Re: [Xen-devel] [PATCH v3 1/6] libxl: allow /local/domain/$LIBXL_TOOLSTACK_DOMID/device-model/$DOMID to be written by $DOMID

[Ian Campbell <ian.campbell@xxxxxxxxxx>]

On Tue, 2015-06-30 at 14:49 +0100, Stefano Stabellini wrote:
> > > The reason why I feel comfortable having such an high limit compared to
> > > the actual usage, is that it is only meant to prevent the guest from
> > > filling up dom0's disk, as this information is saved to file. As
> > > xenstore entries have a size limit themselves, we should be pretty safe.
> > 
> > I'm not bothered by how high or low the limit is, just the mechanisms
> > which we intend to use in order to cope when it changes, which are much
> > easier to put in place now than trying to retrofit such a thing while
> > retaining support for existing released versions of qemu. 
> > 
> > > > There is an interesting general issue here which is that we have
> > > > XS_RESTRICT which changes a connection to be treated as having the
> > > > permissions of a given target domain instead of the originating
> > > > privileged domain.
> > > > 
> > > > This means that in order to reduce the privileges of one thing we have
> > > > to increase the privilege of the guest itself (by granting access to
> > > > those paths), which seems rather counter-intuitive.
> > > > 
> > > > What we really want is a new privilege type which is "read/write to
> > > > connections which are _privileged_ over $domid, but not $domid itself"
> > > > and for XS_RESTRICT to imply that.
> > > > 
> > > > Retrofitting something like that to xenstored would be tricky I suspect.
> > > > 
> > > > When the physmap stuff was added doing it via xenstore was convenient
> > > > because we weren't concerning ourselves with this deprivileging. How
> > > > that we are though perhaps we should think about whether this is still
> > > > appropriate and consider using a QMP command to request the list instead
> > > > for example.
> > > 
> > > That is true, however this doesn't mean we cannot also add a QMP command
> > > in the future too, especially if we follow Wei's suggestion and we only
> > > change the permissions if xs_restrict. We could also implemented a
> > > different XS_RESTRICT. In other words, I don't think we have to come up
> > > with the best possible solution right now, we just need to improve over
> > > what we already have. I think that this is an improvement.
> > 
> > It's not a strict improvement though, it trading off giving the guest
> > access to stuff which it never previously had a need to and which the
> > toolstack consumes.
> 
> I understand that strictly speaking what you wrote is true, however I
> would like to point out that the information under device-model on
> xenstore is already exposed to the guest by other means (pci config
> space, etc.).

It's the ability of the guest to change this info into fakery that the
restorer will consume which is new here and possibly dangerous. Has the
reader of this data (both on the save side moving it into the stream and
on the restore side taking it back out) been audited for safety now that
this data is untrusted?

> > Doing something via qmp now would turn this into a no-brainer strict
> > improvement rather than something which requires careful consideration
> > of trade offs.
> 
> Unfortunately QMP is not available early enough at restore time.  That's
> why we went for storing the physmap on xenstore in the first place.

That's a shame.

> Also it would certainly push the series past the code freeze.

It seems like its not an option, but if it were I wouldn't be inclined
to let that stop us doing the right technical thing in general. There's
always another release.

Ian.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel