yes, the whole directory including the backend entry is writeable by the
>> guest.
>>
>>>
>>> If the guest can remove and recreate then we should check the current
>>> owner of the key is e.g. the toolstack domain or whoever should be
>>> trusted to won the key, within the same transaction as the read itself.
>>
>> I'm sorry but I'm not following you here, I assume you are speaking
>> about the frontend node that points to the backend ie:
>>
>> /local/domain/<domid>/device/vbd/<devid>/backend
>>
>> Permissions on this node are:
>>
>> domid: <domid> perms: 0
>> domid: 0 perms: 1
>
> What are perms 0 and 1? We normally use r/w/b in xenstore speak.
This is what xs_get_permissions reports, according to xenstore_lib.h:
0 = XS_PERM_NONE
1 = XS_PERM_READ
Which doesn't make sense IMHO, because the guest has XS_PERM_NONE and is
able to read/write on that path (I'm probably missing something here).
>
>> If the guest changes this node, or recreates it permissions will still
>> be the same.
>
> I was hoping we might be able to spot this case because the permissions
> would have changed.
>
> So the backend path in the frontend dir might point somewhere which is
> maliciously controlled by the guest, or by another guest, something
> which I don't think libxl_foo_from_xs_be is prepared to deal with. We
> need to mitigate this somehow. Can we tighten the permissions
> on /local/domain/<domid>/device/vbd/<devid>/backend such that only the
> toolstack domain can fiddle with it?
That was my first thought, I think we can safely make this
(/local/domain/<domid>/device/vbd/<devid>/backend) read-only for the
guest, no well-behaved frontend should ever try to change that.
libxl__devices_destroy logic already relies on
/local/domain/<domid>/device/vbd/<devid>/backend pointing to the backend
xenstore path.
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2013-09-10 13:55 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-06 10:36 [PATCH 0/2] libxl: fixes for driver domains Roger Pau Monne
2013-09-06 10:36 ` [PATCH 1/2] libxl: correctly list disks served by driver domains in block-list Roger Pau Monne
2013-09-10 10:11 ` Ian Campbell
2013-09-10 12:06 ` Roger Pau Monné
2013-09-10 12:54 ` Ian Campbell
2013-09-10 13:55 ` Roger Pau Monné [this message]
2013-09-10 14:23 ` Ian Campbell
2013-09-10 14:54 ` [PATCH] libxl: set permissions for xs frontend entry pointing to xs backend Roger Pau Monne
2013-09-10 15:02 ` Ian Campbell
2013-09-10 15:03 ` Roger Pau Monné
2013-09-10 15:06 ` Ian Campbell
2013-09-10 15:12 ` Ian Jackson
2013-09-10 15:16 ` Ian Campbell
2013-09-10 15:19 ` Ian Jackson
2013-09-10 15:23 ` Ian Campbell
2013-09-10 15:43 ` Ian Jackson
2013-09-10 15:19 ` Roger Pau Monné
2013-09-10 15:24 ` Ian Campbell
2013-09-06 10:36 ` [PATCH 2/2] libxl: fix libxl__device_disk_from_xs_be to parse backend domid Roger Pau Monne
2013-09-10 10:14 ` Ian Campbell
2013-09-10 12:08 ` Roger Pau Monné
2013-09-13 12:32 ` Ian Campbell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=522F24D4.5010306@citrix.com \
--to=roger.pau@citrix.com \
--cc=Ian.Campbell@citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).