Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
SUSE:SLE-15-SP7:GA
xen.25148
xsa115-5.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File xsa115-5.patch of Package xen.25148
From c625fae44aedc246776b52eb1173cf847a3d4d80 Mon Sep 17 00:00:00 2001 From: Juergen Gross <jgross@suse.com> Date: Thu, 11 Jun 2020 16:12:41 +0200 Subject: [PATCH 05/10] tools/xenstore: check privilege for XS_IS_DOMAIN_INTRODUCED The Xenstore command XS_IS_DOMAIN_INTRODUCED should be possible for privileged domains only (the only user in the tree is the xenpaging daemon). Instead of having the privilege test for each command introduce a per-command flag for that purpose. This is part of XSA-115. Signed-off-by: Juergen Gross <jgross@suse.com> Reviewed-by: Julien Grall <jgrall@amazon.com> Reviewed-by: Paul Durrant <paul@xen.org> --- tools/xenstore/xenstored_core.c | 24 ++++++++++++++++++------ tools/xenstore/xenstored_domain.c | 7 ++----- 2 files changed, 20 insertions(+), 11 deletions(-) --- xen-4.12.4-testing.orig/tools/xenstore/xenstored_core.c +++ xen-4.12.4-testing/tools/xenstore/xenstored_core.c @@ -1283,8 +1283,10 @@ static struct { int (*func)(struct connection *conn, struct buffered_data *in); unsigned int flags; #define XS_FLAG_NOTID (1U << 0) /* Ignore transaction id. */ +#define XS_FLAG_PRIV (1U << 1) /* Privileged domain only. */ } const wire_funcs[XS_TYPE_COUNT] = { - [XS_CONTROL] = { "CONTROL", do_control }, + [XS_CONTROL] = + { "CONTROL", do_control, XS_FLAG_PRIV }, [XS_DIRECTORY] = { "DIRECTORY", send_directory }, [XS_READ] = { "READ", do_read }, [XS_GET_PERMS] = { "GET_PERMS", do_get_perms }, @@ -1294,8 +1296,10 @@ static struct { { "UNWATCH", do_unwatch, XS_FLAG_NOTID }, [XS_TRANSACTION_START] = { "TRANSACTION_START", do_transaction_start }, [XS_TRANSACTION_END] = { "TRANSACTION_END", do_transaction_end }, - [XS_INTRODUCE] = { "INTRODUCE", do_introduce }, - [XS_RELEASE] = { "RELEASE", do_release }, + [XS_INTRODUCE] = + { "INTRODUCE", do_introduce, XS_FLAG_PRIV }, + [XS_RELEASE] = + { "RELEASE", do_release, XS_FLAG_PRIV }, [XS_GET_DOMAIN_PATH] = { "GET_DOMAIN_PATH", do_get_domain_path }, [XS_WRITE] = { "WRITE", do_write }, [XS_MKDIR] = { "MKDIR", do_mkdir }, @@ -1304,9 +1308,11 @@ static struct { [XS_WATCH_EVENT] = { "WATCH_EVENT", NULL }, [XS_ERROR] = { "ERROR", NULL }, [XS_IS_DOMAIN_INTRODUCED] = - { "IS_DOMAIN_INTRODUCED", do_is_domain_introduced }, - [XS_RESUME] = { "RESUME", do_resume }, - [XS_SET_TARGET] = { "SET_TARGET", do_set_target }, + { "IS_DOMAIN_INTRODUCED", do_is_domain_introduced, XS_FLAG_PRIV }, + [XS_RESUME] = + { "RESUME", do_resume, XS_FLAG_PRIV }, + [XS_SET_TARGET] = + { "SET_TARGET", do_set_target, XS_FLAG_PRIV }, [XS_RESET_WATCHES] = { "RESET_WATCHES", do_reset_watches }, [XS_DIRECTORY_PART] = { "DIRECTORY_PART", send_directory_part }, }; @@ -1334,6 +1340,12 @@ static void process_message(struct conne return; } + if ((wire_funcs[type].flags & XS_FLAG_PRIV) && + domain_is_unprivileged(conn)) { + send_error(conn, EACCES); + return; + } + trans = (wire_funcs[type].flags & XS_FLAG_NOTID) ? NULL : transaction_lookup(conn, in->hdr.msg.tx_id); if (IS_ERR(trans)) { --- xen-4.12.4-testing.orig/tools/xenstore/xenstored_domain.c +++ xen-4.12.4-testing/tools/xenstore/xenstored_domain.c @@ -385,7 +385,7 @@ int do_introduce(struct connection *conn if (get_strings(in, vec, ARRAY_SIZE(vec)) < ARRAY_SIZE(vec)) return EINVAL; - if (domain_is_unprivileged(conn) || !conn->can_write) + if (!conn->can_write) return EACCES; domid = atoi(vec[0]); @@ -453,7 +453,7 @@ int do_set_target(struct connection *con if (get_strings(in, vec, ARRAY_SIZE(vec)) < ARRAY_SIZE(vec)) return EINVAL; - if (domain_is_unprivileged(conn) || !conn->can_write) + if (!conn->can_write) return EACCES; domid = atoi(vec[0]); @@ -488,9 +488,6 @@ static struct domain *onearg_domain(stru if (!domid) return ERR_PTR(-EINVAL); - if (domain_is_unprivileged(conn)) - return ERR_PTR(-EACCES); - return find_connected_domain(domid); }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor