[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Xenstore domains and XS_RESTRICT

To: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
From: Juergen Gross <jgross@xxxxxxxx>
Date: Thu, 8 Dec 2016 08:11:04 +0100
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, "George.Dunlap@xxxxxxxxxxxxx" <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jennifer Herbert <Jennifer.Herbert@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Thu, 08 Dec 2016 07:11:20 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 07/12/16 18:00, Ian Jackson wrote:
> Konrad Rzeszutek Wilk writes ("Re: Xenstore domains and XS_RESTRICT"):
>> On Wed, Dec 07, 2016 at 03:26:38PM +0100, Juergen Gross wrote:
>>> There is no socket connection to xenstore domain.
>>
>> Right but it creates its own XenStore ring. Can it send this xsd_sockmsg
>> with domid_id of zero? Or are you saying this is irrelevant becasue
>> what you are interested is for the Linux kernel to filter certain
>> xsd_sockmsg so it won't do something silly?
> 
> The latter.
> 
>> OK, so this all sounds like the OS needs to mediate access? Sorry for
>> being so dense this morning.
> 
> The OS already needs to mediate access for all xenstore commands.  The
> kernel xenbus driver has a list of the commands.  Some of them it will
> "simply" proxy, translating request id and transaction fields, as
> applicable.  Some of them it does something special for.  Unknown
> commands are rejected.

Sorry, this isn't true. There is special handling for watch/unwatch and
transaction start/end. There is no other command filtering involved,
especially no rejection of unknown commands.

> 
>> This would imply that the kernel driver would need to understand
>> the format and disallow the XS_RESTRICT under certain conditions?
> 
> There should be a way to tell the kernel driver that the connection
> should be restricted.  XS_RESTRICT is as good as any.
> 
> But the XS_RESTRICT command must not be forwarded by the kernel proxy
> to the real xenstore.  Rather, the driver must make an annotation in
> its client struct instead.
> 
> That annotation should result in _every_ proxied xenstore command,
> from that client, being decorated so as to specify the restriction
> domain.
> 
> There needs to be an extension to the xenstore protocol to support
> this.

Right.


Juergen


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

References:
- [Xen-devel] Xenstore domains and XS_RESTRICT
  - From: Juergen Gross
- Re: [Xen-devel] Xenstore domains and XS_RESTRICT
  - From: Konrad Rzeszutek Wilk
- Re: [Xen-devel] Xenstore domains and XS_RESTRICT
  - From: Juergen Gross
- Re: [Xen-devel] Xenstore domains and XS_RESTRICT
  - From: Konrad Rzeszutek Wilk
- Re: [Xen-devel] Xenstore domains and XS_RESTRICT
  - From: Ian Jackson

Prev by Date: [Xen-devel] [xen-unstable-smoke test] 103062: tolerable all pass - PUSHED
Next by Date: [Xen-devel] prebuilt binaries for arm-cortex a15 dom0 modules for xen
Previous by thread: Re: [Xen-devel] Xenstore domains and XS_RESTRICT
Next by thread: Re: [Xen-devel] Xenstore domains and XS_RESTRICT
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.