# HG changeset patch
# User Ewan Mellor <ewan@xxxxxxxxxxxxx>
# Node ID 38c16b37529864809e64b807297a3c46c9e8d426
# Parent 0b385df5f2360cbd947a673f4901b88671a9da89
Fix handling of the entries-per-domain quota. Entries which are created by
the guest but deleted by dom0 were remaining accounted against the guest,
which meant that the guest would eventually run out of quota.
This patch also prevents unprivileged domains from changing the owner of a
node. One guest could attack another by creating nodes and then transferring
them to the ownership of another, and though the accounting could be made to
work properly in this case, domains should never be transferring nodes in any
case, so it seems safer just to disallow the operation entirely.
Signed-off-by: Ewan Mellor <ewan@xxxxxxxxxxxxx>
---
tools/xenstore/xenstored_core.c | 25 +++++++++++++++++------
tools/xenstore/xenstored_domain.c | 41 ++++++++++++++++++++++++++------------
tools/xenstore/xenstored_domain.h | 4 +--
3 files changed, 50 insertions(+), 20 deletions(-)
diff -r 0b385df5f236 -r 38c16b375298 tools/xenstore/xenstored_core.c
--- a/tools/xenstore/xenstored_core.c Mon Nov 13 09:49:12 2006 +0000
+++ b/tools/xenstore/xenstored_core.c Mon Nov 13 10:43:29 2006 +0000
@@ -791,7 +791,7 @@ static void delete_node_single(struct co
corrupt(conn, "Could not delete '%s'", node->name);
return;
}
- domain_entry_dec(conn);
+ domain_entry_dec(conn, node);
}
/* Must not be / */
@@ -842,7 +842,7 @@ static struct node *construct_node(struc
node->children = node->data = NULL;
node->childlen = node->datalen = 0;
node->parent = parent;
- domain_entry_inc(conn);
+ domain_entry_inc(conn, node);
return node;
}
@@ -878,7 +878,7 @@ static struct node *create_node(struct c
* something goes wrong. */
for (i = node; i; i = i->parent) {
if (!write_node(conn, i)) {
- domain_entry_dec(conn);
+ domain_entry_dec(conn, i);
return NULL;
}
talloc_set_destructor(i, destroy_node);
@@ -1108,6 +1108,7 @@ static void do_set_perms(struct connecti
static void do_set_perms(struct connection *conn, struct buffered_data *in)
{
unsigned int num;
+ struct xs_permissions *perms;
char *name, *permstr;
struct node *node;
@@ -1129,12 +1130,24 @@ static void do_set_perms(struct connecti
return;
}
- node->perms = talloc_array(node, struct xs_permissions, num);
- node->num_perms = num;
- if (!xs_strings_to_perms(node->perms, num, permstr)) {
+ perms = talloc_array(node, struct xs_permissions, num);
+ if (!xs_strings_to_perms(perms, num, permstr)) {
send_error(conn, errno);
return;
}
+
+ /* Unprivileged domains may not change the owner. */
+ if (domain_is_unprivileged(conn) &&
+ perms[0].id != node->perms[0].id) {
+ send_error(conn, EPERM);
+ return;
+ }
+
+ domain_entry_dec(conn, node);
+ node->perms = perms;
+ node->num_perms = num;
+ domain_entry_inc(conn, node);
+
if (!write_node(conn, node)) {
send_error(conn, errno);
return;
diff -r 0b385df5f236 -r 38c16b375298 tools/xenstore/xenstored_domain.c
--- a/tools/xenstore/xenstored_domain.c Mon Nov 13 09:49:12 2006 +0000
+++ b/tools/xenstore/xenstored_domain.c Mon Nov 13 10:43:29 2006 +0000
@@ -501,18 +501,35 @@ int domain_init(void)
return xce_handle;
}
-void domain_entry_inc(struct connection *conn)
-{
- if (!conn || !conn->domain)
- return;
- conn->domain->nbentry++;
-}
-
-void domain_entry_dec(struct connection *conn)
-{
- if (!conn || !conn->domain)
- return;
- if (conn->domain->nbentry)
+void domain_entry_inc(struct connection *conn, struct node *node)
+{
+ struct domain *d;
+
+ if (!conn)
+ return;
+
+ if (node->perms && node->perms[0].id != conn->id) {
+ d = find_domain_by_domid(node->perms[0].id);
+ if (d)
+ d->nbentry++;
+ }
+ else if (conn->domain) {
+ conn->domain->nbentry++;
+ }
+}
+
+void domain_entry_dec(struct connection *conn, struct node *node)
+{
+ struct domain *d;
+
+ if (!conn)
+ return;
+
+ if (node->perms && node->perms[0].id != conn->id) {
+ d = find_domain_by_domid(node->perms[0].id);
+ if (d && d->nbentry)
+ d->nbentry--;
+ } else if (conn->domain && conn->domain->nbentry)
conn->domain->nbentry--;
}
diff -r 0b385df5f236 -r 38c16b375298 tools/xenstore/xenstored_domain.h
--- a/tools/xenstore/xenstored_domain.h Mon Nov 13 09:49:12 2006 +0000
+++ b/tools/xenstore/xenstored_domain.h Mon Nov 13 10:43:29 2006 +0000
@@ -50,8 +50,8 @@ bool domain_is_unprivileged(struct conne
bool domain_is_unprivileged(struct connection *conn);
/* Quota manipulation */
-void domain_entry_inc(struct connection *conn);
-void domain_entry_dec(struct connection *conn);
+void domain_entry_inc(struct connection *conn, struct node *);
+void domain_entry_dec(struct connection *conn, struct node *);
int domain_entry(struct connection *conn);
void domain_watch_inc(struct connection *conn);
void domain_watch_dec(struct connection *conn);
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|