[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Xenstore domains and XS_RESTRICT

To: Juergen Gross <jgross@xxxxxxxx>
From: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
Date: Wed, 4 Jan 2017 16:54:41 +0000
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, "George.Dunlap@xxxxxxxxxxxxx" <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jennifer Herbert <Jennifer.Herbert@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Wed, 04 Jan 2017 16:55:25 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

Juergen Gross writes ("Re: Xenstore domains and XS_RESTRICT"):
> Rejecting XS_RESTRICT for a non-socket connection is mandatory to
> ensure a XS_RESTRICT user on an old kernel not knowing about it can't
> drop the privilege of all other user's on that system, too.

Kernels need to proxy all commands from their users, so they should
have a table (usually a switch statement) of supported commands.
New commands are therefore unavailable until the kernel is updated.

I haven't checked the Linux xenbus chardev driver to see if it is
correct ...

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] Xenstore domains and XS_RESTRICT
  - From: Juergen Gross

References:
- Re: [Xen-devel] Xenstore domains and XS_RESTRICT
  - From: Wei Liu
- Re: [Xen-devel] Xenstore domains and XS_RESTRICT
  - From: Juergen Gross

Prev by Date: Re: [Xen-devel] [PATCH RFC 59/59] tools/xenlight: Create interface for xenlight info
Next by Date: [Xen-devel] [ovmf baseline-only test] 68316: all pass
Previous by thread: Re: [Xen-devel] Xenstore domains and XS_RESTRICT
Next by thread: Re: [Xen-devel] Xenstore domains and XS_RESTRICT
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.