mirrored from git://xenbits.xen.org/xen.git
tools/xenstore: revoke access rights for removed domains
Access rights of Xenstore nodes are per domid. Unfortunately existing granted access rights are not removed when a domain is being destroyed. This means that a new domain created with the same domid will inherit the access rights to Xenstore nodes from the previous domain(s) with the same domid.

This can be avoided by adding a generation counter to each domain. The generation counter of the domain is set to the global generation counter when a domain structure is being allocated. When reading or writing a node all permissions of domains which are younger than the node itself are dropped. This is done by flagging the related entry as invalid in order to avoid modifying permissions in a way the user could detect.

A special case has to be considered: for a new domain the first Xenstore entries are already written before the domain is officially introduced in Xenstore. In order not to drop the permissions for the new domain a domain struct is allocated even before introduction if the hypervisor is aware of the domain. This requires adding another bool "introduced" to struct domain in xenstored. In order to avoid additional padding holes convert the shutdown flag to bool, too.

As verifying permissions has its price regarding runtime add a new quota for limiting the number of permissions an unprivileged domain can set for a node. The default for that new quota is 5.

This is part of XSA-322.

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Paul Durrant <paul@xen.org>
Acked-by: Julien Grall <julien@amazon.com>
Showing 7 changed files with 192 additions and 46 deletions.
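The generation-counter check the commit message describes, as an added illustration in C that is not xenstored code: `struct perm`, `struct domain`, `domain_alloc`, `node_check_perms`, `domain_can_access` and `perms_within_quota` are hypothetical names, and a destroyed or never-allocated domain is treated as unknown, so its entries are flagged as well.

```c
#include <stdbool.h>
#include <stdint.h>
/* Added illustration of the generation-counter scheme in the commit message; this
 * is not xenstored code and every name below is hypothetical. */
#define MAX_PERMS 8
#define QUOTA_PERMS_UNPRIV 5u   /* default of the new per-node permission quota */
#define PERM_READ  1u
#define PERM_WRITE 2u
struct perm   { unsigned int domid; unsigned int access; bool invalid; };
struct node   { uint64_t generation; unsigned int nperms; struct perm perms[MAX_PERMS]; };
struct domain { bool in_use; uint64_t generation; };
static uint64_t global_generation = 1;  /* bumped on domain allocation and node write */
static struct domain domains[16];       /* toy domain table indexed by domid */

/* A (re)created domain takes the current global generation, so it is younger than every
 * node written earlier. Allocating the struct before the domain is introduced keeps the
 * new domain's own first nodes valid (the special case in the commit message). */
static void domain_alloc(unsigned int domid)
{
    domains[domid].in_use = true;
    domains[domid].generation = global_generation++;
}
static void domain_destroy(unsigned int domid) { domains[domid].in_use = false; }
/* Writing a node stamps it with the current generation. */
static void node_write(struct node *n) { n->generation = global_generation++; }
/* Flag (rather than delete) entries of unknown or younger domains; return the valid count. */
static unsigned int node_check_perms(struct node *n)
{
    unsigned int valid = 0;
    for (unsigned int i = 0; i < n->nperms; i++) {
        const struct domain *d = &domains[n->perms[i].domid];
        if (!d->in_use || d->generation > n->generation)
            n->perms[i].invalid = true;
        valid += !n->perms[i].invalid;
    }
    return valid;
}

/* Does domid hold every bit of mode on the node once stale entries are flagged? */
static bool domain_can_access(struct node *n, unsigned int domid, unsigned int mode)
{
    node_check_perms(n);
    for (unsigned int i = 0; i < n->nperms; i++)
        if (!n->perms[i].invalid && n->perms[i].domid == domid)
            return (n->perms[i].access & mode) == mode;
    return false;
}
/* The new quota: an unprivileged domain may set at most QUOTA_PERMS_UNPRIV entries. */
static bool perms_within_quota(bool privileged, unsigned int n) { return privileged || n <= QUOTA_PERMS_UNPRIV; }
```

The sequence to try is: allocate domid 5, write a node granting it access, destroy the domain, allocate domid 5 again, and observe that the old node's entry is now flagged while a node the new domain writes afterwards stays valid.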