| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Matthew Daley has observed that the PV console protocol places sensitive host
state into a guest writeable xenstore locations, this includes:
- The pty used to communicate between the console backend daemon and its
client, allowing the guest administrator to read and write arbitrary host
files.
- The output file, allowing the guest administrator to write arbitrary host
files or to target arbitrary qemu chardevs which include sockets, udp, ptr,
pipes etc (see -chardev in qemu(1) for a more complete list).
- The maximum buffer size, allowing the guest administrator to consume more
resources than the host administrator has configured.
- The backend to use (qemu vs xenconsoled), potentially allowing the guest
administrator to confuse host software.
So we arrange to make the sensitive keys in the xenstore frontend directory
read only for the guest. This is safe since the xenstore permissions model,
unlike POSIX directory permissions, does not allow the guest to remove and
recreate a node if it has write access to the containing directory.
There are a few associated wrinkles:
- The primary PV console is "special". It's xenstore node is not under the
usual /devices/ subtree and it does not use the customary xenstore state
machine protocol. Unfortunately its directory is used for other things,
including the vnc-port node, which we do not want the guest to be able to
write to. Rather than trying to track down all the possible secondary uses
of this directory just make it r/o to the guest. All newly created
subdirectories inherit these permissions and so are now safe by default.
- The other serial consoles do use the customary xenstore state machine and
therefore need write access to at least the "protocol" and "state" nodes,
however they may also want to use arbitrary "feature-foo" nodes (although
I'm not aware of any) and therefore we cannot simply lock down the entire
frontend directory. Instead we add support to libxl__device_generic_add for
frontend keys which are explicitly read only and use that to lock down the
sensitive keys.
- Minios' console frontend wants to write the "type" node, which it has no
business doing since this is a host/toolstack level decision. This fails
now that the node has become read only to the PV guest. Since the toolstack
already writes this node just remove the attempt to set it.
This is a security issue, XSA-57.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
|
| |
|
|
|
|
| |
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This functionality is a bit of a mess and several configurations are
not properly supported.
The protocol for changing is basically to change the params node in
the disk xenstore backend. There is no interlock or error reporting in
this protocol. Completely removing the device and recreating it is not
necessary nor expected. For reference the equivalent xend code is
tools/python/xen/xend/server/blkif.py::BlkifController::reconfigureDevice().
Device model stub domains are not supported. There appears to be no
way correctly to do a media change on the emulated device while also
changing the stub domains PV backend to point to the new
backend. Reworking this is a significant task deferred until 4.3. xend
(via the equivalent "xm block-configure" functionality) also does not
support media change for stub domains (confirmed by code inspection
and experiment). Unlike xend this version errors out instead of
silently not achieving anything in this case.
There is no support for qemu-xen (upstream) media change. I expect
this is supported on the qemu side and required QMP plumbing on the
libxl side. Again this is deferred until 4.3.
On the plus side the current implementation is trivially "asynchronous".
Adds a libxl__xs_writev_atonce helper to write a key-value list to
xenstore in one go.
Tested with Windows 7.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>
|
| |
|
|
|
|
| |
Signed-off-by: Roger Pau Monne <roger.pau@citrix.com>
Acked-by: Ian Campbell <ian.campbell@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This includes the EAGAIN case.
Users are of the form:
xs_transaction_t t = 0;
for (;;) {
rc = libxl__xs_transaction_start(gc, &t);
rc = stuff
if (rc) goto out;
...more...
rc = libxl__xs_transaction_commit(gc, &t);
if (!rc) break;
if (rc<0) goto out;
}
...
out:
So in EAGAIN (commit -> +1) we will go round the loop again and call start
which leads to:
xl: libxl_xshelp.c:174: libxl__xs_transaction_start: Assertion `!*t' failed.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In 25182:6c3345d7e9d9 the practice of passing NULL to gc-using memory
allocation functions was introduced. However, the arrangements there
were not correct as committed, because the error handling and logging
depends on getting a ctx from the gc - so an allocation error would in
fact result in libxl dereferencing NULL.
Instead, provide a special dummy gc in the ctx, called `nogc_gc'. It
is marked out specially by having alloc_maxsize==-1, which is
otherwise invalid.
Functions which need to actually look into the gc use the new test
function gc_is_real (whose purpose is mainly clarity of the code) to
check whether the gc is the dummy one, and do nothing if it is. And
we provide a helper macro NOGC which uses the in-scope real gc to find
the ctx and hence the dummy gc (and which replaces the previous
#define NOGC NULL).
Change all callers which pass 0 or NULL to an allocation function to
use NOGC or &ctx->nogc_gc, as applicable in the context.
We add a comment near the definition of LIBXL_INIT_GC pointing out
that it isn't any more the only place a libxl__gc struct is
initialised, for the benefit of anyone changing the contents of gc's
in the future.
Also, actually document that libxl__ptr_add is legal with ptr==NULL,
and change a couple of calls not to check for NULL argument.
