
Re: [Xen-devel] [PATCH v2] xenstore: remove XS_RESTRICT support



On Mon, Jan 23, 2017 at 01:34:21PM +0100, Juergen Gross wrote:
> On 23/01/17 13:14, Wei Liu wrote:
> > On Mon, Jan 23, 2017 at 12:32:55PM +0100, Juergen Gross wrote:
> >> XS_RESTRICT and the xenstore library function xs_restrict() have never
> >> been usable in all configurations and there are no known users.
> >>
> >> This functionality was thought to limit access rights of device models
> >> to xenstore in order to avoid affecting other domains in case of a
> >> security breach. Unfortunately XS_RESTRICT won't help as current
> >> qemu is requiring access to dom0 only accessible xenstore paths to
> >> work correctly. So this command is useless and should be removed.
> >>
> >> In order to avoid problems in the future remove all support for
> >> XS_RESTRICT from xenstore.
> >>
> >> Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
> >> ---
> >> I'm rather sure I didn't delete anything from oxenstored not related
> >> to XS_RESTRICT, but I could have missed something. I'd appreciate a
> >> thorough review of the ocaml changes I did as my knowledge is rather
> >> limited here.
> > [...]
> >>            in
> >>    if domid = Define.domid_self || Domains.exist domains domid then 
> >> "T\000" else "F\000"
> >>  
> >> -(* [restrict] is in the patch queue since xen3.2 *)
> >> -let do_restrict con t domains cons data =
> >> -  if not (Connection.is_dom0 con)
> >> -  then raise Define.Permission_denied;
> >> -  let domid =
> >> -          match (split None '\000' data) with
> >> -          | [ domid; "" ] -> c_int_of_string domid
> >> -          | _          -> raise Invalid_Cmd_Args
> >> -  in
> >> -  Connection.restrict con domid
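
Review bot: the commit message does not say what a client that still sends XS_RESTRICT will get back once the do_restrict handler is gone, and that is worth stating since the text promises to "remove all support". The removed lines show the request was limited to dom0 (Connection.is_dom0) and ended in Connection.restrict con domid, so that function loses this caller. Suggest dropping Connection.restrict, and any permission helper used only by it, in the same patch, and documenting the reply for the retired command.
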
> > 
> > You haven't removed the restrict function in connection.ml and perms.ml.
> 
> I wasn't sure whether they are needed for "normal" permission checks.
> 
> Will remove them in V3.
> 

Yeah, try to remove them and see if oxenstored still compiles. ;-)

> 
> Juergen
> 

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
