From: "Roger Pau Monné" <roger.pau@citrix.com>
To: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: xen-devel@lists.xenproject.org,
Ian Campbell <ian.campbell@citrix.com>,
security@xen.org
Subject: Re: [PATCH] libxl: set permissions for xs frontend entry pointing to xs backend
Date: Tue, 10 Sep 2013 17:19:27 +0200
Message-ID: <522F387F.4010200@citrix.com>
In-Reply-To: <21039.14046.599923.505120@mariner.uk.xensource.com>

On 10/09/13 17:12, Ian Jackson wrote:
> Roger Pau Monne writes ("[PATCH] libxl: set permissions for xs frontend entry pointing to xs backend"):
>> libxl doesn't currently set the permissions of entries like:
>>
>> /local/domain/<domid>/device/<dev_type>/<devid>/backend
>>
>> This allows the guest to change these xenstore entries to point to a
>> different backend path, or to a malicious xenstore path forged by the
>> guest itself. libxl currently relies on this path being valid in order
>> to perform the unplug of devices in libxl__devices_destroy, so we
>> should prevent the guest from modifying this xenstore entry.
>
> Is it sufficient to set the permissions on "backend" - does that
> prevent the guest deleting the whole subtree?

No, the guest can still delete the whole subtree, but it cannot
recreate it (because the parent directory
/local/domain/<domid>/device/<dev_type>/ is not writeable by the guest).

> Really it would be better to make the unplug not depend on this path.
>
> This is a security issue, so CCing security@. It appears to have
> been discovered in public on xen-devel, so shouldn't be embargoed.
>
> Ian.
>
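
The permission question discussed in this message can be checked from dom0 by auditing a xenstore dump. The following is an added example, not part of the original thread or of libxl: it assumes lines shaped like `xenstore-ls -f -p` output (`path = "value"   (perms)`), the function names are hypothetical, and the sample dump is constructed.

```python
import re

# Assumed line shape, modelled on `xenstore-ls -f -p`: path = "value"   (perms)
LINE = re.compile(r'^(?P<path>/\S*)\s*=\s*"(?P<val>.*)"[\s.]*\((?P<perms>[^)]*)\)\s*$')
BACKEND = re.compile(r'^(/local/domain/(\d+)/device/[^/]+)/[^/]+/backend$')

def parse(dump):
    """Map each path to (value, [(flag, domid), ...]); the first entry is the owner."""
    nodes = {}
    for line in dump.splitlines():
        m = LINE.match(line.strip())
        if m:
            perms = [(p[0], int(p[1:])) for p in m["perms"].split(",")]
            nodes[m["path"]] = (m["val"], perms)
    return nodes

def can_write(perms, domid):
    """Owner: full access. Listed domain: its own flag. Others: the owner entry's flag."""
    default_flag, owner = perms[0]
    if domid == owner:
        return True
    flag = next((f for f, d in perms[1:] if d == domid), default_flag)
    return flag in ("w", "b")

def audit(dump):
    """Return findings for frontend 'backend' pointers the guest could tamper with."""
    nodes, findings = parse(dump), []
    for path, (_, perms) in sorted(nodes.items()):
        m = BACKEND.match(path)
        if not m:
            continue
        parent, domid = m.group(1), int(m.group(2))
        if can_write(perms, domid):
            findings.append((path, "guest can rewrite backend pointer"))
        if parent in nodes and can_write(nodes[parent][1], domid):
            findings.append((path, "guest can recreate entry after deleting it"))
    return findings

# Constructed sample dump: domain 1 owns its vbd pointer (weak), while domain 2's
# pointer is owned by dom0 and only readable by the guest (hardened).
SAMPLE = '''\
/local/domain/1/device/vbd = ""   (n0,r1)
/local/domain/1/device/vbd/51712/backend = "/local/domain/0/backend/vbd/1/51712"   (n1,r0)
/local/domain/2/device/vbd = ""   (n0,r2)
/local/domain/2/device/vbd/51712/backend = "/local/domain/0/backend/vbd/2/51712"   (n0,r2)
'''

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The second check covers the point made in the reply: a read-only `backend` node only holds if the `<dev_type>` directory above it is also not writeable by the guest.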