Reported-by: Bamvor Jian Zhang <bjzhang@suse.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Bamvor Jian Zhang <bjzhang@suse.com>
Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
|
| |
|
|
|
|
|
|
| |
These useful utility functions make dealing with xenstore a little
less painful.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add a function which behaves like "xenstore-rm -t", and which will be
used to clean xenstore after unplug since we will be no longer
executing xen-hotplug-cleanup script, that used to do that for us.
Signed-off-by: Roger Pau Monne <roger.pau@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>
|
| |
|
|
|
|
|
|
|
| |
libxl__xs_directory takes a transaction parameter, but completely
ignores it, passing XBT_NULL unconditionally to xs_directory.
Signed-off-by: Roger Pau Monne <roger.pau@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Campbell <ian.campbell@citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move a lot of
#include <stdfoo.h>
from individual files into libxl_internal.h. This helps avoid
portability mistakes where necessary system headers are omitted from
individual files, and is also of course a convenience when developing.
Also add
#include "libxl_osdeps.h" /* must come before any other headers */
to the top of most libxl*.c files, so that anyone who adds any headers
before libxl_internal.h will put the in the right place.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a new libxl__xs_mkdir() to do this and also clean up extraneous
node creation while in the neighbourhood. Checking 'xenstore-ls -fp'
output before and after shows that, as well as the disappearance of
error, drivers, messages and domid, the following perms change is also
present:
-device/suspend = "" (ndomU)
+device/suspend = "" (n0,rdomU)
I believe the new perms are more desirable than the old ones.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libxl_internal.h now #includes libxl.h and various system headers.
This
1. makes the order of header inclusion more predictable
2. explicitly allows libxl_internal.h to use objects defined in libxl.h
3. removes the need for individual files to include these headers
Also
- remove some unnecessary #includes of libxl_utils.h,
flexarray.h, etc. in some libxl*.c files,
- include libxl_osdeps.h at the top of libxl_internal.h
- add missing includes of libxl_osdeps.h to a couple of files
- change libxl.h to libxl_internal.h in a couple of files
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
|
| |
|
|
|
|
|
|
|
| |
Paths and values which are not modified by these functions should be
declared as "const char *" not "char *".
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The all key is /libxl/$domid/dm-version.
The /libxl/$domid dir is created with the domain and should be only accessible
by the toolstack domain. The function libxl__xs_libxl_path() give this path.
This come with libxl__device_model_version_running() helper function.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>
|
| |
|
|
|
|
|
|
|
| |
Several places which were previsously indented using hard tabs are now
incorrectly indented. Fix them up.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
George Dunlap reports that gcc 4.4.3 complains:
libxl_dm.c: In function libxl__create_device_mode:
libxl_dm.c:776: error: format not a string literal and no format arguments
And indeed the format argument here is a char * from libxl__domain_bios().
Make the argument to libxl__xs_write a const char * and change
libxl__domain_bios to return a const char too.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
It isn't actually being used to write a vector at the only callsite
and can easily be implemented using xs_write.
Furthermore the old implementation used to leak both the key and value
strings.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
committer: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
It's not clear that the namespace rules described in libxl.h are
intended to apply to internal types but I don't see why not.
sed -i -e 's/\<libxl_device\>/libxl__device/g' tools/libxl/*.[ch]
sed -i -e 's/\<libxl_device_kinds\>/libxl__device_kinds/g' tools/libxl/*.[ch]
sed -i -e 's/\<libxl_gc\>/libxl__gc/g' tools/libxl/*.[ch]
sed -i -e 's/\<libxl_gc_owner\>/libxl__gc_owner/g' tools/libxl/*.[ch]
sed -i -e 's/\<libxl_spawn_starting\>/libxl__spawn_starting/g' tools/libxl/*.[ch]
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch covers the remaining functions identified by:
rgrep _hidden tools/libxl/*.h | grep -v libxl__
sed -i -e 's/XL_LOG/LIBXL__LOG/g' tools/libxl/*.[ch]
sed -i -e 's/xl_log/libxl__log/g' tools/libxl/*.[ch]
sed -i -e 's/\(build_\(pre\|post\|pv\|hvm\)\)/libxl__\1/g' tools/libxl/*.[ch]
sed -i -e 's/is_hvm/libxl__domain_is_hvm/g' tools/libxl/*.[ch]
sed -i -e 's/get_shutdown_reason/libxl__domain_shutdown_reason/g' tools/libxl/*.[ch]
sed -i -e 's/restore_common/libxl__domain_restore_common/g' tools/libxl/*.[ch]
sed -i -e 's/core_suspend/libxl__domain_suspend_common/g' tools/libxl/*.[ch]
sed -i -e 's/save_device_model/libxl__domain_save_device_model/g' tools/libxl/*.[ch]
sed -i -e 's/device_disk_backend_type_of_phystype/libxl__device_disk_backend_type_of_phystype/g' tools/libxl/*.[ch]
sed -i -e 's/\<libxl_blktap_enabled\>/libxl__blktap_enabled/g' tools/libxl/*.[ch]
sed -i -e 's/\<libxl_blktap_devpath\>/libxl__blktap_devpath/g' tools/libxl/*.[ch]
Add _hidden to libxl__blktap_enabled and libxl__blktap_devpath
Inline dominfo_libxl__domain_shutdown_reason(info) into
libxl__domain_shutdown_reason, its only caller.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch covers all those which could be trivially converted automatically.
