From: Juergen Gross Subject: tools/xenstore: check privilege for XS_IS_DOMAIN_INTRODUCED The Xenstore command XS_IS_DOMAIN_INTRODUCED should be possible for privileged domains only (the only user in the tree is the xenpaging daemon). Instead of having the privilege test for each command introduce a per-command flag for that purpose. This is part of XSA-115. Signed-off-by: Juergen Gross Reviewed-by: Julien Grall Reviewed-by: Paul Durrant diff --git a/tools/xenstore/xenstored_core.c b/tools/xenstore/xenstored_core.c index 476e69d658..3d0e7b3917 100644 --- a/tools/xenstore/xenstored_core.c +++ b/tools/xenstore/xenstored_core.c @@ -1276,8 +1276,10 @@ static struct { int (*func)(struct connection *conn, struct buffered_data *in); unsigned int flags; #define XS_FLAG_NOTID (1U << 0) /* Ignore transaction id. */ +#define XS_FLAG_PRIV (1U << 1) /* Privileged domain only. */ } const wire_funcs[XS_TYPE_COUNT] = { - [XS_CONTROL] = { "CONTROL", do_control }, + [XS_CONTROL] = + { "CONTROL", do_control, XS_FLAG_PRIV }, [XS_DIRECTORY] = { "DIRECTORY", send_directory }, [XS_READ] = { "READ", do_read }, [XS_GET_PERMS] = { "GET_PERMS", do_get_perms }, @@ -1287,8 +1289,10 @@ static struct { { "UNWATCH", do_unwatch, XS_FLAG_NOTID }, [XS_TRANSACTION_START] = { "TRANSACTION_START", do_transaction_start }, [XS_TRANSACTION_END] = { "TRANSACTION_END", do_transaction_end }, - [XS_INTRODUCE] = { "INTRODUCE", do_introduce }, - [XS_RELEASE] = { "RELEASE", do_release }, + [XS_INTRODUCE] = + { "INTRODUCE", do_introduce, XS_FLAG_PRIV }, + [XS_RELEASE] = + { "RELEASE", do_release, XS_FLAG_PRIV }, [XS_GET_DOMAIN_PATH] = { "GET_DOMAIN_PATH", do_get_domain_path }, [XS_WRITE] = { "WRITE", do_write }, [XS_MKDIR] = { "MKDIR", do_mkdir }, @@ -1297,9 +1301,11 @@ static struct { [XS_WATCH_EVENT] = { "WATCH_EVENT", NULL }, [XS_ERROR] = { "ERROR", NULL }, [XS_IS_DOMAIN_INTRODUCED] = - { "IS_DOMAIN_INTRODUCED", do_is_domain_introduced }, - [XS_RESUME] = { "RESUME", do_resume }, - [XS_SET_TARGET] = { "SET_TARGET", do_set_target }, + { "IS_DOMAIN_INTRODUCED", do_is_domain_introduced, XS_FLAG_PRIV }, + [XS_RESUME] = + { "RESUME", do_resume, XS_FLAG_PRIV }, + [XS_SET_TARGET] = + { "SET_TARGET", do_set_target, XS_FLAG_PRIV }, [XS_RESET_WATCHES] = { "RESET_WATCHES", do_reset_watches }, [XS_DIRECTORY_PART] = { "DIRECTORY_PART", send_directory_part }, }; @@ -1327,6 +1333,12 @@ static void process_message(struct connection *conn, struct buffered_data *in) return; } + if ((wire_funcs[type].flags & XS_FLAG_PRIV) && + domain_is_unprivileged(conn)) { + send_error(conn, EACCES); + return; + } + trans = (wire_funcs[type].flags & XS_FLAG_NOTID) ? NULL : transaction_lookup(conn, in->hdr.msg.tx_id); if (IS_ERR(trans)) { diff --git a/tools/xenstore/xenstored_domain.c b/tools/xenstore/xenstored_domain.c index a2f144f6dd..364ad8ea63 100644 --- a/tools/xenstore/xenstored_domain.c +++ b/tools/xenstore/xenstored_domain.c @@ -372,9 +372,6 @@ int do_introduce(struct connection *conn, struct buffered_data *in) if (get_strings(in, vec, ARRAY_SIZE(vec)) < ARRAY_SIZE(vec)) return EINVAL; - if (domain_is_unprivileged(conn)) - return EACCES; - domid = atoi(vec[0]); /* Ignore the gfn, we don't need it. */ port = atoi(vec[2]); @@ -438,9 +435,6 @@ int do_set_target(struct connection *conn, struct buffered_data *in) if (get_strings(in, vec, ARRAY_SIZE(vec)) < ARRAY_SIZE(vec)) return EINVAL; - if (domain_is_unprivileged(conn)) - return EACCES; - domid = atoi(vec[0]); tdomid = atoi(vec[1]); @@ -473,9 +467,6 @@ static struct domain *onearg_domain(struct connection *conn, if (!domid) return ERR_PTR(-EINVAL); - if (domain_is_unprivileged(conn)) - return ERR_PTR(-EACCES); - return find_connected_domain(domid); }