[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.6] libxl: Make copy of every xs backend in /libxl in _generic_add



commit 866bea560bdf66a780b4821c0a859bbcad132c34
Author:     Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
AuthorDate: Fri Apr 29 16:19:28 2016 +0100
Commit:     Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
CommitDate: Mon Jun 6 14:47:35 2016 +0100

    libxl: Make copy of every xs backend in /libxl in _generic_add
    
    We want to stop libxl trustingly reading information from the backend
    directory (since this is, of course, writeable by the backend, which
    might be a semi-trusted driver domain).
    
    In principle it is wrong in current libxl for anything to try to
    divine virtual device configuration from xenstore: the JSON domain
    config ought to supply that, and xenstore should only tell us which
    devices actually exist.
    
    However:
    
    Firstly, there are several existing places where configuration
    information is retrieved from xenstore rather than JSON.  We do not
    want to reen gineer this in a security patch.
    
    Secondly, we want to make a security patch which can be backported to
    versions of libxl without the JSON configuration machinery.
    
    So we take the expedient approach of keeping a copy of the
    configuration somewhere we trust, namely /libxl.  This is obviously
    fairly low-risk, although it does write significantly more keys in
    xenstore.
    
    In this patch we make this change in libxl__device_generic_add.  This
    is responsible for actually writing the vast majority of device
    information to xenstore.  There are a few loose ends which will be
    dealt with in a moment.
    
    Likewise, changes to readers to use the new location will appear in
    further patches.
    
    This is part of XSA-178.
    
    Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
    Reviewed-by: Wei Liu <wei.liu2@xxxxxxxxxx>
---
 docs/misc/xenstore-paths.markdown |  4 ++++
 tools/libxl/libxl_device.c        | 23 +++++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/docs/misc/xenstore-paths.markdown 
b/docs/misc/xenstore-paths.markdown
index 276273d..8c686ec 100644
--- a/docs/misc/xenstore-paths.markdown
+++ b/docs/misc/xenstore-paths.markdown
@@ -404,6 +404,10 @@ Path in xenstore to the frontend, normally
 Path in xenstore to the backend, normally
 /local/domain/$BACKEND_DOMID/backend/$KIND/$DOMID/$DEVID
 
+#### /libxl/$DOMID/device/$KIND/$DEVID/$NODE
+
+Trustworthy copy of /local/domain/$DOMID/backend/$KIND/$DEVID/$NODE.
+
 #### /libxl/$DOMID/dm-version ("qemu\_xen"|"qemu\_xen\_traditional") = 
[n,INTERNAL]
 
 The device model version for a domain.
diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
index f4e907f..2b7cd25 100644
--- a/tools/libxl/libxl_device.c
+++ b/tools/libxl/libxl_device.c
@@ -185,6 +185,29 @@ retry_transaction:
         xs_write(ctx->xsh, t, GCSPRINTF("%s/frontend", backend_path),
                  frontend_path, strlen(frontend_path));
         libxl__xs_writev(gc, t, backend_path, bents);
+
+        /*
+         * We make a copy of everything for the backend in the libxl
+         * path as well.  This means we don't need to trust the
+         * backend.  Ideally this information would not be used and we
+         * would use the information from the json configuration
+         * instead.  But there are still places in libxl that try to
+         * reconstruct a config from xenstore.
+         *
+         * This duplication will typically produces duplicate keys
+         * which will go out of date, but that's OK because nothing
+         * reads those.  For example, there is usually
+         *   /libxl/$guest/device/$kind/$devid/state
+         * which starts out containing XenbusStateInitialising ("1")
+         * just like the copy in
+         *  /local/domain/$driverdom/backend/$guest/$kind/$devid/state
+         * but which won't ever be updated.
+         *
+         * This duplication is superfluous and messy but as discussed
+         * the proper fix is more intrusive than we want to do now.
+         */
+        rc = libxl__xs_writev(gc, t, libxl_path, bents);
+        if (rc) goto out;
     }
 
     if (!create_transaction)
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.6

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.