[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] PATCH: Actually make /local/domain/$DOMID readonly to the guest

  • To: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
  • From: Keir Fraser <keir.fraser@xxxxxxxxxxxxx>
  • Date: Thu, 18 Dec 2008 17:53:49 +0000
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Thu, 18 Dec 2008 09:53:58 -0800
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>
  • Thread-index: AclhOZSLUDC1Veoldk6O5/dr823FDg==
  • Thread-topic: [Xen-devel] PATCH: Actually make /local/domain/$DOMID readonly to the guest

On 18/12/2008 17:49, "Daniel P. Berrange" <berrange@xxxxxxxxxx> wrote:

>> However there are other places in xend that commit the same error, and this
>> interface weakness would doubtless bite us again in future. Hence the patch
>> I actually committed (c/s 18933) actually takes a different strategy: in the
>> bowels of the xend xenstore C package I check to see if the caller is try to
>> change permissions of the node owner, and if so I fudge in dom0 as the owner
>> instead. A bit grim, but I think probably a safer bet in this instance.
> I think that looks correct to me. The easy way to test is to try and
> write to '/local/domain/$DOMID/console/tty' from within the guest and
> see if it succeeds or not

Yes, I actually tested that, and it was no longer writeable. Same for a few
susceptible nodes under /vm too.

 -- Keir

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.