diff options
| author | Ian Jackson <ian.jackson@eu.citrix.com> | 2013-06-25 11:24:22 +0100 |
|---|---|---|
| committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2013-06-25 11:24:22 +0100 |
| commit | 28d386fc4341683af86f6c3fde544e1651715ffd (patch) | |
| tree | c5604f0179969ae1dd127cfc74b727d8452c6196 /tools/libxl/libxl_internal.h | |
| parent | 6809b4859f186d74a0eed31fba1d90c7f32e1a69 (diff) | |
| download | xen-28d386fc4341683af86f6c3fde544e1651715ffd.tar.gz xen-28d386fc4341683af86f6c3fde544e1651715ffd.tar.bz2 xen-28d386fc4341683af86f6c3fde544e1651715ffd.zip | |
libxl: Restrict permissions on PV console device xenstore nodes
Matthew Daley has observed that the PV console protocol places sensitive host
state into a guest writeable xenstore locations, this includes:
- The pty used to communicate between the console backend daemon and its
client, allowing the guest administrator to read and write arbitrary host
files.
- The output file, allowing the guest administrator to write arbitrary host
files or to target arbitrary qemu chardevs which include sockets, udp, ptr,
pipes etc (see -chardev in qemu(1) for a more complete list).
- The maximum buffer size, allowing the guest administrator to consume more
resources than the host administrator has configured.
- The backend to use (qemu vs xenconsoled), potentially allowing the guest
administrator to confuse host software.
So we arrange to make the sensitive keys in the xenstore frontend directory
read only for the guest. This is safe since the xenstore permissions model,
unlike POSIX directory permissions, does not allow the guest to remove and
recreate a node if it has write access to the containing directory.
There are a few associated wrinkles:
- The primary PV console is "special". It's xenstore node is not under the
usual /devices/ subtree and it does not use the customary xenstore state
machine protocol. Unfortunately its directory is used for other things,
including the vnc-port node, which we do not want the guest to be able to
write to. Rather than trying to track down all the possible secondary uses
of this directory just make it r/o to the guest. All newly created
subdirectories inherit these permissions and so are now safe by default.
- The other serial consoles do use the customary xenstore state machine and
therefore need write access to at least the "protocol" and "state" nodes,
however they may also want to use arbitrary "feature-foo" nodes (although
I'm not aware of any) and therefore we cannot simply lock down the entire
frontend directory. Instead we add support to libxl__device_generic_add for
frontend keys which are explicitly read only and use that to lock down the
sensitive keys.
- Minios' console frontend wants to write the "type" node, which it has no
business doing since this is a host/toolstack level decision. This fails
now that the node has become read only to the PV guest. Since the toolstack
already writes this node just remove the attempt to set it.
This is a security issue, XSA-57.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Diffstat (limited to 'tools/libxl/libxl_internal.h')
| -rw-r--r-- | tools/libxl/libxl_internal.h | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h index 3ba3a21850..00ff6b96cd 100644 --- a/tools/libxl/libxl_internal.h +++ b/tools/libxl/libxl_internal.h @@ -519,6 +519,11 @@ _hidden char **libxl__xs_kvs_of_flexarray(libxl__gc *gc, flexarray_t *array, int /* treats kvs as pairs of keys and values and writes each to dir. */ _hidden int libxl__xs_writev(libxl__gc *gc, xs_transaction_t t, const char *dir, char **kvs); +/* as writev but also sets the permissions on each path */ +_hidden int libxl__xs_writev_perms(libxl__gc *gc, xs_transaction_t t, + const char *dir, char *kvs[], + struct xs_permissions *perms, + unsigned int num_perms); /* _atonce creates a transaction and writes all keys at once */ _hidden int libxl__xs_writev_atonce(libxl__gc *gc, const char *dir, char **kvs); @@ -933,7 +938,7 @@ _hidden int libxl__device_console_add(libxl__gc *gc, uint32_t domid, libxl__domain_build_state *state); _hidden int libxl__device_generic_add(libxl__gc *gc, xs_transaction_t t, - libxl__device *device, char **bents, char **fents); + libxl__device *device, char **bents, char **fents, char **ro_fents); _hidden char *libxl__device_backend_path(libxl__gc *gc, libxl__device *device); _hidden char *libxl__device_frontend_path(libxl__gc *gc, libxl__device *device); _hidden int libxl__parse_backend_path(libxl__gc *gc, const char *path, |