sed -n -e 's/_hidden.*[ \*]libxl_\([^_][^()]*\)(.*/\1/pg' tools/libxl/*.h | \
while read i ; do \
sed -i -e "s/libxl_$i/libxl__$i/g" tools/libxl/*.[ch]; \
done
sed -n -e 's/_hidden.*_libxl_\([^_][^()]*\)(.*/\1/pg' tools/libxl/*.h | \
while read i ; do \
sed -i -e "s/_libxl_$i/libxl__$i/g" tools/libxl/*.[ch]; \
done
Check that diffstat includes libxl but not xl.
Fixup tools/libxl/xl_cmdimpl.c which used libxl_device_del instead of
libxl_device_disk_del in a printf.
(Patch runes re-run by Ian Jackson to refresh against tip libxl.)
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
| |
|
|
|
|
| |
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
committer: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
| |
|
|
|
|
|
|
| |
This is going to be used by libxl_console_add in the next patch to
avoid creating the device/console path on xenstore for console 0.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently scratch variables allocated by libxl have the same lifetime as
the context. While this is suitable for one off invocations of xl. It is
not so great for a daemon process linking to libxl. In that case there
will be prolific leakage of heap memory.
My proposed solution involves create a new libxl_gc structure, which
contains a pointer to an owning context as well as the garbage
collection data. Top-level library functions which expect to do a lot of
scratch allocations put gc struct on the stack and initialize it with a
macro. Before returning they then call libxl_free_all on this struct.
This means that static helper functions called by such functions will
usually take a gc instead of a ctx as a first parameter.
The patch touches almost every code-path so a close review and testing
would be much appreciated. I have tested with valgrind all of the parts
I could which looked non-straightforward. Suffice to say that it seems
crash-free even if we have exposed a few real memory leaks. These are
for cases where we return eg. block list to an xl caller but there is no
appropriate block_list_free() function to call. Ian Campbells work in
this area should sew up all these loose ends.
Signed-off-by: Gianni Tedesco <gianni.tedesco@citrix.com>
committer: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
| |
|
|
|
|
|
|
| |
typedef struct seems to be the dominant idiom in the mixture currently
in use.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
| |
|
|
|
|
|
| |
We need to use PRIu32 for domids, and also to pass arguments in the
right order.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
| |
|
|
| |
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The function libxl_domid_to_name() can return NULL if the path
/local/domain/%d/name does not exist. This causes a segfault if the
NULL name is later passed as a value to libxl_xs_writev(). I'm
hitting this making a call to libxl_device_vfb_add() from my graphical
switcher application.
This patch modifies xs_writev() and libxl_xs_writev() to skip NULL
values.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
|
| |
|
|
|
|
| |
use call to lowlevel functions to do the same things.
Signed-off-by: Vincent Hanquez <vincent.hanquez@eu.citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
osdeps.[hc] previously mistakenly declared and defined [v]asprintf.
These functions are available in the libc on most platforms. Also,
osdeps.h is used by xc.c but xc.c is not part of the library, so
osdeps.h is part of the public interface and should have a better
name.
So now, instead:
* osdeps.h is libxl_osdeps.h.
* _GNU_SOURCE is #defined in libxl_osdeps.h so that we get the system
[v]asprintf (and various other functions)
* libxl_osdeps.h is included first in every libxl*.c file (it needs
to be before any system headers so that _GNU_SOURCE) takes effect.
* osdeps.[hc] only provide their own reimplementation of [v]asprintf
if NEED_OWN_ASPRINTF is defined. Currently it is not ever defined
but this is provided for any platform which needs it.
* While I was editing the #includes in each .c file, I put them all
into the same order: "libxl_osdeps.h", then system headers,
then local headers.
* xs.h is included in libxl.h. This is needed for "bool"; it has to
not be typedefed in libxl.h because otherwise we get a duplicate
definition when including xs.h.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Introduce new variants of the logging functions which include
errno values (converted using strerror) in the messages passed to
the
application's logging callback.
* Use the new errno-including logging functions everywhere where
appropriate. In general, xc_... functions return errno values or 0;
xs_... functions return 0 or -1 (or some such) setting errno.
* When libxl_xs_get_dompath fails, do not treat it as an allocation
error. It isn't: it usually means xenstored failed.
* Remove many spurious \n's from log messages. (The applications log
callback is expected to add a \n if it wants to do that, so libxl's
logging functions should be passed strings without \n.)
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
|
|
|
Signed-off-by: Vincent Hanquez <Vincent.Hanquez@eu.citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
