Re: [Xen-devel] [PATCH][ACM] kernel enforcement of vbd policies via blkback driver

>> The tools hook is not just a usability/conformity check. The check
>> ensures that the tools will not set up entries in xenstore that would
>> allow blkback to create a non-conformant vbd. So there is no way for a
>> guest to trick blkback into creating a non-conformant vbd: it can only
>> connect to vbds specified in its config file or added later via the
>> vbd-add xm hotplug command. The tools stack should perform its
>> compliance checks on both 'xm create' and 'xm vbd-add', and that should
>> be sufficient.
>
>My concern is that security is now relying on the correctness of all code
>that can write to the xenstore. The quantity of code that does this will
>likely continue to grow, and even include third party tools. If any of
>this code attaches a vbd to a domain without performing a security check,
>then the security would be bypassed.

There's still a major dependency on xenstore; it's pretty much part of the TCB at present. I know some folks have been thinking about how to 'secure' it more comprehensively while allowing integration with whatever ACM policy is in force. I think this is a more promising approach than an ad hoc extra check in blkback.

cheers,
S.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel