[XEN PATCH 0/X] tools/libxl: XSA-403 follow-up

[XEN PATCH 0/X] tools/libxl: XSA-403 follow-up

[Anthony PERARD]

Hi,

Two patches:
    - one for stable branches (I've rework the XSA's patch on 4.16 so
      patch will need to be backported);
    - and one patch for staging, forward porting the patch for stable
      branches.

Those patches are a rework of the patch for the stable branches available
in XSA-403. The environment variable is now in upper case, like one
would expect, and now a value of "0" as the same meaning as the variable
been absent. Also, there's a bit of documentation in `man xl`.

Thanks,

-- 
Anthony PERARD

[XEN PATCH stable-4.16] tools/libxl: env variable to signal whether disk/nic backend is trusted

[Anthony PERARD]

From: Roger Pau Monne <roger.pau@citrix.com>

Introduce support in libxl for fetching the default backend trusted
option for disk and nic devices.

Users can set LIBXL_{DISK,NIC}_BACKEND_UNTRUSTED environment variable
to notify libxl of whether the backends for disk and nic devices
should be trusted.  Such information is passed into the frontend so it
can take the appropriate measures.

This is part of XSA-403.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
---
changes:
- envvar now upper case
- documentation in xl man page
- value "0" also mean "trusted"
---
 docs/man/xl.1.pod.in          | 18 ++++++++++++++++++
 tools/libs/light/libxl_disk.c |  5 +++++
 tools/libs/light/libxl_nic.c  |  7 +++++++
 3 files changed, 30 insertions(+)

diff --git a/docs/man/xl.1.pod.in b/docs/man/xl.1.pod.in
index e2176bd696..45e1430aeb 100644
--- a/docs/man/xl.1.pod.in
+++ b/docs/man/xl.1.pod.in
@@ -1946,6 +1946,24 @@ shows the decimal value. For non-linear mode, it shows hexadecimal value.
 
 =back
 
+=head1 ENVIRONMENT
+
+=over 4
+
+=item B<LIBXL_DISK_BACKEND_UNTRUSTED>
+
+Set this environment variable to "1" to suggest to the guest that the disk
+backend shouldn't be trusted. If the variable is absent or set to "0", the
+backend will be trusted.
+
+=item B<LIBXL_NIC_BACKEND_UNTRUSTED>
+
+Set this environment variable to "1" to suggest to the guest that the network
+backend shouldn't be trusted. If the variable is absent or set to "0", the
+backend will be trusted.
+
+=back
+
 =head1 IGNORED FOR COMPATIBILITY WITH XM
 
 xl is mostly command-line compatible with the old xm utility used with
diff --git a/tools/libs/light/libxl_disk.c b/tools/libs/light/libxl_disk.c
index 93936d0dd0..67d1cc1857 100644
--- a/tools/libs/light/libxl_disk.c
+++ b/tools/libs/light/libxl_disk.c
@@ -246,6 +246,7 @@ static void device_disk_add(libxl__egc *egc, uint32_t domid,
     libxl_domain_config d_config;
     libxl_device_disk disk_saved;
     libxl__flock *lock = NULL;
+    const char *envvar;
 
     libxl_domain_config_init(&d_config);
     libxl_device_disk_init(&disk_saved);
@@ -395,6 +396,10 @@ static void device_disk_add(libxl__egc *egc, uint32_t domid,
         flexarray_append(front, GCSPRINTF("%d", device->devid));
         flexarray_append(front, "device-type");
         flexarray_append(front, disk->is_cdrom ? "cdrom" : "disk");
+        flexarray_append(front, "trusted");
+        envvar = getenv("LIBXL_DISK_BACKEND_UNTRUSTED");
+        /* Set "trusted=1" if envvar missing or is "0". */
+        flexarray_append(front, !envvar || !strcmp("0", envvar) ? "1" : "0");
 
         /*
          * Old PV kernel disk frontends before 2.6.26 rely on tool stack to
diff --git a/tools/libs/light/libxl_nic.c b/tools/libs/light/libxl_nic.c
index 0b9e70c9d1..f87890d1d6 100644
--- a/tools/libs/light/libxl_nic.c
+++ b/tools/libs/light/libxl_nic.c
@@ -132,6 +132,8 @@ static int libxl__set_xenstore_nic(libxl__gc *gc, uint32_t domid,
                                    flexarray_t *back, flexarray_t *front,
                                    flexarray_t *ro_front)
 {
+    const char *envvar;
+
     flexarray_grow(back, 2);
 
     if (nic->script)
@@ -255,6 +257,11 @@ static int libxl__set_xenstore_nic(libxl__gc *gc, uint32_t domid,
     flexarray_append(back, "hotplug-status");
     flexarray_append(back, "");
 
+    flexarray_append(front, "trusted");
+    envvar = getenv("LIBXL_NIC_BACKEND_UNTRUSTED");
+    /* Set "trusted=1" if envvar missing or is "0". */
+    flexarray_append(front, !envvar || !strcmp("0", envvar) ? "1" : "0");
+
     return 0;
 }
 
-- 
Anthony PERARD

[XEN PATCH] tools/libxl: env variable to trusted default

[Anthony PERARD]

This is a forward port of "tools/libxl: env variable to signal whether
disk/nic backend is trusted", to allow the environment variable to
still work when upgrading from 4.16 or earlier.

Introduce support in libxl for fetching the default backend trusted
option for disk and nic devices.

