[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] Xenstore domains and XS_RESTRICT
On 07/12/16 15:15, Konrad Rzeszutek Wilk wrote: > On Wed, Dec 07, 2016 at 08:44:31AM +0100, Juergen Gross wrote: >> Hi, >> >> today the XS_RESTRICT wire command of Xenstore is supported by >> oxenstored only to drop the privilege of a connection to that of the >> domid given as a parameter to the command. >> >> Using this mechanism with Xenstore running in a stubdom will lead to >> problems as instead of only a dom0 process dropping its privileges >> the privileges of dom0 will be dropped (all dom0 Xenstore requests >> share the same connection). > > .. which means we can't create new XenStore entries or save > off all the XenStore entries? Example: qemu for domid 4 is dropping its privilege to that of domid 4 with xenstore running as domain (in contrast to xenstored). If we don't do anything about it dom0 will only be capable to access xenstore with the privileges domid 4 has (e.g. creation of entries outside of /local/domain/4/ will be impossible). >> >> In order to solve the problem I suggest the following change to the >> Xenstore wire protocol: >> >> struct xsd_sockmsg >> { >> - uint32_t type; /* XS_??? */ >> + uint16_t type; /* XS_??? */ >> + uint16_t domid; /* Use privileges of this domain */ >> uint32_t req_id;/* Request identifier, echoed in daemon's response. */ >> uint32_t tx_id; /* Transaction id (0 if not related to a >> transaction). */ >> uint32_t len; /* Length of data following this. */ >> >> /* Generally followed by nul-terminated string(s). */ >> }; >> >> domid will normally be zero having the same effect as today. >> >> Using XS_RESTRICT via a socket connection will run as today by dropping >> the privileges of that connection. >> >> Using XS_RESTRICT via the kernel (Xenstore domain case) will save the > > Xenstore domain case? As in Linux kernel running the XenStore as > an stubdomain? Xenstore is running in a stubdom and thus dom0 is issuing xenstore commands via the kernel (xenbus driver) to the xenstore domain. > No, that can't be it. I think you mean that the kernel will have > an priviligied connection all the time? No. the kernel will have just one connection. Privilege is derived from domid (dom0 -> 0). >> domid given as parameter in the connection specific private kernel >> structure. All future Xenstore commands of the connection will have >> this domid set in xsd_sockmsg. The kernel will never forward the >> XS_RESTRICT command to Xenstore. > > >> >> A domid other than 0 in xsd_sockmsg will be handled by Xenstore to use >> the privileges of that domain. Specifying a domid in xsd_sockmsg is >> allowed for privileged domain only, of course. XS_RESTRICT via a >> non-socket connection will be rejected in all cases. > > Um, but couldn't a malicious guest decide to craft such packet? There is no socket connection to xenstore domain. >> >> The needed modifications for Xenstore and the kernel are rather small. >> As there is currently no Xenstore domain available supporting >> XS_RESTRICT there are no compatibility issues to expect. >> >> Thoughts? > > I think I need to wrap my head about your use-case? Could you enumerate > what it is? Xenstore isn't running as a daemon in dom0, but as a domain. All domains including dom0 have to connect via xenbus. This means all agents in dom0 accessing xenstore share one connection. In case xenstore is a daemon in dom0 each agent in dom0 accessing xenstore will open an own socket connection to the daemon, so they can drop their privileges independent from each other. Juergen _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel
|
![]() |
Lists.xenproject.org is hosted with RackSpace, monitoring our |