[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH RFC 06/12] libxl: set correct permissions for the full backend path



On Mon, 2013-09-23 at 12:30 +0200, Roger Pau Monne wrote:
> The backend path should be fully owned by the domain where it resides.

I can see why /local/domain/<domid>backends/<type>/<id> would need to be
owned by the backend dom, but why
do /local/domain/<domid>backends/<type>/, /local/domain/<domid>backends/, etc 
need to be?

The backend should be writing only to the one directory associated with
the device I think.

> 
> Signed-off-by: Roger Pau Monnà <roger.pau@xxxxxxxxxx>
> Cc: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
> Cc: Ian Campbell <ian.campbell@xxxxxxxxxx>
> ---
>  tools/libxl/libxl_device.c   |   45 +++++++++++++++++++++++++++++++++++++++--
>  tools/libxl/libxl_internal.h |    2 +
>  2 files changed, 44 insertions(+), 3 deletions(-)
> 
> diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
> index 082bd2a..f39b7b1 100644
> --- a/tools/libxl/libxl_device.c
> +++ b/tools/libxl/libxl_device.c
> @@ -83,6 +83,47 @@ out:
>      return rc;
>  }
>  
> +int libxl__create_backend_path(libxl__gc *gc, xs_transaction_t t,
> +                               libxl__device *device)
> +{
> +    char *dom_backend_path;
> +    char *be_path = libxl__device_backend_path(gc, device);
> +    char *p;
> +    struct xs_permissions backend_dir_perms[2];
> +    struct xs_permissions backend_path_perms[1];
> +    int rc;
> +
> +    backend_path_perms[0].id = device->backend_domid;
> +    backend_path_perms[0].perms = XS_PERM_NONE;
> +
> +    backend_dir_perms[0].id = device->backend_domid;
> +    backend_dir_perms[0].perms = XS_PERM_NONE;
> +    backend_dir_perms[1].id = device->domid;
> +    backend_dir_perms[1].perms = XS_PERM_READ;
> +
> +    rc = libxl__xs_rm_checked(gc, t, be_path);
> +    if (rc) goto error;
> +    if (!libxl__xs_mkdir(gc, t, be_path, backend_dir_perms,
> +        ARRAY_SIZE(backend_dir_perms)))
> +        goto error;
> +
> +    dom_backend_path = GCSPRINTF("%s/backend",
> +                            libxl__xs_get_dompath(gc, 
> device->backend_domid));
> +    while (strcmp(be_path, dom_backend_path) != 0) {
> +        p = strrchr(be_path, '/');
> +        if (!p) goto error;
> +        *p = '\0';
> +
> +        xs_set_permissions(CTX->xsh, t, be_path, backend_path_perms,
> +                           ARRAY_SIZE(backend_path_perms));
> +    }
> +
> +    return 0;
> +
> +error:
> +    return ERROR_FAIL;
> +}
> +
>  int libxl__device_generic_add(libxl__gc *gc, xs_transaction_t t,
>          libxl__device *device, char **bents, char **fents, char **ro_fents)
>  {
> @@ -135,9 +176,7 @@ retry_transaction:
>      }
>  
>      if (bents) {
> -        xs_rm(ctx->xsh, t, backend_path);
> -        xs_mkdir(ctx->xsh, t, backend_path);
> -        xs_set_permissions(ctx->xsh, t, backend_path, backend_perms, 
> ARRAY_SIZE(backend_perms));
> +        libxl__create_backend_path(gc, t, device);
>          xs_write(ctx->xsh, t, libxl__sprintf(gc, "%s/frontend", 
> backend_path), frontend_path, strlen(frontend_path));
>          libxl__xs_writev(gc, t, backend_path, bents);
>      }
> diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
> index 3b74726..1746b7d 100644
> --- a/tools/libxl/libxl_internal.h
> +++ b/tools/libxl/libxl_internal.h
> @@ -929,6 +929,8 @@ _hidden int libxl__domain_pvcontrol_write(libxl__gc *gc, 
> xs_transaction_t t,
>  _hidden char *libxl__device_disk_string_of_backend(libxl_disk_backend 
> backend);
>  _hidden char *libxl__device_disk_string_of_format(libxl_disk_format format);
>  _hidden int libxl__device_disk_set_backend(libxl__gc*, libxl_device_disk*);
> +_hidden int libxl__create_backend_path(libxl__gc *gc, xs_transaction_t t,
> +                                       libxl__device *device);
>  
>  _hidden int libxl__device_physdisk_major_minor(const char *physpath, int 
> *major, int *minor);
>  _hidden int libxl__device_disk_dev_number(const char *virtpath,



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.