This is part of XSA-403.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
---
 docs/man/xl.1.pod.in          | 24 ++++++++++++++++++++++++
 tools/libs/light/libxl_disk.c |  6 +++++-
 tools/libs/light/libxl_nic.c  |  5 ++++-
 3 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/docs/man/xl.1.pod.in b/docs/man/xl.1.pod.in
index 101e14241d..a5a2af5df9 100644
--- a/docs/man/xl.1.pod.in
+++ b/docs/man/xl.1.pod.in
@@ -1945,6 +1945,30 @@ shows the decimal value. For non-linear mode, it shows hexadecimal value.
 
 =back
 
+=head1 ENVIRONMENT
+
+=over 4
+
+=item B<LIBXL_DISK_BACKEND_UNTRUSTED>
+
+Use B<trusted> or B<untrusted> from L<xl-disk-configuration(5)> instead for a
+more fine grain setting.
+
+This environment variable allows to changed the default value of B<trusted>;
+if it is set to "1", the default will be B<untrusted>; if the variable is
+absent or set to "0", the default will be B<trusted>.
+
+=item B<LIBXL_NIC_BACKEND_UNTRUSTED>
+
+Use B<trusted> / B<untrusted> from L<xl-network-configuration(5)> instead for a
+more fine grain setting.
+
+This environment variable allows to changed the default value of B<trusted>;
+if it is set to "1", the default will be B<untrusted>; if the variable is
+absent or set to "0", the default will be B<trusted>.
+
+=back
+
 =head1 IGNORED FOR COMPATIBILITY WITH XM
 
 xl is mostly command-line compatible with the old xm utility used with
diff --git a/tools/libs/light/libxl_disk.c b/tools/libs/light/libxl_disk.c
index 9da2b2ed27..7564a12868 100644
--- a/tools/libs/light/libxl_disk.c
+++ b/tools/libs/light/libxl_disk.c
@@ -155,11 +155,15 @@ static int libxl__device_disk_setdefault(libxl__gc *gc, uint32_t domid,
                                          libxl_device_disk *disk, bool hotplug)
 {
     int rc;
+    const char *envvar;
 
     libxl_defbool_setdefault(&disk->discard_enable, !!disk->readwrite);
     libxl_defbool_setdefault(&disk->colo_enable, false);
     libxl_defbool_setdefault(&disk->colo_restore_enable, false);
-    libxl_defbool_setdefault(&disk->trusted, true);
+
+    envvar = getenv("LIBXL_DISK_BACKEND_UNTRUSTED");
+    /* Default to trusted if envvar missing or is "0". */
+    libxl_defbool_setdefault(&disk->trusted, !envvar || !strcmp("0", envvar));
 
     rc = libxl__resolve_domid(gc, disk->backend_domname, &disk->backend_domid);
     if (rc < 0) return rc;
diff --git a/tools/libs/light/libxl_nic.c b/tools/libs/light/libxl_nic.c
index d6bf06fc34..ff3aede6ea 100644
--- a/tools/libs/light/libxl_nic.c
+++ b/tools/libs/light/libxl_nic.c
@@ -59,6 +59,7 @@ static int libxl__device_nic_setdefault(libxl__gc *gc, uint32_t domid,
                                         libxl_device_nic *nic, bool hotplug)
 {
     int rc;
+    const char *envvar;
 
     if (!nic->mtu)
         nic->mtu = LIBXL_DEVICE_NIC_MTU_DEFAULT;
@@ -116,7 +117,9 @@ static int libxl__device_nic_setdefault(libxl__gc *gc, uint32_t domid,
         abort();
     }
 
-    libxl_defbool_setdefault(&nic->trusted, true);
+    envvar = getenv("LIBXL_NIC_BACKEND_UNTRUSTED");
+    /* Default to trusted if envvar missing or is "0". */
+    libxl_defbool_setdefault(&nic->trusted, !envvar || !strcmp("0", envvar));
 
     return rc;
 }
-- 
Anthony PERARD

Re: [XEN PATCH 0/X] tools/libxl: XSA-403 follow-up

[Jan Beulich]

On 29.07.2022 15:26, Anthony PERARD wrote:
> Two patches:
>     - one for stable branches (I've rework the XSA's patch on 4.16 so
>       patch will need to be backported);
>     - and one patch for staging, forward porting the patch for stable
>       branches.
> 
> Those patches are a rework of the patch for the stable branches available
> in XSA-403. The environment variable is now in upper case, like one
> would expect, and now a value of "0" as the same meaning as the variable
> been absent. Also, there's a bit of documentation in `man xl`.

Thank you very much for helping out with this. While arguably not worth
a lot,
Reviewed-by: Jan Beulich <jbeulich@suse.com>
and I'm inclined to throw this in rather quickly, not the least to have
it in 4.16 a little ahead of the next stable version release there.

Jan

Re: [XEN PATCH 0/X] tools/libxl: XSA-403 follow-up

[Jan Beulich]

On 01.08.2022 11:43, Jan Beulich wrote:
> On 29.07.2022 15:26, Anthony PERARD wrote:
>> Two patches:
>>     - one for stable branches (I've rework the XSA's patch on 4.16 so
>>       patch will need to be backported);
>>     - and one patch for staging, forward porting the patch for stable
>>       branches.
>>
>> Those patches are a rework of the patch for the stable branches available
>> in XSA-403. The environment variable is now in upper case, like one
>> would expect, and now a value of "0" as the same meaning as the variable
>> been absent. Also, there's a bit of documentation in `man xl`.
> 
> Thank you very much for helping out with this. While arguably not worth
> a lot,
> Reviewed-by: Jan Beulich <jbeulich@suse.com>
> and I'm inclined to throw this in rather quickly, not the least to have
> it in 4.16 a little ahead of the next stable version release there.

Actually, as per the advisory it's only the stable trees which want the
respective change committed. Unless I'm unaware of a change in mind.

Jan