[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 1/2] libxl: do not assume Dom0 backend while listing disks and nics

On 01.05.2013 13:43, Ian Campbell wrote:
> On Wed, 2013-05-01 at 11:29 +0100, Ian Jackson wrote:
>> Marek Marczykowski writes ("[PATCH 1/2] libxl: do not assume Dom0 backend 
>> while listing disks and nics"):
>>> One more place where code assumed that all backends are in dom0. List
>>> devices in domain device/ tree, instead of backend/ of dom0.
>>> Additionally fix libxl_devid_to_device_{nic,disk} to fill backend_domid
>>> properly.
>> After this change, can a guest cause a backend to be leaked when the
>> domain is destroyed ?  If it deletes the contents of the frontend
>> directory in xenstore, I think the device will no longer show up in
>> the lists and so won't be deleted when the guest goes away.
> I would have hoped that XS perms on key nodes, like the backend link
> would prevent this, but since the actual frontend directory is guest
> writeable I rather expect we can't make this so.
>> Would iterating over all domains looking for backends for a particular
>> frontend domain work ?  That would allow a rogue guest to cause
>> entries to appear in the list of course, by pretending to be a
>> backend domain...
> Or should libxl keep a shadow list of devices for the domain in its
> private xs directory?

IMHO listing frontend "device/$TYPE" entries is sufficient compromise.
1. rogue frontend domain will be able to make leak backend xenstore entries
1. all devices will be listed/cleaned up on destroy, not only those
dom0-backed (assuming no downside "1" occurred)
2. will not introduce additional complexity (either scanning all backends, or
keeping *in sync* additional shadow copy of devices)

The current state (without this patch) will always miss all non-dom0 backed
devices, not only in case of rogue domain. Additionally IMHO possible leak
(downside 1) is bearable b/c backend driver watches frontend "state" entry and
if it disappear - will clean up the device. So the leak is only xenstore
entries, not any real device.

Best Regards,
Marek Marczykowski
Invisible Things Lab

Attachment: signature.asc
Description: OpenPGP digital signature

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.