WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] [PATCH] xenstored: allow guests to reintroduce themselve

from [Keir Fraser] [Permanent Link][Original]
To: Vincent Hanquez <vincent.hanquez@xxxxxxxxxxxxx>
Subject: Re: [Xen-devel] [PATCH] xenstored: allow guests to reintroduce themselves
From: Keir Fraser <keir@xxxxxxx>
Date: Tue, 09 Aug 2011 12:31:22 +0100
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Tue, 09 Aug 2011 04:32:14 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=sender:user-agent:date:subject:from:to:cc:message-id:thread-topic :thread-index:in-reply-to:mime-version:content-type :content-transfer-encoding; bh=owA4uSS+tV/02BDa/vY5d5PvKWeT0mNMWkpEKq7RqtU=; b=wr85TUmdu6OR8GOwyHVDyV/w2aLB04FOWoqrTIT7TPk5oSc35amobOQB9oppCTXz7x h6/gGw7/KQC/mzejnR5KvBxcPLKLEM8B0vWCbZNPKL7EPM5Zq3T07gaZ1aaYfqDeYJZV q49TyFmX2TVgqM9c1zB8rmK0rzVWf9BOYK9lQ=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4E411780.7050902@xxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcxWh91IYsrVxd8VSUaffPGbhHebRA==
Thread-topic: [Xen-devel] [PATCH] xenstored: allow guests to reintroduce themselves
User-agent: Microsoft-Entourage/12.30.0.110427 
On 09/08/2011 12:18, "Vincent Hanquez" <vincent.hanquez@xxxxxxxxxxxxx>
wrote:

> On 08/09/2011 12:00 PM, Keir Fraser wrote:
>> If userspace connections to xenbus were not trusted, we'd
>> need a lot more filtering than we have.
> 
> I don't think people that are using it in guest userspace (quite liberally)
> have necessarily realized this.

Well, you do need to be root (at least by default) to access the xenstore
device, and there are myriad other ways for a root process to break the
guest. Admittedly you could start as root and then deprivilege yourself, in
which case the xenstore conenction would be an ongoing point of excess
privilege.

Do you have any examples of projects which could run with much lesser
privilege, and very constrained xenstore access, if a suitably controlled
xenstore interface was provided?

 -- Keir



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-devel] [PATCH 3/3] xen/pv-on-hvm kexec+kdump: reset PV devices in kexec or crash kernel, Ian Campbell
Next by Date:  Re: [Xen-devel] [PATCH] xl: add memory allocation logic for numa platform, Ian Campbell
Previous by Thread:  Re: [Xen-devel] [PATCH] xenstored: allow guests to reintroduce themselves, Vincent Hanquez
Next by Thread:  Re: [Xen-devel] [PATCH] xenstored: allow guests to reintroduce themselves, Vincent Hanquez
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy