[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging-4.12] tools/ocaml/xenstored: check privilege for XS_IS_DOMAIN_INTRODUCED



commit 5e1bac4a10d25a71a868fda7f4c12f9665d694db
Author:     Edwin Török <edvin.torok@xxxxxxxxxx>
AuthorDate: Tue Dec 15 14:29:04 2020 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Dec 15 14:29:04 2020 +0100

    tools/ocaml/xenstored: check privilege for XS_IS_DOMAIN_INTRODUCED
    
    The Xenstore command XS_IS_DOMAIN_INTRODUCED should be possible for 
privileged
    domains only (the only user in the tree is the xenpaging daemon).
    
    This is part of XSA-115.
    
    Signed-off-by: Edwin Török <edvin.torok@xxxxxxxxxx>
    Acked-by: Christian Lindig <christian.lindig@xxxxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 tools/ocaml/xenstored/process.ml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tools/ocaml/xenstored/process.ml b/tools/ocaml/xenstored/process.ml
index fb0a6d47c3..56aea4ce30 100644
--- a/tools/ocaml/xenstored/process.ml
+++ b/tools/ocaml/xenstored/process.ml
@@ -166,7 +166,9 @@ let do_setperms con t _domains _cons data =
 let do_error _con _t _domains _cons _data =
        raise Define.Unknown_operation
 
-let do_isintroduced _con _t domains _cons data =
+let do_isintroduced con _t domains _cons data =
+       if not (Connection.is_dom0 con)
+       then raise Define.Permission_denied;
        let domid =
                match (split None '\000' data) with
                | domid :: _ -> int_of_string domid
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.12



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.