|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen staging-4.11] tools/ocaml/xenstored: add xenstored.conf flag to turn off watch permission checks
commit 7791d2ed24daa1cc108139790e6fc0bcc927794f
Author: Edwin Török <edvin.torok@xxxxxxxxxx>
AuthorDate: Tue Dec 15 14:37:15 2020 +0100
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Dec 15 14:37:15 2020 +0100
tools/ocaml/xenstored: add xenstored.conf flag to turn off watch permission
checks
There are flags to turn off quotas and the permission system, so add one
that turns off the newly introduced watch permission checks as well.
This is part of XSA-115.
Signed-off-by: Edwin Török <edvin.torok@xxxxxxxxxx>
Acked-by: Christian Lindig <christian.lindig@xxxxxxxxxx>
Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
tools/ocaml/xenstored/connection.ml | 2 +-
tools/ocaml/xenstored/oxenstored.conf.in | 10 ++++++++++
tools/ocaml/xenstored/perms.ml | 5 +++++
tools/ocaml/xenstored/xenstored.ml | 1 +
4 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/tools/ocaml/xenstored/connection.ml
b/tools/ocaml/xenstored/connection.ml
index 1389d971c2..698f721345 100644
--- a/tools/ocaml/xenstored/connection.ml
+++ b/tools/ocaml/xenstored/connection.ml
@@ -218,7 +218,7 @@ let fire_single_watch_unchecked watch =
let fire_single_watch (oldroot, root) watch =
let abspath = get_watch_path watch.con watch.path |>
Store.Path.of_string in
let perms = lookup_watch_perms oldroot root abspath in
- if List.exists (Perms.has watch.con.perm READ) perms then
+ if Perms.can_fire_watch watch.con.perm perms then
fire_single_watch_unchecked watch
else
let perms = perms |> List.map (Perms.Node.to_string ~sep:" ")
|> String.concat ", " in
diff --git a/tools/ocaml/xenstored/oxenstored.conf.in
b/tools/ocaml/xenstored/oxenstored.conf.in
index 6579b84448..d5d4f00de8 100644
--- a/tools/ocaml/xenstored/oxenstored.conf.in
+++ b/tools/ocaml/xenstored/oxenstored.conf.in
@@ -44,6 +44,16 @@ conflict-rate-limit-is-aggregate = true
# Activate node permission system
perms-activate = true
+# Activate the watch permission system
+# When this is enabled unprivileged guests can only get watch events
+# for xenstore entries that they would've been able to read.
+#
+# When this is disabled unprivileged guests may get watch events
+# for xenstore entries that they cannot read. The watch event contains
+# only the entry name, not the value.
+# This restores behaviour prior to XSA-115.
+perms-watch-activate = true
+
# Activate quota
quota-activate = true
quota-maxentity = 1000
diff --git a/tools/ocaml/xenstored/perms.ml b/tools/ocaml/xenstored/perms.ml
index 23b80aba3d..ee7fee6bda 100644
--- a/tools/ocaml/xenstored/perms.ml
+++ b/tools/ocaml/xenstored/perms.ml
@@ -20,6 +20,7 @@ let info fmt = Logging.info "perms" fmt
open Stdext
let activate = ref true
+let watch_activate = ref true
type permty = READ | WRITE | RDWR | NONE
@@ -168,5 +169,9 @@ let check connection request node =
(* check if the current connection has the requested perm on the current node
*)
let has connection request node = not (lacks connection request node)
+let can_fire_watch connection perms =
+ not !watch_activate
+ || List.exists (has connection READ) perms
+
let equiv perm1 perm2 =
(Node.to_string perm1) = (Node.to_string perm2)
diff --git a/tools/ocaml/xenstored/xenstored.ml
b/tools/ocaml/xenstored/xenstored.ml
index e9f471846f..30fc874327 100644
--- a/tools/ocaml/xenstored/xenstored.ml
+++ b/tools/ocaml/xenstored/xenstored.ml
@@ -95,6 +95,7 @@ let parse_config filename =
("conflict-max-history-seconds", Config.Set_float
Define.conflict_max_history_seconds);
("conflict-rate-limit-is-aggregate", Config.Set_bool
Define.conflict_rate_limit_is_aggregate);
("perms-activate", Config.Set_bool Perms.activate);
+ ("perms-watch-activate", Config.Set_bool Perms.watch_activate);
("quota-activate", Config.Set_bool Quota.activate);
("quota-maxwatch", Config.Set_int Define.maxwatch);
("quota-transaction", Config.Set_int Define.maxtransaction);
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.11
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |