
Re: [Xen-users] Mini-OS Xenstore Permissions





On Mon, Jul 2, 2012 at 4:56 PM, Ian Campbell <Ian.Campbell@xxxxxxxxxx> wrote:
On Mon, 2012-07-02 at 16:45 +0100, Adrian Shaw wrote:
> Good evening to you all,
>
>
> Apologies if this is a naive question.
> I am currently working on the Mini-OS stubdomain and trying to access
> the Xenstore.
> Mini-OS has its own implementation for accessing the Xenstore
> (xs_wire.h) with functions such as xs_write, xs_read etc
> However when the stubdomain is run it doesn't even have permission to
> access its own local area in the Xenstore,

access == write or read as well?

Yes, both reading and writing.
 
> e.g. /local/domain/16

Where are you getting this path from at runtime?

Using xs_get_domain_path
 
Is it just /local/domain/<domid> or subkeys under it too e.g. can you
read /local/domain/<domid>/vm or /local/domain/<domid>/name?

I have tried to write subkeys too, however I'm not sure whether I was doing so correctly. It yields the same error code.
There is no xs_mkdir implementation in Mini-OS, strangely. 
 
>
> (I get an EACCES error code)
>
>
> I have tried reading the wiki but it isn't clear when permissions need
> to be set.


> Are they meant to be set before the stubdomain is launched?
> Is it like this by default?

The toolstack should do this for you, before launching the domain.

How are you loading the domain?

Using xm create mystub.config -c, unless you mean something more specific?
Is there anything about permissions I should be placing in the configuration file?
 
"xenstore-ls -fp" should give you some insight into the permissions
which are being set.

I have tried that already, but couldn't find anything that explains what n0 or r0 mean?
 
I wouldn't be surprised if a domain could not write
to /local/domain/<domid> itself but there should be accessible keys
under there.

How can I browse these available keys at runtime?
 
> Furthermore, is Mini-OS capable of setting permissions for other
> guests to access a particular path in the Xenstore, using a C call?
> So far I have not seen anything that does this.

Usually only the toolstack can control permissions in this way.

Makes sense. I'll have to assign permissions before creation then.
 
This is relaxed slightly for a qemu-stubdomain which does have some
additional XS privileges over the domain for which it is the device
model (but only that domain).

> I'd be grateful if you can clear up this confusion I'm having.
>
>
> Regards,
>
>
> Adrian



I am new to Xen so you'll have to forgive me!

Thanks,

Adrian
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
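
An added example, not written by either poster and not Xen's own code: a reader for the permission suffixes that "xenstore-ls -fp" prints, such as the n0 and r0 asked about above. It assumes the permission-list rules given in Xen's xenstore documentation (the first entry names the owner and sets the default for every other domain, later entries are per-domain overrides, and the letters are n = none, r = read, w = write, b = both); the sample lines and the function names are constructed for illustration.

```python
import re

# Permission letters: n = no access, r = read, w = write, b = both.
PERM_OPS = {"n": set(), "r": {"read"}, "w": {"write"}, "b": {"read", "write"}}

# One `xenstore-ls -fp` line: /path = "value"   (n0,r16)
LINE_RE = re.compile(
    r'^(?P<path>/\S*) = "(?P<value>.*)"\s+'
    r'\((?P<perms>[nrwb]\d+(?:,[nrwb]\d+)*)\)$'
)

# Constructed sample output for a guest with domid 16 (not real captured data).
SAMPLE = '''\
/local/domain/16 = ""   (n0,r16)
/local/domain/16/name = "mystub"   (n0,r16)
/local/domain/16/data = ""   (n16)
/local/domain/16/device/vif/0/state = "1"   (n16,r0)
'''

def parse_line(line):
    """Return (path, [(letter, domid), ...]) for one output line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised xenstore-ls line: {line!r}")
    perms = [(p[0], int(p[1:])) for p in m["perms"].split(",")]
    return m["path"], perms

def allowed(perms, domid):
    """Operations that `domid` may perform on a node with this permission list."""
    default_letter, owner = perms[0]
    if domid == 0 or domid == owner:
        return {"read", "write"}          # dom0 and the owner are never restricted
    for letter, dom in perms[1:]:
        if dom == domid:
            return set(PERM_OPS[letter])  # explicit per-domain entry
    return set(PERM_OPS[default_letter])  # first entry: default for other domains

def report(text, domid):
    """Map each path in `text` to the operations available to `domid`."""
    return {path: allowed(perms, domid)
            for path, perms in map(parse_line, text.splitlines())}

if __name__ == "__main__":
    for path, ops in report(SAMPLE, 16).items():
        print(f"{path:45} {sorted(ops) or 'no access'}")
```

Read this way, (n0,r16) is a node owned by dom0 that domain 16 can only read, while (n16) is a node owned by domain 16 itself.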

 

