[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Testing ocaml-vchan

To: <cl-mirage@xxxxxxxxxxxxxxx>
From: David Scott <dave.scott@xxxxxxxxxxxxx>
Date: Mon, 19 Aug 2013 11:52:51 +0100
List-id: MirageOS development <cl-mirage.lists.cam.ac.uk>

On 16/08/13 17:35, Vincent Bernardoff wrote:
...

You should observe, randomly, either the kernel crashing with EACCESS,
or blocking forever.

I don't see any crashes on my CentOS 6.4. I was only patient enough torun it 10 times though. Perhaps the crashes are just early EACCESSexceptions which are thrown before libxl finishes it's work?


Please let me know if you have any problem following those instructions,
or if the result of the experiment is different from what I have.

The EACCESS is because of the default permissions of the xenstore nodes.If you do this:


xl create foo.cfg -cp
xl list
 -- look for the domain id
xenstore-write /local/domain/$ID/vchan ""
xenstore-chmod /local/domain/$ID/vchan n$ID,r0
xl unpause foo

then it won't crash. I get:
>>>>
Initializing Server domid=0 xs_path=vchan
Server: right_order = 13, left_order = 13
allocate_buffer_locations: gntref = 9
allocate_buffer_locations: gntref = 10
allocate_buffer_locations: gntref = 11
allocate_buffer_locations: gntref = 12
Writing config into the XenStore
Inside Xs.immediate: writing to vchan
domid = 7
domid = 7
domid = 7
domid = 7
domid = 7
domid = 7
domid = 7
domid = 7
domid = 7
domid = 7
domid = 7
Created directory vchan
Created key vchan/ring-ref
Shared page is:

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0d 00 0d 00 02 01 01 00 09 00 00 00 0a 00 00 00
0b 00 00 00 0c 00 00 00
Initialization done!
<<<<

The default permissions are:

>>>>
[root@st30 ~]# xenstore-ls /local/domain/7 -p
...
7 = "" . . . . . . . . . . . . . . . . . . . . . . . . . . .  (n0,r7)
...

[root@st30 ~]# xenstore-ls /local/domain/7 -p
vm = "/vm/cc27def4-5e8c-4f82-bcb8-945869d7536e"  . . . . . .  (n0,r7)
name = "vchan" . . . . . . . . . . . . . . . . . . . . . . .  (n0,r7)
cpu = "" . . . . . . . . . . . . . . . . . . . . . . . . . .  (n0,r7)
 0 = ""  . . . . . . . . . . . . . . . . . . . . . . . . . .  (n0,r7)
  availability = "online"  . . . . . . . . . . . . . . . . .  (n0,r7)
memory = ""  . . . . . . . . . . . . . . . . . . . . . . . .  (n0,r7)
 static-max = "262144" . . . . . . . . . . . . . . . . . . .  (n0,r7)
 target = "262145" . . . . . . . . . . . . . . . . . . . . .  (n0,r7)
 videoram = "-1" . . . . . . . . . . . . . . . . . . . . . .  (n0,r7)
device = ""  . . . . . . . . . . . . . . . . . . . . . . . .  (n0,r7)
 suspend = ""  . . . . . . . . . . . . . . . . . . . . . . .  (n0,r7)
  event-channel = "" . . . . . . . . . . . . . . . . . . . .  (n7)
control = "" . . . . . . . . . . . . . . . . . . . . . . . .  (n0,r7)
 shutdown = "" . . . . . . . . . . . . . . . . . . . . . . .  (n7)
 platform-feature-multiprocessor-suspend = "1" . . . . . . .  (n0,r7)
 platform-feature-xs_reset_watches = "1" . . . . . . . . . .  (n0,r7)
data = ""  . . . . . . . . . . . . . . . . . . . . . . . . .  (n7)
domid = "7"  . . . . . . . . . . . . . . . . . . . . . . . .  (n0,r7)
store = "" . . . . . . . . . . . . . . . . . . . . . . . . .  (n0,r7)
 port = "1"  . . . . . . . . . . . . . . . . . . . . . . . .  (n0,r7)
 ring-ref = "1167408"  . . . . . . . . . . . . . . . . . . .  (n0,r7)
console = "" . . . . . . . . . . . . . . . . . . . . . . . .  (n7,r0)
 backend = "/local/domain/0/backend/console/7/0" . . . . . .  (n7,r0)
 backend-id = "0"  . . . . . . . . . . . . . . . . . . . . .  (n7,r0)
 limit = "1048576" . . . . . . . . . . . . . . . . . . . . .  (n7,r0)
 type = "xenconsoled"  . . . . . . . . . . . . . . . . . . .  (n7,r0)
 output = "pty"  . . . . . . . . . . . . . . . . . . . . . .  (n7,r0)
 port = "2"  . . . . . . . . . . . . . . . . . . . . . . . .  (n7,r0)
 ring-ref = "1167407"  . . . . . . . . . . . . . . . . . . .  (n7,r0)
 tty = "/dev/pts/3"  . . . . . . . . . . . . . . . . . . . .  (n7,r0)
<<<<

