Re: [Xen-devel] [PATCH 1/2] libxl: do not assume Dom0 backend while listing disks and nics

[Ian Campbell <Ian.Campbell@xxxxxxxxxx>]

On Wed, 2013-05-01 at 11:29 +0100, Ian Jackson wrote:
> Marek Marczykowski writes ("[PATCH 1/2] libxl: do not assume Dom0 backend 
> while listing disks and nics"):
> > One more place where code assumed that all backends are in dom0. List
> > devices in domain device/ tree, instead of backend/ of dom0.
> > Additionally fix libxl_devid_to_device_{nic,disk} to fill backend_domid
> > properly.
> 
> After this change, can a guest cause a backend to be leaked when the
> domain is destroyed ?  If it deletes the contents of the frontend
> directory in xenstore, I think the device will no longer show up in
> the lists and so won't be deleted when the guest goes away.

I would have hoped that XS perms on key nodes, like the backend link
would prevent this, but since the actual frontend directory is guest
writeable I rather expect we can't make this so.

> Would iterating over all domains looking for backends for a particular
> frontend domain work ?  That would allow a rogue guest to cause
> entries to appear in the list of course, by pretending to be a
> backend domain...

Or should libxl keep a shadow list of devices for the domain in its
private xs directory?

Ian.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel