* [PATCH] tools: add XS_RESTRICT operation to C xenstore client libs.
@ 2010-07-02 12:44 Tim Deegan
  2010-07-02 16:50 ` Ian Jackson
  0 siblings, 1 reply; 3+ messages in thread
From: Tim Deegan @ 2010-07-02 12:44 UTC (permalink / raw)
  To: xen-devel

The OCaml xenstored supports the XS_RESTRICT operation, which
deprivileges a dom0 xenstore connection so it can only affect one
domain's entries. Add the relevant definitions to the C libraries
so that callers can use it.

Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>

diff -r aecf092da748 tools/ocaml/libs/xb/op.ml
--- a/tools/ocaml/libs/xb/op.ml	Wed Jun 30 22:12:54 2010 +0100
+++ b/tools/ocaml/libs/xb/op.ml	Fri Jul 02 13:37:02 2010 +0100
@@ -31,13 +31,13 @@
            Transaction_end; Introduce; Release;
            Getdomainpath; Write; Mkdir; Rm;
            Setperms; Watchevent; Error; Isintroduced;
-           Resume; Set_target |]
+           Resume; Set_target; Restrict |]
 let size = Array.length operation_c_mapping
 
 (* [offset_pq] has to be the same as in <xen/io/xs_wire.h> *)
 let offset_pq = size
 let operation_c_mapping_pq =
-	[| Restrict |]
+	[| |]
 let size_pq = Array.length operation_c_mapping_pq
 
 let array_search el a =
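Review bot: after this hunk `operation_c_mapping_pq` is the empty array `[| |]`, so `offset_pq`, `size_pq` and the `_pq` lookup path have nothing left to map; either add a comment saying the scaffolding is kept for future operations that only the OCaml daemon implements, or remove it together with the empty array. The comment above `offset_pq` says the layout must match `<xen/io/xs_wire.h>`; moving `Restrict` to the end of `operation_c_mapping` keeps that true only if the `xs_wire.h` hunk appending `XS_RESTRICT` after `XS_SET_TARGET` lands in the same commit.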
diff -r aecf092da748 tools/xenstore/xs.c
--- a/tools/xenstore/xs.c	Wed Jun 30 22:12:54 2010 +0100
+++ b/tools/xenstore/xs.c	Fri Jul 02 13:37:02 2010 +0100
@@ -615,6 +615,14 @@
 	return false;
 }
 
+bool xs_restrict(struct xs_handle *h, unsigned domid)
+{
+	char buf[16];
+
+	sprintf(buf, "%d", domid);
+	return xs_bool(xs_single(h, XBT_NULL, XS_RESTRICT, buf, NULL));
+}
+
 /* Watch a node for changes (poll on fd to detect, or call read_watch()).
  * When the node (or any child) changes, fd will become readable.
  * Token is returned when watch is read, to allow matching.
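Review bot: `sprintf(buf, "%d", domid)` formats an `unsigned` argument with a signed conversion; `snprintf(buf, sizeof(buf), "%u", domid)` keeps the wire string equal to the value the caller passed and makes the buffer bound explicit. `char buf[16]` does hold any 32-bit decimal plus its NUL, so this is a format-correctness point rather than an overflow. Note also that a daemon without XS_RESTRICT, a rejected domid and a transport error all come back as `false` from `xs_bool()`, so callers relying on the restriction for security have to treat any `false` as fatal.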
diff -r aecf092da748 tools/xenstore/xs.h
--- a/tools/xenstore/xs.h	Wed Jun 30 22:12:54 2010 +0100
+++ b/tools/xenstore/xs.h	Fri Jul 02 13:37:02 2010 +0100
@@ -82,6 +82,15 @@
  */
 bool xs_rm(struct xs_handle *h, xs_transaction_t t,
 	   const char *path);
+
+/* Restrict a xenstore handle so that it acts as if it had the
+ * permissions of domain @domid.  The handle must currently be
+ * using domain 0's credentials.
+ *
+ * Returns false on failure, in which case the handle continues
+ * to use the old credentials, or true on success.
+ */
+bool xs_restrict(struct xs_handle *h, unsigned domid);
 
 /* Get permissions of node (first element is owner, first perms is "other").
  * Returns malloced array, or NULL: call free() after use.
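Review bot: the comment states that the handle keeps its old credentials on failure, but not whether a successful restriction is permanent for the lifetime of the handle, nor that only a xenstored implementing XS_RESTRICT (the OCaml one, per the cover text) will honour it; a sentence covering both would tell callers to check the return value before dropping other privileges and that the call cannot be undone. The `@domid` kernel-doc style also differs from the plain prose used by the surrounding xs.h comments.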
diff -r aecf092da748 xen/include/public/io/xs_wire.h
--- a/xen/include/public/io/xs_wire.h	Wed Jun 30 22:12:54 2010 +0100
+++ b/xen/include/public/io/xs_wire.h	Fri Jul 02 13:37:02 2010 +0100
@@ -47,7 +47,8 @@
     XS_ERROR,
     XS_IS_DOMAIN_INTRODUCED,
     XS_RESUME,
-    XS_SET_TARGET
+    XS_SET_TARGET,
+    XS_RESTRICT
 };
 
 #define XS_WRITE_NONE "NONE"
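Review bot: appending `XS_RESTRICT` to the public wire enum fixes its numeric value for every client and server, and the `op.ml` hunk depends on exactly this position; a short comment here (or in `op.ml`) noting that the C xenstored does not implement the operation would help whoever extends the enum next. Please also confirm how the C xenstored answers a request type it does not know, so that `xs_restrict()` callers get the documented `false` rather than an unanswered request.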

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
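As an added example (not part of the patch or of libxenstore), the XS_RESTRICT message that `xs_restrict()` hands to `xs_single()`, built with `%u`, beside the strict payload check a xenstored should apply before honouring the request. The enum is reproduced from `xs_wire.h` as extended by this patch, `struct xsd_sockmsg` is the real wire header, and `0x7FF0` is `DOMID_FIRST_RESERVED` from `<xen/xen.h>`; the validation routine is an illustration of the check, not either daemon's code.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Request types from <xen/io/xs_wire.h>, with XS_RESTRICT appended after
 * XS_SET_TARGET as the patch does, so it takes the value 20. */
enum xsd_sockmsg_type {
    XS_DEBUG, XS_DIRECTORY, XS_READ, XS_GET_PERMS, XS_WATCH, XS_UNWATCH,
    XS_TRANSACTION_START, XS_TRANSACTION_END, XS_INTRODUCE, XS_RELEASE,
    XS_GET_DOMAIN_PATH, XS_WRITE, XS_MKDIR, XS_RM, XS_SET_PERMS, XS_WATCH_EVENT,
    XS_ERROR, XS_IS_DOMAIN_INTRODUCED, XS_RESUME, XS_SET_TARGET, XS_RESTRICT
};
struct xsd_sockmsg { uint32_t type, req_id, tx_id, len; }; /* wire header */

/* What xs_restrict() hands to xs_single(): header, then the decimal domid as a
 * NUL-terminated string (len counts the NUL). Returns bytes written, 0 on no room. */
size_t encode_restrict(unsigned domid, uint32_t req_id, uint8_t *out, size_t cap)
{
    char payload[16]; /* %u rather than the patch's %d: domid is unsigned */
    int n = snprintf(payload, sizeof payload, "%u", domid);
    struct xsd_sockmsg hdr = { XS_RESTRICT, req_id, 0 /* XBT_NULL */, (uint32_t)n + 1 };
    if (n < 0 || (size_t)n >= sizeof payload || cap < sizeof hdr + hdr.len) return 0;
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, payload, hdr.len);
    return sizeof hdr + hdr.len;
}

/* Server-side check: accept only a NUL-terminated run of digits naming a real domid,
 * so "-1", "7x" or an unterminated string are refused instead of reinterpreted. */
int parse_restrict_payload(const uint8_t *payload, uint32_t len, unsigned *domid)
{
    unsigned v = 0;
    if (len < 2 || len > 6 || payload[len - 1] != '\0') return 0; /* "0\0".."65535\0" */
    for (uint32_t i = 0; i + 1 < len; i++) {
        if (!isdigit(payload[i])) return 0;
        v = v * 10 + (payload[i] - '0');
    }
    if (v >= 0x7FF0u) return 0; /* DOMID_FIRST_RESERVED in <xen/xen.h> */
    if (domid) *domid = v;      /* 1 = accepted; value stored if requested */
    return 1;
}

/* Client encodes, server validates; returns the accepted domid or -1. */
long restrict_roundtrip(unsigned domid)
{
    uint8_t buf[32]; struct xsd_sockmsg hdr; unsigned parsed;
    size_t n = encode_restrict(domid, 1, buf, sizeof buf);
    if (n < sizeof hdr) return -1;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.type != XS_RESTRICT || n != sizeof hdr + hdr.len) return -1;
    return parse_restrict_payload(buf + sizeof hdr, hdr.len, &parsed) ? (long)parsed : -1;
}
```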


* Re: [PATCH] tools: add XS_RESTRICT operation to C xenstore client libs.
  2010-07-02 12:44 [PATCH] tools: add XS_RESTRICT operation to C xenstore client libs Tim Deegan
@ 2010-07-02 16:50 ` Ian Jackson
  2010-07-02 17:43   ` Keir Fraser
  0 siblings, 1 reply; 3+ messages in thread
From: Ian Jackson @ 2010-07-02 16:50 UTC (permalink / raw)
  To: Tim Deegan; +Cc: xen-devel

Tim Deegan writes ("[Xen-devel] [PATCH] tools: add XS_RESTRICT operation to C xenstore client libs."):
> The OCaml xenstored supports the XS_RESTRICT operation, which
> deprivileges a dom0 xenstore connection so it can only affect one
> domain's entries.   Add the relevant definitions to the C libraries 
> so that callers can use it. 

Can you explain what this is for, please ?  If it's for security
against a hostile caller, what prevents the caller from simply opening
another xenstore connection ?

Ian.


* Re: [PATCH] tools: add XS_RESTRICT operation to C xenstore client libs.
  2010-07-02 16:50 ` Ian Jackson
@ 2010-07-02 17:43   ` Keir Fraser
  0 siblings, 0 replies; 3+ messages in thread
From: Keir Fraser @ 2010-07-02 17:43 UTC (permalink / raw)
  To: Ian Jackson, Tim Deegan; +Cc: xen-devel

On 02/07/2010 17:50, "Ian Jackson" <Ian.Jackson@eu.citrix.com> wrote:

> Tim Deegan writes ("[Xen-devel] [PATCH] tools: add XS_RESTRICT operation to C
> xenstore client libs."):
>> The OCaml xenstored supports the XS_RESTRICT operation, which
>> deprivileges a dom0 xenstore connection so it can only affect one
>> domain's entries.   Add the relevant definitions to the C libraries
>> so that callers can use it.
> 
> Can you explain what this is for, please ?  If it's for security
> against a hostile caller, what prevents the caller from simply opening
> another xenstore connection ?

A daemon like qemu-dm can do privileged things like opening a xenstore
connection, and then deprivilege itself via setuid() before handling I/O
requests and exposing itself on that particular attack front. XS_RESTRICT
allows such a service to further and more precisely deprivilege itself.

 -- Keir
