Re: [Xen-devel] [PATCH 1/2] libxl: do not assume Dom0 backend while listing disks and nics
On 01.05.2013 13:43, Ian Campbell wrote:
> On Wed, 2013-05-01 at 11:29 +0100, Ian Jackson wrote:
>> Marek Marczykowski writes ("[PATCH 1/2] libxl: do not assume Dom0 backend
>> while listing disks and nics"):
>>> One more place where code assumed that all backends are in dom0. List
>>> devices in domain device/ tree, instead of backend/ of dom0.
>>> Additionally fix libxl_devid_to_device_{nic,disk} to fill backend_domid
>>> properly.
>>
>> After this change, can a guest cause a backend to be leaked when the
>> domain is destroyed ? If it deletes the contents of the frontend
>> directory in xenstore, I think the device will no longer show up in
>> the lists and so won't be deleted when the guest goes away.
>
> I would have hoped that XS perms on key nodes, like the backend link
> would prevent this, but since the actual frontend directory is guest
> writeable I rather expect we can't make this so.
>
>> Would iterating over all domains looking for backends for a particular
>> frontend domain work ? That would allow a rogue guest to cause
>> entries to appear in the list of course, by pretending to be a
>> backend domain...
>
> Or should libxl keep a shadow list of devices for the domain in its
> private xs directory?

IMHO listing frontend "device/$TYPE" entries is a sufficient compromise.

Downsides:
1. a rogue frontend domain will be able to leak backend xenstore entries

Upsides:
1. all devices will be listed/cleaned up on destroy, not only those
   dom0-backed (assuming no downside "1" occurred)
2. will not introduce additional complexity (either scanning all backends,
   or keeping *in sync* an additional shadow copy of devices)

The current state (without this patch) will always miss all non-dom0 backed
devices, not only in the case of a rogue domain.

Additionally, IMHO the possible leak (downside 1) is bearable b/c the backend
driver watches the frontend "state" entry and, if it disappears, will clean up
the device. So the leak is only xenstore entries, not any real device.
--
Best Regards,
Marek Marczykowski
Invisible Things Lab
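
Added example, not part of the original message and not libxl code: a small in-memory model of the three listing strategies discussed in this thread (dom0 backend/ tree, frontend device/ tree, toolstack-private shadow list), showing which ones still find a driver-domain backend after the guest removes its frontend directory. The domids, the single vif device and the /libxl/<domid>/device/... shadow layout are assumptions made for the model.

```python
# Constructed in-memory model of xenstore (path -> value). Not libxl code.
def make_store(guest=5, driver_dom=3):
    """One vif (devid 0) for `guest`, served by `driver_dom` rather than dom0."""
    fe = f"/local/domain/{guest}/device/vif/0"
    be = f"/local/domain/{driver_dom}/backend/vif/{guest}/0"
    return {
        f"{fe}/backend": be,                # frontend directory: guest-writable
        f"{fe}/backend-id": str(driver_dom),
        f"{fe}/state": "4",
        f"{be}/frontend": fe,               # backend directory: not guest-writable
        f"{be}/state": "4",
        # Assumed toolstack-private shadow entry (hypothetical path layout).
        f"/libxl/{guest}/device/vif/0/backend": be,
    }

def children(store, prefix):
    """Names of the direct children of `prefix`, like a xenstore directory read."""
    prefix = prefix.rstrip("/") + "/"
    return sorted({p[len(prefix):].split("/")[0] for p in store if p.startswith(prefix)})

def list_dom0_backend(store, guest, kind):
    """Pre-patch behaviour: only look under dom0's backend/ tree."""
    base = f"/local/domain/0/backend/{kind}/{guest}"
    return [f"{base}/{d}" for d in children(store, base)]

def list_frontend(store, guest, kind):
    """Patch behaviour: follow the backend link of each frontend device/ entry."""
    base = f"/local/domain/{guest}/device/{kind}"
    return [store[f"{base}/{d}/backend"] for d in children(store, base)
            if f"{base}/{d}/backend" in store]

def list_shadow(store, guest, kind):
    """Shadow-list alternative: read the toolstack-private copy."""
    base = f"/libxl/{guest}/device/{kind}"
    return [store[f"{base}/{d}/backend"] for d in children(store, base)]

def guest_deletes_frontend(store, guest, kind):
    """Downside 1 from the message: the frontend directory disappears."""
    prefix = f"/local/domain/{guest}/device/{kind}/"
    for path in [p for p in store if p.startswith(prefix)]:
        del store[path]

def leaked_backends(store, guest, kind):
    """Backends the shadow list knows about that frontend listing no longer sees."""
    return sorted(set(list_shadow(store, guest, kind))
                  - set(list_frontend(store, guest, kind)))
```

In this model the leftover backend entries are exactly what leaked_backends() reports; the model does not include the backend driver's watch on the frontend "state" node that the message relies on for cleaning up the real device.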