WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-devel

Re: [Xen-devel] [PATCH] /sys/hypervisor/uuid


On 19 May 2006, at 18:21, Markus Armbruster wrote:

                                                   Alternatively, you
could add some code to the xenstore dev driver to only allow read-only
access for non-root users.

Does the dev driver enforce root?  Isn't that policy in the kernel?

It's enforced only by the device file permissions and owner/group right now.

Is it safe to allow unprivileged read-only access to *all* of xenstore
in domU?

Not naively, I'm pretty sure. Not because I think that the guest-accessible portions of xenstore contain big secrets, but simply because I don't particularly trust the xenstore dev driver (for example, a process that starts a transaction and never finishes it will prevent save/restore from working). If we allowed a non-root process to execute only XS_READ, I think that would be okay.

I'm personally not against the sysfs solution though, if we agree that seeing your own uuid is useful at all. At least it is small and self-contained and, in the face of VM fork, I can imagine supporting poll/select/sigio on that sysfs file or some other to notify processes when platform/guest details have changed due to virtualisation-specific events. It's maybe possible to support that kind of thing in other ways, but it sounds like a pita to me.

 -- Keir


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
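
The restriction discussed in the thread (non-root callers limited to XS_READ, so they can never open a transaction and leave it unfinished), sketched as an added example; it is not code from the post or from the Xen tree. The header layout and type numbering follow Xen's public `io/xs_wire.h`; the function names, the 4096-byte payload cap and the rule that a read must carry `tx_id` 0 are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Wire header and request types, following Xen's public io/xs_wire.h. */
struct xsd_sockmsg {
    uint32_t type;    /* XS_* request type */
    uint32_t req_id;  /* echoed back in the reply */
    uint32_t tx_id;   /* 0 = not part of a transaction */
    uint32_t len;     /* payload bytes after the header */
};
enum { XS_DEBUG, XS_DIRECTORY, XS_READ, XS_GET_PERMS, XS_WATCH, XS_UNWATCH,
       XS_TRANSACTION_START, XS_TRANSACTION_END };
#define XS_PAYLOAD_MAX 4096u  /* assumed cap for this sketch */

/* Hypothetical policy hook: may a request written to the xenstore device
 * by a caller with effective uid `euid` be forwarded to xenstored? */
bool xs_request_allowed(uint32_t euid, const struct xsd_sockmsg *hdr,
                        const char *payload)
{
    if (hdr->len > XS_PAYLOAD_MAX)
        return false;             /* oversized for any caller */
    if (euid == 0)
        return true;              /* root keeps full access */
    if (hdr->type != XS_READ)
        return false;             /* no writes, watches or transactions */
    if (hdr->tx_id != 0)
        return false;             /* reads must stay outside transactions */
    /* An XS_READ payload is exactly one NUL-terminated, non-empty path. */
    return hdr->len > 1 &&
           memchr(payload, '\0', hdr->len) == payload + hdr->len - 1;
}

/* Hypothetical helper: build the header for a single-path request. */
bool xs_path_request_allowed(uint32_t euid, uint32_t type, uint32_t tx_id,
                             const char *path)
{
    struct xsd_sockmsg hdr = { type, 1, tx_id, (uint32_t)strlen(path) + 1 };
    return xs_request_allowed(euid, &hdr, path);
}

int main(void)
{
    /* Constructed requests: a non-root read passes, a transaction start does not. */
    bool ok = xs_path_request_allowed(1000, XS_READ, 0, "vm")
           && !xs_path_request_allowed(1000, XS_TRANSACTION_START, 0, "");
    return ok ? 0 : 1;
}
```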