Tim Deegan
2010-Jul-02 12:44 UTC
[Xen-devel] [PATCH] tools: add XS_RESTRICT operation to C xenstore client libs.
The OCaml xenstored supports the XS_RESTRICT operation, which
deprivileges a dom0 xenstore connection so it can only affect one
domain's entries. Add the relevant definitions to the C libraries
so that callers can use it.
Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
diff -r aecf092da748 tools/ocaml/libs/xb/op.ml
--- a/tools/ocaml/libs/xb/op.ml Wed Jun 30 22:12:54 2010 +0100
+++ b/tools/ocaml/libs/xb/op.ml Fri Jul 02 13:37:02 2010 +0100
@@ -31,13 +31,13 @@
Transaction_end; Introduce; Release;
Getdomainpath; Write; Mkdir; Rm;
Setperms; Watchevent; Error; Isintroduced;
- Resume; Set_target |]
+ Resume; Set_target; Restrict |]
let size = Array.length operation_c_mapping
(* [offset_pq] has to be the same as in <xen/io/xs_wire.h> *)
let offset_pq = size
let operation_c_mapping_pq - [| Restrict |]
+ [| |]
let size_pq = Array.length operation_c_mapping_pq
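Review bot: worth stating in the commit message that Restrict keeps its wire opcode: it previously sat alone in operation_c_mapping_pq at offset_pq (which equals size), and appending it to operation_c_mapping gives it that same index, matching XS_RESTRICT directly after XS_SET_TARGET in xs_wire.h, so existing clients that already sent the old number are unaffected.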
let array_search el a diff -r aecf092da748 tools/xenstore/xs.c
--- a/tools/xenstore/xs.c Wed Jun 30 22:12:54 2010 +0100
+++ b/tools/xenstore/xs.c Fri Jul 02 13:37:02 2010 +0100
@@ -615,6 +615,14 @@
return false;
}
+bool xs_restrict(struct xs_handle *h, unsigned domid)
+{
+ char buf[16];
+
+ sprintf(buf, "%d", domid);
+ return xs_bool(xs_single(h, XBT_NULL, XS_RESTRICT, buf, NULL));
+}
+
/* Watch a node for changes (poll on fd to detect, or call read_watch()).
* When the node (or any child) changes, fd will become readable.
* Token is returned when watch is read, to allow matching.
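Review bot: `sprintf(buf, "%d", domid)` formats the `unsigned domid` parameter with a signed conversion, so a domid above INT_MAX would be sent as a negative string; use `%u`, and prefer `snprintf(buf, sizeof buf, "%u", domid)` so the 16-byte buffer is bounded by construction rather than by the 11-byte worst case of a 32-bit value.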
diff -r aecf092da748 tools/xenstore/xs.h
--- a/tools/xenstore/xs.h Wed Jun 30 22:12:54 2010 +0100
+++ b/tools/xenstore/xs.h Fri Jul 02 13:37:02 2010 +0100
@@ -82,6 +82,15 @@
*/
bool xs_rm(struct xs_handle *h, xs_transaction_t t,
const char *path);
+
+/* Restrict a xenstore handle so that it acts as if it had the
+ * permissions of domain @domid. The handle must currently be
+ * using domain 0''s credentials.
+ *
+ * Returns false on failure, in which case the handle continues
+ * to use the old credentials, or true on success.
+ */
+bool xs_restrict(struct xs_handle *h, unsigned domid);
/* Get permissions of node (first element is owner, first perms is
"other").
* Returns malloced array, or NULL: call free() after use.
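Review bot: the header comment should also say what happens against a xenstored that does not implement XS_RESTRICT (the commit message only names the OCaml xenstored): xs_restrict() returns false and the handle keeps dom0 credentials, so a caller using it to deprivilege must treat false as fatal rather than carry on. Minor: add a blank line between the new prototype and the xs_get_permissions comment that follows it.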
diff -r aecf092da748 xen/include/public/io/xs_wire.h
--- a/xen/include/public/io/xs_wire.h Wed Jun 30 22:12:54 2010 +0100
+++ b/xen/include/public/io/xs_wire.h Fri Jul 02 13:37:02 2010 +0100
@@ -47,7 +47,8 @@
XS_ERROR,
XS_IS_DOMAIN_INTRODUCED,
XS_RESUME,
- XS_SET_TARGET
+ XS_SET_TARGET,
+ XS_RESTRICT
};
#define XS_WRITE_NONE "NONE"
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Ian Jackson
2010-Jul-02 16:50 UTC
Re: [Xen-devel] [PATCH] tools: add XS_RESTRICT operation to C xenstore client libs.
Tim Deegan writes ("[Xen-devel] [PATCH] tools: add XS_RESTRICT operation to C xenstore client libs."):
> The OCaml xenstored supports the XS_RESTRICT operation, which
> deprivileges a dom0 xenstore connection so it can only affect one
> domain's entries. Add the relevant definitions to the C libraries
> so that callers can use it.

Can you explain what this is for, please ? If it's for security
against a hostile caller, what prevents the caller from simply opening
another xenstore connection ?

Ian.
Keir Fraser
2010-Jul-02 17:43 UTC
Re: [Xen-devel] [PATCH] tools: add XS_RESTRICT operation to C xenstore client libs.
On 02/07/2010 17:50, "Ian Jackson" <Ian.Jackson@eu.citrix.com> wrote:
> Tim Deegan writes ("[Xen-devel] [PATCH] tools: add XS_RESTRICT operation to C
> xenstore client libs."):
>> The OCaml xenstored supports the XS_RESTRICT operation, which
>> deprivileges a dom0 xenstore connection so it can only affect one
>> domain's entries. Add the relevant definitions to the C libraries
>> so that callers can use it.
>
> Can you explain what this is for, please ? If it's for security
> against a hostile caller, what prevents the caller from simply opening
> another xenstore connection ?

A daemon like qemu-dm can do privileged things like opening a xenstore connection, and then deprivilege itself via setuid() before handling I/O requests and exposing itself on that particular attack front. XS_RESTRICT allows such a service to further and more precisely deprivilege itself.

-- Keir
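To make concrete what the xs_restrict() call in the patch actually puts on the socket before a daemon such as qemu-dm drops privileges, here is an added, stand-alone marshalling example (not code from the patch or from libxenstore). It reproduces the xsd_sockmsg header layout from xs_wire.h and assumes the XS_RESTRICT opcode value is 20, derived from its position directly after XS_SET_TARGET in the enum; the domid is formatted with %u so large unsigned values are never sent negative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire header from xen/include/public/io/xs_wire.h: four 32-bit fields in
 * host byte order (xenstore is a local transport), then `len` payload bytes. */
struct xsd_sockmsg {
    uint32_t type;   /* XS_??? opcode */
    uint32_t req_id; /* echoed back in the daemon's reply */
    uint32_t tx_id;  /* 0 == XBT_NULL, not part of a transaction */
    uint32_t len;    /* payload length, including the trailing NUL */
};

/* Assumed value: XS_RESTRICT is appended right after XS_SET_TARGET, which
 * makes it the 21st enumerator counting XS_DEBUG as 0. */
#define XS_RESTRICT_OPCODE 20u

/* Build the request xs_restrict(h, domid) sends: header, decimal domid, NUL
 * (xs_single() always sends its single string argument with its terminator).
 * Returns the total byte count written to `out`, or 0 if `out` is too small. */
size_t build_restrict_request(unsigned domid, uint32_t req_id,
                              unsigned char *out, size_t cap)
{
    char payload[16];
    int n = snprintf(payload, sizeof payload, "%u", domid);
    if (n < 0 || (size_t)n >= sizeof payload)
        return 0;
    size_t plen = (size_t)n + 1;                 /* count the NUL terminator */
    if (cap < sizeof(struct xsd_sockmsg) + plen)
        return 0;
    struct xsd_sockmsg hdr = { XS_RESTRICT_OPCODE, req_id, 0, (uint32_t)plen };
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, payload, plen);
    return sizeof hdr + plen;
}

/* Decode a header back out of a buffer, for inspecting what was built. */
struct xsd_sockmsg read_header(const unsigned char *buf)
{
    struct xsd_sockmsg hdr;
    memcpy(&hdr, buf, sizeof hdr);
    return hdr;
}
```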