[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Xenstore domains and XS_RESTRICT

To: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Juergen Gross <jgross@xxxxxxxx>
Date: Wed, 7 Dec 2016 08:44:31 +0100
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, "George.Dunlap@xxxxxxxxxxxxx" <George.Dunlap@xxxxxxxxxxxxx>, Jennifer Herbert <Jennifer.Herbert@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Delivery-date: Wed, 07 Dec 2016 07:45:02 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

Hi,

today the XS_RESTRICT wire command of Xenstore is supported by
oxenstored only to drop the privilege of a connection to that of the
domid given as a parameter to the command.

Using this mechanism with Xenstore running in a stubdom will lead to
problems as instead of only a dom0 process dropping its privileges
the privileges of dom0 will be dropped (all dom0 Xenstore requests
share the same connection).

In order to solve the problem I suggest the following change to the
Xenstore wire protocol:

 struct xsd_sockmsg
 {
-    uint32_t type;  /* XS_??? */
+    uint16_t type;  /* XS_??? */
+    uint16_t domid; /* Use privileges of this domain */
     uint32_t req_id;/* Request identifier, echoed in daemon's response.  */
     uint32_t tx_id; /* Transaction id (0 if not related to a
transaction). */
     uint32_t len;   /* Length of data following this. */

     /* Generally followed by nul-terminated string(s). */
 };

domid will normally be zero having the same effect as today.

Using XS_RESTRICT via a socket connection will run as today by dropping
the privileges of that connection.

Using XS_RESTRICT via the kernel (Xenstore domain case) will save the
domid given as parameter in the connection specific private kernel
structure. All future Xenstore commands of the connection will have
this domid set in xsd_sockmsg. The kernel will never forward the
XS_RESTRICT command to Xenstore.

A domid other than 0 in xsd_sockmsg will be handled by Xenstore to use
the privileges of that domain. Specifying a domid in xsd_sockmsg is
allowed for privileged domain only, of course. XS_RESTRICT via a
non-socket connection will be rejected in all cases.

The needed modifications for Xenstore and the kernel are rather small.
As there is currently no Xenstore domain available supporting
XS_RESTRICT there are no compatibility issues to expect.

Thoughts?


Juergen

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] Xenstore domains and XS_RESTRICT
  - From: Ian Jackson
- Re: [Xen-devel] Xenstore domains and XS_RESTRICT
  - From: Konrad Rzeszutek Wilk

Prev by Date: Re: [Xen-devel] [PATCH 1/3] x86/HVM: introduce hvm_get_cpl() and respective hook
Next by Date: Re: [Xen-devel] [PATCH v4 08/15] pvh/acpi: Handle ACPI accesses for PVH guests
Previous by thread: Re: [Xen-devel] [Qemu-devel] [PATCH 0/3] Add new qmp commands to suppurt Xen COLO
Next by thread: Re: [Xen-devel] Xenstore domains and XS_RESTRICT
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.