Fix handling of the entries-per-domain quota. Entries which are created by

the guest but deleted by dom0 were remaining accounted against the guest,
which meant that the guest would eventually run out of quota.

This patch also prevents unprivileged domains from changing the owner of a
node.  One guest could attack another by creating nodes and then transferring
them to the ownership of another, and though the accounting could be made to
work properly in this case, domains should never be transferring nodes in any
case, so it seems safer just to disallow the operation entirely.

Signed-off-by: Ewan Mellor <ewan@xensource.com>

1 files changed, 23 insertions, 6 deletions

diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c
index 40cc20386a..d21ae7b9c7 100644
--- a/tools/xenstore/xenstored_domain.c
+++ b/tools/xenstore/xenstored_domain.c
@@ -501,18 +501,35 @@ int domain_init(void)
 	return xce_handle;
 }
 
-void domain_entry_inc(struct connection *conn)
+void domain_entry_inc(struct connection *conn, struct node *node)
 {
-	if (!conn || !conn->domain)
+	struct domain *d;
+
+	if (!conn)
 		return;
-	conn->domain->nbentry++;
+
+	if (node->perms && node->perms[0].id != conn->id) {
+		d = find_domain_by_domid(node->perms[0].id);
+		if (d)
+			d->nbentry++;
+	}
+	else if (conn->domain) {
+		conn->domain->nbentry++;
+	}
 }
 
-void domain_entry_dec(struct connection *conn)
+void domain_entry_dec(struct connection *conn, struct node *node)
 {
-	if (!conn || !conn->domain)
+	struct domain *d;
+
+	if (!conn)
 		return;
-	if (conn->domain->nbentry)
+
+	if (node->perms && node->perms[0].id != conn->id) {
+		d = find_domain_by_domid(node->perms[0].id);
+		if (d && d->nbentry)
+			d->nbentry--;
+	} else if (conn->domain && conn->domain->nbentry)
 		conn->domain->nbentry--;
 }