From: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
To: xen-devel@lists.xensource.com
Cc: wei.liu2@citrix.com, Ian.Jackson@eu.citrix.com,
Ian.Campbell@citrix.com,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Subject: [PATCH v3 1/6] libxl: allow /local/domain/$LIBXL_TOOLSTACK_DOMID/device-model/$DOMID to be written by $DOMID
Date: Wed, 10 Jun 2015 11:09:49 +0100 [thread overview]
Message-ID: <1433930994-32527-1-git-send-email-stefano.stabellini@eu.citrix.com> (raw)
In-Reply-To: <alpine.DEB.2.02.1506101107510.21829@kaball.uk.xensource.com>
The device model is going to restrict its xenstore connection to $DOMID
level. Let qemu-xen access
/local/domain/$LIBXL_TOOLSTACK_DOMID/device-model/$DOMID, as it is
required by QEMU to read/write the physmap. It doesn't contain any
information the guest is not already fully aware of.
Add a maximum limit of physmap entries to save, so that the guest cannot
DOS the toolstack.
Information under
/local/domain/$LIBXL_TOOLSTACK_DOMID/device-model/$DOMID include:
- the device model status, which is updated by the device model before
the guest is unpaused, then ignored by both QEMU and libxl
- the guest physmap, which contains the memory layout of the guest. The
guest is already in possession of this information. A malicious guest
could modify the physmap entries causing QEMU to read wrong information
at restore time. QEMU would populate its XenPhysmap list with wrong
entries that wouldn't match its own device emulation addresses, leading
to a failure in restoring the domain. But it could not compromise the
security of the system because the addresses are only used for checks
against QEMU's addresses.
In the case of qemu-traditional, the state node is used to issue
commands to the device model, so avoid to change permissions in that
case.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
---
In this version I added a limit to the number of xenstore entries to
save, because with this patch they become guest writeable. The guest
could fill xenstore with entries that libxl would need to save during
domain migration.
I didn't worry about the guest filling up xenstore itself, because the
guest could still do it under /local/domain/$DOMID/data or any of the
other nodes owned by the guest. Xenstore needs to protect itself against
this anyway.
---
Changes in v3:
- use LIBXL_TOOLSTACK_DOMID instead of 0 in the commit message
- update commit message with more info on why it is safe
- add a limit on the number of physmap entries to save and restore
Changes in v2:
- fix permissions to actually do what intended
- use LIBXL_TOOLSTACK_DOMID instead of 0
---
tools/libxl/libxl_dm.c | 11 ++++++++++-
tools/libxl/libxl_dom.c | 5 +++++
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
index 79a9a22..2809ba0 100644
--- a/tools/libxl/libxl_dm.c
+++ b/tools/libxl/libxl_dm.c
@@ -1461,6 +1461,7 @@ void libxl__spawn_local_dm(libxl__egc *egc, libxl__dm_spawn_state *dmss)
char **pass_stuff;
const char *dm;
int dm_state_fd = -1;
+ struct xs_permissions rwperm[2];
if (libxl_defbool_val(b_info->device_model_stubdomain)) {
abort();
@@ -1503,7 +1504,15 @@ void libxl__spawn_local_dm(libxl__egc *egc, libxl__dm_spawn_state *dmss)
}
path = libxl__device_model_xs_path(gc, LIBXL_TOOLSTACK_DOMID, domid, "");
