Re: [Xen-devel] [PATCH] /sys/hypervisor/uuid
On 19 May 2006, at 18:21, Markus Armbruster wrote:

>> Alternatively, you could add some code to the xenstore dev driver to only allow read-only access for non-root users.
>
> Does the dev driver enforce root? Isn't that policy in the kernel?

It's enforced only by the device file permissions and owner/group right now.

> Is it safe to allow unprivileged read-only access to *all* of xenstore in domU?

Not naively, I'm pretty sure. Not because I think that the guest-accessible portions of xenstore contain big secrets, but simply because I don't particularly trust the xenstore dev driver (for example, a process that starts a transaction and never finishes it will prevent save/restore from working). If we allowed a non-root process to execute only XS_READ, I think that would be okay.

I'm personally not against the sysfs solution though, if we agree that seeing your own uuid is useful at all. At least it is small and self-contained and, in the face of VM fork, I can imagine supporting poll/select/sigio on that sysfs file or some other to notify processes when platform/guest details have changed due to virtualisation-specific events. It's maybe possible to support that kind of thing in other ways, but it sounds like a pita to me.

-- Keir

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
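The restriction suggested in the message above (a non-root process may execute only XS_READ), sketched as an added example that is not part of the original message and is not Xen's driver code. The header layout and constants follow Xen's public `io/xs_wire.h`; the function `xs_request_allowed`, its `privileged` flag, and the choice to also reject unprivileged reads that name a transaction are assumptions of this sketch.

```c
/* Added illustration, not Xen source. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values as defined in Xen's public io/xs_wire.h. */
enum { XS_READ = 2, XS_TRANSACTION_START = 6, XS_WRITE = 11 };
#define XENSTORE_PAYLOAD_MAX 4096
#define XBT_NIL 0u                 /* tx_id meaning "no transaction" */

struct xsd_sockmsg {
    uint32_t type;                 /* XS_* request type */
    uint32_t req_id;               /* echoed back in the reply */
    uint32_t tx_id;                /* transaction id, 0 if none */
    uint32_t len;                  /* payload length in bytes */
};

/* Hypothetical policy hook: may this request be forwarded to xenstore? */
bool xs_request_allowed(const struct xsd_sockmsg *hdr,
                        const char *payload, bool privileged)
{
    if (hdr->len > XENSTORE_PAYLOAD_MAX)
        return false;              /* oversized for any caller */
    if (privileged)
        return true;               /* root keeps full access */

    /* Unprivileged: XS_READ only, and outside any transaction, so the
     * caller can neither open a transaction nor ride on an open one. */
    if (hdr->type != XS_READ || hdr->tx_id != XBT_NIL)
        return false;

    /* XS_READ carries exactly one NUL-terminated path. */
    if (hdr->len == 0 || payload[hdr->len - 1] != '\0')
        return false;
    return memchr(payload, '\0', hdr->len) == payload + hdr->len - 1;
}

int main(void)
{
    /* Constructed sample requests. */
    const char path[] = "vm";
    struct xsd_sockmsg rd = { XS_READ, 1, XBT_NIL, sizeof path };
    struct xsd_sockmsg ts = { XS_TRANSACTION_START, 2, XBT_NIL, 1 };

    printf("non-root XS_READ: %d\n", xs_request_allowed(&rd, path, false));
    printf("non-root XS_TRANSACTION_START: %d\n",
           xs_request_allowed(&ts, "", false));
    return 0;
}
```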