|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH v2] xenstore: remove XS_RESTRICT support
On 23/01/17 13:14, Wei Liu wrote: > On Mon, Jan 23, 2017 at 12:32:55PM +0100, Juergen Gross wrote: >> XS_RESTRICT and the xenstore library function xs_restrict() have never >> been usable in all configurations and there are no known users. >> >> This functionality was thought to limit access rights of device models >> to xenstore in order to avoid affecting other domains in case of a >> security breech. Unfortunately XS_RESTRICT won't help as current >> qemu is requiring access to dom0 only accessible xenstore paths to >> work correctly. So this command is useless and should be removed. >> >> In order to avoid problems in the future remove all support for >> XS_RESTRICT from xenstore. >> >> Signed-off-by: Juergen Gross <jgross@xxxxxxxx> >> --- >> I'm rather sure I didn't delete anything from oxenstored not related >> to XS_RESTRICT, but I could have missed something. I'd appreciate a >> thorough review of the ocaml changes I did as my knowledge is rather >> limited here. > [...] >> in >> if domid = Define.domid_self || Domains.exist domains domid then >> "T\000" else "F\000" >> >> -(* [restrict] is in the patch queue since xen3.2 *) >> -let do_restrict con t domains cons data = >> - if not (Connection.is_dom0 con) >> - then raise Define.Permission_denied; >> - let domid = >> - match (split None '\000' data) with >> - | [ domid; "" ] -> c_int_of_string domid >> - | _ -> raise Invalid_Cmd_Args >> - in >> - Connection.restrict con domid > > You haven't removed the restrict function in connection.ml and perms.ml. I wasn't sure whether they are needed for "normal" permission checks. Will remove them in V3. Juergen _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |