From mboxrd@z Thu Jan  1 00:00:00 1970
From: =?ISO-8859-1?Q?Roger_Pau_Monn=E9?= <roger.pau@citrix.com>
Subject: Re: [PATCH] libxl: set permissions for xs frontend
 entry pointing to xs backend
Date: Tue, 10 Sep 2013 17:19:27 +0200
Message-ID: <522F387F.4010200@citrix.com>
References: <1378823007.10928.12.camel@kazak.uk.xensource.com>
	<1378824892-20789-1-git-send-email-roger.pau@citrix.com>
	<21039.14046.599923.505120@mariner.uk.xensource.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <roger.pau@citrix.com>) id 1VJPj4-00051Z-21
	for xen-devel@lists.xenproject.org; Tue, 10 Sep 2013 15:19:34 +0000
In-Reply-To: <21039.14046.599923.505120@mariner.uk.xensource.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: xen-devel@lists.xenproject.org, Ian Campbell <ian.campbell@citrix.com>, security@xen.org
List-Id: xen-devel@lists.xenproject.org

On 10/09/13 17:12, Ian Jackson wrote:
> Roger Pau Monne writes ("[PATCH] libxl: set permissions for xs frontend entry pointing to xs backend"):
>> libxl doesn't currently set the permissions of entries like:
>>
>> /local/domain/<domid>/device/<dev_type>/<devid>/backend
>>
>> This allows the guest to change this xenstore entries to point to a
>> different backend path, or to malicious xenstore path forged by the
>> guest itself. libxl currently relies on this path being valid in order
>> to perform the unplug of devices in libxl__devices_destroy, so we
>> should prevent the guest from modifying this xenstore entry.
> 
> Is it sufficient to set the permissions on "backend" - does that
> prevent the guest deleting the whole subtree ?

No, the guest can still delete the whole subtree, but it can not
recreate it (because the parent directory
/local/domain/<domid>/device/<dev_type>/ is not writeable by the guest).

> Really it would be better to make the unplug not depend on this path.
> 
> This is a security issue, so CCing security@.  It appears to have
> been discovered in public on xen-devel, so shouldn't be embargoed.
> 
> Ian.
>