[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging] tools/xenstore: check privilege for XS_IS_DOMAIN_INTRODUCED

To: xen-changelog@xxxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Tue, 15 Dec 2020 12:55:55 +0000
Delivery-date: Tue, 15 Dec 2020 12:55:57 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xenproject.org>

commit fa2307be61df52970e7ee47a6c55124155c173c6
Author:     Juergen Gross <jgross@xxxxxxxx>
AuthorDate: Tue Dec 15 13:34:45 2020 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Dec 15 13:34:45 2020 +0100

    tools/xenstore: check privilege for XS_IS_DOMAIN_INTRODUCED
    
    The Xenstore command XS_IS_DOMAIN_INTRODUCED should be possible for
    privileged domains only (the only user in the tree is the xenpaging
    daemon).
    
    Instead of having the privilege test for each command introduce a
    per-command flag for that purpose.
    
    This is part of XSA-115.
    
    Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
    Reviewed-by: Julien Grall <jgrall@xxxxxxxxxx>
    Reviewed-by: Paul Durrant <paul@xxxxxxx>
---
 tools/xenstore/xenstored_core.c   | 24 ++++++++++++++++++------
 tools/xenstore/xenstored_domain.c |  9 ---------
 2 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c
index 476e69d658..3d0e7b3917 100644
--- a/tools/xenstore/xenstored_core.c
+++ b/tools/xenstore/xenstored_core.c
@@ -1276,8 +1276,10 @@ static struct {
        int (*func)(struct connection *conn, struct buffered_data *in);
        unsigned int flags;
 #define XS_FLAG_NOTID          (1U << 0)       /* Ignore transaction id. */
+#define XS_FLAG_PRIV           (1U << 1)       /* Privileged domain only. */
 } const wire_funcs[XS_TYPE_COUNT] = {
-       [XS_CONTROL]           = { "CONTROL",           do_control },
+       [XS_CONTROL]           =
+           { "CONTROL",       do_control,      XS_FLAG_PRIV },
        [XS_DIRECTORY]         = { "DIRECTORY",         send_directory },
        [XS_READ]              = { "READ",              do_read },
        [XS_GET_PERMS]         = { "GET_PERMS",         do_get_perms },
@@ -1287,8 +1289,10 @@ static struct {
            { "UNWATCH",       do_unwatch,      XS_FLAG_NOTID },
        [XS_TRANSACTION_START] = { "TRANSACTION_START", do_transaction_start },
        [XS_TRANSACTION_END]   = { "TRANSACTION_END",   do_transaction_end },
-       [XS_INTRODUCE]         = { "INTRODUCE",         do_introduce },
-       [XS_RELEASE]           = { "RELEASE",           do_release },
+       [XS_INTRODUCE]         =
+           { "INTRODUCE",     do_introduce,    XS_FLAG_PRIV },
+       [XS_RELEASE]           =
+           { "RELEASE",       do_release,      XS_FLAG_PRIV },
        [XS_GET_DOMAIN_PATH]   = { "GET_DOMAIN_PATH",   do_get_domain_path },
        [XS_WRITE]             = { "WRITE",             do_write },
        [XS_MKDIR]             = { "MKDIR",             do_mkdir },
@@ -1297,9 +1301,11 @@ static struct {
        [XS_WATCH_EVENT]       = { "WATCH_EVENT",       NULL },
        [XS_ERROR]             = { "ERROR",             NULL },
        [XS_IS_DOMAIN_INTRODUCED] =
-                       { "IS_DOMAIN_INTRODUCED", do_is_domain_introduced },
-       [XS_RESUME]            = { "RESUME",            do_resume },
-       [XS_SET_TARGET]        = { "SET_TARGET",        do_set_target },
+           { "IS_DOMAIN_INTRODUCED", do_is_domain_introduced, XS_FLAG_PRIV },
+       [XS_RESUME]            =
+           { "RESUME",        do_resume,       XS_FLAG_PRIV },
+       [XS_SET_TARGET]        =
+           { "SET_TARGET",    do_set_target,   XS_FLAG_PRIV },
        [XS_RESET_WATCHES]     = { "RESET_WATCHES",     do_reset_watches },
        [XS_DIRECTORY_PART]    = { "DIRECTORY_PART",    send_directory_part },
 };
@@ -1327,6 +1333,12 @@ static void process_message(struct connection *conn, 
struct buffered_data *in)
                return;
        }
 
+       if ((wire_funcs[type].flags & XS_FLAG_PRIV) &&
+           domain_is_unprivileged(conn)) {
+               send_error(conn, EACCES);
+               return;
+       }
+
        trans = (wire_funcs[type].flags & XS_FLAG_NOTID)
                ? NULL : transaction_lookup(conn, in->hdr.msg.tx_id);
        if (IS_ERR(trans)) {
diff --git a/tools/xenstore/xenstored_domain.c 
b/tools/xenstore/xenstored_domain.c
index a2f144f6dd..364ad8ea63 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -372,9 +372,6 @@ int do_introduce(struct connection *conn, struct 
buffered_data *in)
        if (get_strings(in, vec, ARRAY_SIZE(vec)) < ARRAY_SIZE(vec))
                return EINVAL;
 
-       if (domain_is_unprivileged(conn))
-               return EACCES;
-
        domid = atoi(vec[0]);
        /* Ignore the gfn, we don't need it. */
        port = atoi(vec[2]);
@@ -438,9 +435,6 @@ int do_set_target(struct connection *conn, struct 
buffered_data *in)
        if (get_strings(in, vec, ARRAY_SIZE(vec)) < ARRAY_SIZE(vec))
                return EINVAL;
 
-       if (domain_is_unprivileged(conn))
-               return EACCES;
-
        domid = atoi(vec[0]);
        tdomid = atoi(vec[1]);
 
@@ -473,9 +467,6 @@ static struct domain *onearg_domain(struct connection *conn,
        if (!domid)
                return ERR_PTR(-EINVAL);
 
-       if (domain_is_unprivileged(conn))
-               return ERR_PTR(-EACCES);
-
        return find_connected_domain(domid);
 }
 
--
generated by git-patchbot for /home/xen/git/xen.git#staging

Prev by Date: [xen staging] tools/xenstore: simplify and rename check_event_node()
Next by Date: [xen staging] tools/xenstore: rework node removal
Previous by thread: [xen staging] tools/xenstore: simplify and rename check_event_node()
Next by thread: [xen staging] tools/xenstore: rework node removal
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.