[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v5.1 2/8] xen: restrict: use xentoolcore_restrict_all

To: Stefano Stabellini <sstabellini@xxxxxxxxxx>
From: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
Date: Fri, 27 Oct 2017 11:30:38 +0100
Cc: Anthony PERARD <anthony.perard@xxxxxxxxxx>, Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, qemu-devel@xxxxxxxxxx, Juergen Gross <jgross@xxxxxxxx>
Delivery-date: Fri, 27 Oct 2017 10:30:54 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

Stefano Stabellini writes ("Re: [PATCH v5.1 2/8] xen: restrict: use 
xentoolcore_restrict_all"):
> On Fri, 20 Oct 2017, Ian Jackson wrote:
...
> > Drop individual use of xendevicemodel_restrict and
> > xenforeignmemory_restrict.  These are not actually effective in this
> > version of qemu, because qemu has a large number of fds open onto
> > various Xen control devices.
...
> Wait, if the compat stub returns error, and this patch removed the code
> to check for ENOTTY, doesn't it prevent any QEMU compiled against older
> Xen from working?
> 
> Or am I missing something?

You are right, but this is intended.  The paragraph I quote in the
commit message above is intended to explain.

That is: without xentoolcore_restrict_all, -xen-domid-restrict is a
booby-trap.  It does not actually prevent a compromised qemu from
doing anything.  So there is no reason to pass it in such a
configuration.  If you do pass it it is better for the domain startup
to fail, than for it to carry on without the restriction.

The only reason I am not saying someone should be issuing an advisory
is that this feature was never supported by any of the Xen toolstacks.

Thanks,
Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH v5.1 2/8] xen: restrict: use xentoolcore_restrict_all
  - From: Stefano Stabellini

References:
- Re: [Xen-devel] [PATCH v5 0/8] xen: xen-domid-restrict improvements
  - From: Ian Jackson
- [Xen-devel] [PATCH v5.1 1/8] xen: link against xentoolcore
  - From: Ian Jackson
- [Xen-devel] [PATCH v5.1 2/8] xen: restrict: use xentoolcore_restrict_all
  - From: Ian Jackson
- Re: [Xen-devel] [PATCH v5.1 2/8] xen: restrict: use xentoolcore_restrict_all
  - From: Stefano Stabellini

Prev by Date: Re: [Xen-devel] [PATCH v5.1 6/8] xen: destroy_hvm_domain: Try xendevicemodel_shutdown
Next by Date: Re: [Xen-devel] [PATCH v5.1 7/8] os-posix: Provide new -runas <uid>:<gid> facility
Previous by thread: Re: [Xen-devel] [PATCH v5.1 2/8] xen: restrict: use xentoolcore_restrict_all
Next by thread: Re: [Xen-devel] [PATCH v5.1 2/8] xen: restrict: use xentoolcore_restrict_all
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.