WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-changelog

[Xen-changelog] [xen-unstable] Fix handling of the entries-per-domain qu

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] Fix handling of the entries-per-domain quota. Entries which are created by
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 13 Nov 2006 12:50:14 +0000
Delivery-date: Mon, 13 Nov 2006 04:50:07 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Ewan Mellor <ewan@xxxxxxxxxxxxx>
# Node ID 38c16b37529864809e64b807297a3c46c9e8d426
# Parent  0b385df5f2360cbd947a673f4901b88671a9da89
Fix handling of the entries-per-domain quota.  Entries which are created by
the guest but deleted by dom0 were remaining accounted against the guest,
which meant that the guest would eventually run out of quota.

This patch also prevents unprivileged domains from changing the owner of a
node.  One guest could attack another by creating nodes and then transferring
them to the ownership of another, and though the accounting could be made to
work properly in this case, domains should never be transferring nodes in any
case, so it seems safer just to disallow the operation entirely.

Signed-off-by: Ewan Mellor <ewan@xxxxxxxxxxxxx>
---
 tools/xenstore/xenstored_core.c   |   25 +++++++++++++++++------
 tools/xenstore/xenstored_domain.c |   41 ++++++++++++++++++++++++++------------
 tools/xenstore/xenstored_domain.h |    4 +--
 3 files changed, 50 insertions(+), 20 deletions(-)

diff -r 0b385df5f236 -r 38c16b375298 tools/xenstore/xenstored_core.c
--- a/tools/xenstore/xenstored_core.c   Mon Nov 13 09:49:12 2006 +0000
+++ b/tools/xenstore/xenstored_core.c   Mon Nov 13 10:43:29 2006 +0000
@@ -791,7 +791,7 @@ static void delete_node_single(struct co
                corrupt(conn, "Could not delete '%s'", node->name);
                return;
        }
-       domain_entry_dec(conn);
+       domain_entry_dec(conn, node);
 }
 
 /* Must not be / */
@@ -842,7 +842,7 @@ static struct node *construct_node(struc
        node->children = node->data = NULL;
        node->childlen = node->datalen = 0;
        node->parent = parent;
-       domain_entry_inc(conn);
+       domain_entry_inc(conn, node);
        return node;
 }
 
@@ -878,7 +878,7 @@ static struct node *create_node(struct c
         * something goes wrong. */
        for (i = node; i; i = i->parent) {
                if (!write_node(conn, i)) {
-                       domain_entry_dec(conn);
+                       domain_entry_dec(conn, i);
                        return NULL;
                }
                talloc_set_destructor(i, destroy_node);
@@ -1108,6 +1108,7 @@ static void do_set_perms(struct connecti
 static void do_set_perms(struct connection *conn, struct buffered_data *in)
 {
        unsigned int num;
+       struct xs_permissions *perms;
        char *name, *permstr;
        struct node *node;
 
@@ -1129,12 +1130,24 @@ static void do_set_perms(struct connecti
                return;
        }
 
-       node->perms = talloc_array(node, struct xs_permissions, num);
-       node->num_perms = num;
-       if (!xs_strings_to_perms(node->perms, num, permstr)) {
+       perms = talloc_array(node, struct xs_permissions, num);
+       if (!xs_strings_to_perms(perms, num, permstr)) {
                send_error(conn, errno);
                return;
        }
+
+       /* Unprivileged domains may not change the owner. */
+       if (domain_is_unprivileged(conn) &&
+           perms[0].id != node->perms[0].id) {
+               send_error(conn, EPERM);
+               return;
+       }
+
+       domain_entry_dec(conn, node);
+       node->perms = perms;
+       node->num_perms = num;
+       domain_entry_inc(conn, node);
+
        if (!write_node(conn, node)) {
                send_error(conn, errno);
                return;
diff -r 0b385df5f236 -r 38c16b375298 tools/xenstore/xenstored_domain.c
--- a/tools/xenstore/xenstored_domain.c Mon Nov 13 09:49:12 2006 +0000
+++ b/tools/xenstore/xenstored_domain.c Mon Nov 13 10:43:29 2006 +0000
@@ -501,18 +501,35 @@ int domain_init(void)
        return xce_handle;
 }
 
-void domain_entry_inc(struct connection *conn)
-{
-       if (!conn || !conn->domain)
-               return;
-       conn->domain->nbentry++;
-}
-
-void domain_entry_dec(struct connection *conn)
-{
-       if (!conn || !conn->domain)
-               return;
-       if (conn->domain->nbentry)
+void domain_entry_inc(struct connection *conn, struct node *node)
+{
+       struct domain *d;
+
+       if (!conn)
+               return;
+
+       if (node->perms && node->perms[0].id != conn->id) {
+               d = find_domain_by_domid(node->perms[0].id);
+               if (d)
+                       d->nbentry++;
+       }
+       else if (conn->domain) {
+               conn->domain->nbentry++;
+       }
+}
+
+void domain_entry_dec(struct connection *conn, struct node *node)
+{
+       struct domain *d;
+
+       if (!conn)
+               return;
+
+       if (node->perms && node->perms[0].id != conn->id) {
+               d = find_domain_by_domid(node->perms[0].id);
+               if (d && d->nbentry)
+                       d->nbentry--;
+       } else if (conn->domain && conn->domain->nbentry)
                conn->domain->nbentry--;
 }
 
diff -r 0b385df5f236 -r 38c16b375298 tools/xenstore/xenstored_domain.h
--- a/tools/xenstore/xenstored_domain.h Mon Nov 13 09:49:12 2006 +0000
+++ b/tools/xenstore/xenstored_domain.h Mon Nov 13 10:43:29 2006 +0000
@@ -50,8 +50,8 @@ bool domain_is_unprivileged(struct conne
 bool domain_is_unprivileged(struct connection *conn);
 
 /* Quota manipulation */
-void domain_entry_inc(struct connection *conn);
-void domain_entry_dec(struct connection *conn);
+void domain_entry_inc(struct connection *conn, struct node *);
+void domain_entry_dec(struct connection *conn, struct node *);
 int domain_entry(struct connection *conn);
 void domain_watch_inc(struct connection *conn);
 void domain_watch_dec(struct connection *conn);

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] [xen-unstable] Fix handling of the entries-per-domain quota. Entries which are created by, Xen patchbot-unstable <=