- xs_mkdir(ctx->xsh, XBT_NULL, path);
+ if (b_info->device_model_version == LIBXL_DEVICE_MODEL_VERSION_QEMU_XEN) {
+ rwperm[0].id = LIBXL_TOOLSTACK_DOMID;
+ rwperm[0].perms = XS_PERM_NONE;
+ rwperm[1].id = domid;
+ rwperm[1].perms = XS_PERM_WRITE;
+ libxl__xs_mkdir(gc, XBT_NULL, path, rwperm, 2);
+ } else {
+ xs_mkdir(ctx->xsh, XBT_NULL, path);
+ }
if (b_info->type == LIBXL_DOMAIN_TYPE_HVM &&
b_info->device_model_version
diff --git a/tools/libxl/libxl_dom.c b/tools/libxl/libxl_dom.c
index f408646..34b3c54 100644
--- a/tools/libxl/libxl_dom.c
+++ b/tools/libxl/libxl_dom.c
@@ -1677,6 +1677,8 @@ static inline char *physmap_path(libxl__gc *gc, uint32_t dm_domid,
phys_offset, node);
}
+#define MAX_PHYSMAP_ENTRIES 12
+
int libxl__toolstack_save(uint32_t domid, uint8_t **buf,
uint32_t *len, void *dss_void)
{
@@ -1698,6 +1700,9 @@ int libxl__toolstack_save(uint32_t domid, uint8_t **buf,
&num);
count = num;
+ if (count > MAX_PHYSMAP_ENTRIES)
+ return -1;
+
*len = sizeof(version) + sizeof(count);
*buf = calloc(1, *len);
ptr = *buf;
--
1.7.10.4
next prev parent reply other threads:[~2015-06-10 10:09 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-10 10:07 [PATCH v3 0/6] libxl: xs_restrict QEMU Stefano Stabellini
2015-06-10 10:09 ` Stefano Stabellini [this message]
2015-06-16 14:52 ` [PATCH v3 1/6] libxl: allow /local/domain/$LIBXL_TOOLSTACK_DOMID/device-model/$DOMID to be written by $DOMID Wei Liu
2015-06-29 17:50 ` Stefano Stabellini
2015-06-25 16:16 ` Ian Campbell
2015-06-29 17:52 ` Stefano Stabellini
2015-06-30 8:49 ` Ian Campbell
2015-06-30 13:49 ` Stefano Stabellini
2015-06-30 14:04 ` Ian Campbell
2015-06-30 15:00 ` Stefano Stabellini
2015-07-03 14:37 ` Ian Campbell
2015-07-23 17:13 ` Stefano Stabellini
2015-06-30 9:06 ` Ian Jackson
2015-06-10 10:09 ` [PATCH v3 2/6] libxl: do not add a vkb backend to hvm guests Stefano Stabellini
2015-06-16 14:57 ` Wei Liu
2015-06-16 15:39 ` Stefano Stabellini
2015-06-25 16:19 ` Ian Campbell
2015-06-29 17:59 ` Stefano Stabellini
2015-06-30 8:51 ` Ian Campbell
2015-06-30 11:21 ` Stefano Stabellini
2015-06-30 13:32 ` Ian Campbell
2015-06-30 14:02 ` Stefano Stabellini
2015-06-30 14:13 ` Ian Campbell
2015-06-30 20:38 ` Konrad Rzeszutek Wilk
2015-07-01 10:29 ` Stefano Stabellini
2015-07-01 10:55 ` Roger Pau Monné
2015-07-01 10:56 ` Stefano Stabellini
2015-07-01 11:14 ` Roger Pau Monné
2015-07-01 11:10 ` Fabio Fantoni
2015-07-01 18:41 ` Konrad Rzeszutek Wilk
2015-07-02 11:04 ` Stefano Stabellini
2015-07-02 14:31 ` Konrad Rzeszutek Wilk
2015-06-10 10:09 ` [PATCH v3 3/6] [WIP] libxl: xsrestrict QEMU Stefano Stabellini
2015-06-25 16:24 ` Ian Campbell
2015-06-29 18:07 ` Stefano Stabellini
2015-06-30 8:53 ` Ian Campbell
2015-06-30 13:53 ` Stefano Stabellini
2015-06-10 10:09 ` [PATCH v3 4/6] libxl: change xs path for QEMU Stefano Stabellini
2015-06-25 16:21 ` Ian Campbell
2015-06-29 18:26 ` Stefano Stabellini
2015-06-10 10:09 ` [PATCH v3 5/6] libxl: change qdisk-backend-pid path on xenstore Stefano Stabellini
2015-06-10 10:09 ` [PATCH v3 6/6] libxl: spawns two QEMUs for HVM guests Stefano Stabellini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1433930994-32527-1-git-send-email-stefano.stabellini@eu.citrix.com \
--to=stefano.stabellini@eu.citrix.com \
--cc=Ian.Campbell@citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.