From: Ian Campbell <ian.campbell@citrix.com>
To: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: wei.liu2@citrix.com, xen-devel@lists.xensource.com,
	Ian.Jackson@eu.citrix.com
Subject: Re: [PATCH v3 1/6] libxl: allow /local/domain/$LIBXL_TOOLSTACK_DOMID/device-model/$DOMID to be written by $DOMID
Date: Thu, 25 Jun 2015 17:16:26 +0100
Message-ID: <1435248986.32500.110.camel@citrix.com>
In-Reply-To: <1433930994-32527-1-git-send-email-stefano.stabellini@eu.citrix.com>

On Wed, 2015-06-10 at 11:09 +0100, Stefano Stabellini wrote:
> The device model is going to restrict its xenstore connection to $DOMID
> level.

Am I correct in concluding that only oxenstored supports XS_RESTRICT? I
don't see it in C xenstored at all.

>  Let qemu-xen access
> /local/domain/$LIBXL_TOOLSTACK_DOMID/device-model/$DOMID, as it is
> required by QEMU to read/write the physmap. It doesn't contain any
> information the guest is not already fully aware of.

docs/misc/xenstore-paths.markdown should also be updated to reflect the
changes here (and document any keys which are missing, since you seem to
list more here than the doc contains).

> Add a maximum limit of physmap entries to save, so that the guest cannot
> DOS the toolstack.

How will we cope when the limit needs to be increased in the future for
some reason?

There is an interesting general issue here which is that we have
XS_RESTRICT which changes a connection to be treated as having the
permissions of a given target domain instead of the originating
privileged domain.

This means that in order to reduce the privileges of one thing we have
to increase the privilege of the guest itself (by granting access to
those paths), which seems rather counter-intuitive.

What we really want is a new privilege type which is "read/write to
connections which are _privileged_ over $domid, but not $domid itself"
and for XS_RESTRICT to imply that.

Retrofitting something like that to xenstored would be tricky I suspect.

When the physmap stuff was added doing it via xenstore was convenient
because we weren't concerning ourselves with this deprivileging. Now
that we are though perhaps we should think about whether this is still
appropriate and consider using a QMP command to request the list instead
for example.

> @@ -1698,6 +1700,9 @@ int libxl__toolstack_save(uint32_t domid, uint8_t **buf,
>                  &num);
>      count = num;
>  
> +    if (count > MAX_PHYSMAP_ENTRIES)
> +        return -1;
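Review bot: the new bound fails silently. `if (count > MAX_PHYSMAP_ENTRIES) return -1;` gives whoever is debugging a failed save no way to tell a guest that wrote more physmap entries than the toolstack will accept apart from any other failure of libxl__toolstack_save. Log the domid, `count` and `MAX_PHYSMAP_ENTRIES` before returning, for example with libxl's LOG(ERROR, ...) macro, so the event is visible in the toolstack log; a guest exceeding this limit is exactly the condition the commit message says the check exists to catch, and it is worth an audit trail.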

Probably worth logging some sort of clue here.

Ian.
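The permission argument in the message above (a restricted connection is treated as the target domain, so letting the device model write a node also lets the guest write it) can be made concrete with a small model of xenstore ACL evaluation. The block below is an added illustration, not Xen's xenstored or libxl code: it models xenstore's owner/default/override permission letters (n, r, w, b), a connection before and after XS_RESTRICT, and, as a clearly hypothetical extension, the "privileged over $domid but not $domid itself" permission the message wishes for, spelled here as the made-up letter "p". The path, the domid 5 and the letter "p" are constructed for the example.

```python
from dataclasses import dataclass, field

DOM0 = 0  # the privileged toolstack domain


@dataclass
class Node:
    """Permissions of one xenstore node, modelled after the real scheme:
    an owner, a default letter for every other domain, and per-domain
    overrides (n=none, r=read, w=write, b=both). Owner and dom0 always
    have full access. This is a model, not xenstored's own structures."""
    owner: int
    default: str = "n"
    overrides: dict = field(default_factory=dict)


@dataclass
class Conn:
    """A xenstore connection. `origin` is the domain that opened it;
    `effective` is the domain it is treated as after XS_RESTRICT
    (equal to `origin` until restrict() is applied)."""
    origin: int
    effective: int

    @staticmethod
    def open(domid):
        return Conn(domid, domid)

    def restrict(self, target):
        # XS_RESTRICT: from now on the connection only has `target`'s privileges
        return Conn(self.origin, target)


def can(node, conn, want, privileged_over_perm=False):
    """True if `conn` may perform `want` ('r' or 'w') on `node`.

    privileged_over_perm=True enables the hypothetical rule discussed in the
    mail: the (made-up) letter 'p' grants access only to a connection whose
    origin is the privileged domain restricted onto this domid, never to the
    domain's own connection. Real xenstore has no such letter."""
    dom = conn.effective
    if dom == DOM0 or dom == node.owner:
        return True
    letter = node.overrides.get(dom, node.default)
    if privileged_over_perm and letter == "p":
        return conn.origin == DOM0 and conn.origin != conn.effective
    return letter in ("b", want)


def dm_path(domid):
    # the node family the patch opens up (constructed for the example)
    return f"/local/domain/{DOM0}/device-model/{domid}"


def scenario(domid=5):
    """Compare three ACLs for the device-model node of `domid`.
    Each entry is (restricted QEMU may write, guest itself may write)."""
    qemu = Conn.open(DOM0).restrict(domid)   # deprivileged device model
    guest = Conn.open(domid)                  # the guest's own connection
    before = Node(owner=DOM0)                              # default 'n'
    patched = Node(owner=DOM0, overrides={domid: "b"})     # what the patch grants
    proposed = Node(owner=DOM0, overrides={domid: "p"})    # hypothetical letter
    return {
        "path": dm_path(domid),
        "before": (can(before, qemu, "w"), can(before, guest, "w")),
        "patched": (can(patched, qemu, "w"), can(patched, guest, "w")),
        "proposed": (can(proposed, qemu, "w", True), can(proposed, guest, "w", True)),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The "patched" row is the point of the mail: because the restricted connection and the guest's own connection both evaluate as domid 5, the only way to let one write is to let both write. The "proposed" row only differs because the model keeps the originating domain alongside the effective one, which is the extra state a "privileged over $domid" permission would need xenstored to track.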


Thread overview: 42+ messages
2015-06-10 10:07 [PATCH v3 0/6] libxl: xs_restrict QEMU Stefano Stabellini
2015-06-10 10:09 ` [PATCH v3 1/6] libxl: allow /local/domain/$LIBXL_TOOLSTACK_DOMID/device-model/$DOMID to be written by $DOMID Stefano Stabellini
2015-06-16 14:52   ` Wei Liu
2015-06-29 17:50     ` Stefano Stabellini
2015-06-25 16:16   ` Ian Campbell [this message]
2015-06-29 17:52     ` Stefano Stabellini
2015-06-30  8:49       ` Ian Campbell
2015-06-30 13:49         ` Stefano Stabellini
2015-06-30 14:04           ` Ian Campbell
2015-06-30 15:00             ` Stefano Stabellini
2015-07-03 14:37               ` Ian Campbell
2015-07-23 17:13                 ` Stefano Stabellini
2015-06-30  9:06       ` Ian Jackson
2015-06-10 10:09 ` [PATCH v3 2/6] libxl: do not add a vkb backend to hvm guests Stefano Stabellini
2015-06-16 14:57   ` Wei Liu
2015-06-16 15:39     ` Stefano Stabellini
2015-06-25 16:19       ` Ian Campbell
2015-06-29 17:59         ` Stefano Stabellini
2015-06-30  8:51           ` Ian Campbell
2015-06-30 11:21             ` Stefano Stabellini
2015-06-30 13:32               ` Ian Campbell
2015-06-30 14:02                 ` Stefano Stabellini
2015-06-30 14:13                   ` Ian Campbell
2015-06-30 20:38                     ` Konrad Rzeszutek Wilk
2015-07-01 10:29                       ` Stefano Stabellini
2015-07-01 10:55                         ` Roger Pau Monné
2015-07-01 10:56                           ` Stefano Stabellini
2015-07-01 11:14                             ` Roger Pau Monné
2015-07-01 11:10                           ` Fabio Fantoni
2015-07-01 18:41                         ` Konrad Rzeszutek Wilk
2015-07-02 11:04                           ` Stefano Stabellini
2015-07-02 14:31                             ` Konrad Rzeszutek Wilk
2015-06-10 10:09 ` [PATCH v3 3/6] [WIP] libxl: xsrestrict QEMU Stefano Stabellini
2015-06-25 16:24   ` Ian Campbell
2015-06-29 18:07     ` Stefano Stabellini
2015-06-30  8:53       ` Ian Campbell
2015-06-30 13:53         ` Stefano Stabellini
2015-06-10 10:09 ` [PATCH v3 4/6] libxl: change xs path for QEMU Stefano Stabellini
2015-06-25 16:21   ` Ian Campbell
2015-06-29 18:26     ` Stefano Stabellini
2015-06-10 10:09 ` [PATCH v3 5/6] libxl: change qdisk-backend-pid path on xenstore Stefano Stabellini
2015-06-10 10:09 ` [PATCH v3 6/6] libxl: spawns two QEMUs for HVM guests Stefano Stabellini
