This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] [PATCH][ACM] kernel enforcement of vbd policies via blkb

To: Bryan D Payne <bdpayne@xxxxxxxxxx>
Subject: Re: [Xen-devel] [PATCH][ACM] kernel enforcement of vbd policies via blkback driver
From: Steven Hand <Steven.Hand@xxxxxxxxxxxx>
Date: Tue, 25 Jul 2006 19:48:32 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx, Steven.Hand@xxxxxxxxxxxx, Reiner Sailer <sailer@xxxxxxxxxx>
Delivery-date: Tue, 25 Jul 2006 11:49:55 -0700
In-reply-to: Message from Bryan D Payne <bdpayne@xxxxxxxxxx> of "Tue, 25 Jul 2006 13:45:52 EDT." <OF194E0D98.3F4EC3C7-ON852571B6.005FA1C0-852571B6.0061916F@xxxxxxxxxx>
>> The tools hook is not just a usability/conformity check. The check
>> ensures that the tools will not set up entries in xenstore that would
>> allow blkback to create a non-conformant vbd. So there is no way for a
>> guest to trick blkback into creating a non-conformant vbd: it can only
>> connect to vbds specified in its config file or added later via the
>> vbd-add xm hotplug command. The tools stack should perform its
>> compliance checks on both 'xm create' and 'xm vbd-add', and that should
>> be sufficient.
>My concern is that security is now relying on the correctness of all code
>that can write to the xenstore.  The quantity of code that does this will
>likely continue to grow, and even include third party tools.  If any of
>this code attaches a vbd to a domain without performing a security check,
>then the security would be bypassed.

There is still a major dependency on xenstore; it's pretty much part of the
TCB at present. I know some folks have been thinking about how to 'secure' 
it more comprehensively while allowing integration with whatever ACM 
policy is in force. I think this is a more promising approach than an ad 
hoc extra check in blkback. 