where "nX" means "owned by domid X which has read/write access) and "rX"means "read permission for domid X". So you can't make newsubdirectories and you can only write to a few miscellaneous places.

The permissions have been set this way because it's normally thetoolstack's job to create devices (backends and frontends) and introducethem to each other. Backend software running in privileged domains has(unfortunately) trusted the values in xenstore to have come from thetoolstack -- rather than the untrusted frontend -- and this has led tosome security vulnerabilities when the permissions were accidentallyrelaxed, and the frontend was able to change them. There's a generalmove towards trusting xenstore less and imposing security policies inthe hypervisor via XSM.


I think there are 3 options:

1. architect the application such that there is a toolstack (ie dom0)component which creates the directories to introduce client to server.This is what happens with the block and net protocols but may not beappropriate for vchan?

2. propose a canonical place where "vchan" endpoints should beadvertised (/local/domain/$ID/vchan or /local/domain/$ID/device/vchan),and modify the toolstack to make the directory and 'setperm' it.

3. use one of the places you can already write to. Looking at thedefault permissions above the only options are:


>>>>
...
  event-channel = "" . . . . . . . . . . . . . . . . . . . .  (n7)
...
 shutdown = "" . . . . . . . . . . . . . . . . . . . . . . .  (n7)
...
data = ""  . . . . . . . . . . . . . . . . . . . . . . . . .  (n7)
console = "" . . . . . . . . . . . . . . . . . . . . . . . .  (n7,r0)
 backend = "/local/domain/0/backend/console/7/0" . . . . . .  (n7,r0)
 backend-id = "0"  . . . . . . . . . . . . . . . . . . . . .  (n7,r0)
 limit = "1048576" . . . . . . . . . . . . . . . . . . . . .  (n7,r0)
 type = "xenconsoled"  . . . . . . . . . . . . . . . . . . .  (n7,r0)
 output = "pty"  . . . . . . . . . . . . . . . . . . . . . .  (n7,r0)
 port = "2"  . . . . . . . . . . . . . . . . . . . . . . . .  (n7,r0)
 ring-ref = "1167407"  . . . . . . . . . . . . . . . . . . .  (n7,r0)
 tty = "/dev/pts/3"  . . . . . . . . . . . . . . . . . . . .  (n7,r0)
<<<<

I think the only place which isn't horrifically ugly in the list aboveis "data". Perhaps you could use /local/domain/$ID/data/vchan bydefault? This patch works for me:


--- a/test/node_mirage.ml
+++ b/test/node_mirage.ml
@@ -20,4 +20,4 @@ let main () =
   Xs.make () >>= fun c ->
   Xs.immediate c (fun h -> Xs.read h "domid") >>=
   fun domid ->
-  Node.with_vchan clisrv (Eventchn.init ()) remote_domid "vchan" echo
+  Node.with_vchan clisrv (Eventchn.init ()) remote_domid "data/vchan" echo


Cheers,
Dave

References:
- Testing ocaml-vchan
  - From: Vincent Bernardoff

Prev by Date: Re: Building mirage-www
Next by Date: Re: [Xen-devel] INPUT REQUESTED: Moving August Xen Docs Day to September 6?
Previous by thread: Testing ocaml-vchan
Next by thread: Fwd: Re: Testing ocaml-vchan
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.