tools/libxl: env variable to signal whether disk/nic backend is trusted

Introduce support in libxl for fetching the default backend trusted
option for disk and nic devices.

Users can set LIBXL_{DISK,NIC}_BACKEND_UNTRUSTED environment variable
to notify libxl of whether the backends for disk and nic devices
should be trusted.  Such information is passed into the frontend so it
can take the appropriate measures.

This is part of XSA-403.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>

diff --git a/docs/man/xl.1.pod.in b/docs/man/xl.1.pod.in
index 52a47a6fbd3d18bcb3873c115200f08c052049ca..8c28a5d5ca4040a10d23be971ae5603b2b8047e8 100644 (file)
--- a/docs/man/xl.1.pod.in
+++ b/docs/man/xl.1.pod.in
@@ -1938,6 +1938,24 @@ shows the decimal value. For non-linear mode, it shows hexadecimal value.
 
 =back
 
+=head1 ENVIRONMENT
+
+=over 4
+
+=item B<LIBXL_DISK_BACKEND_UNTRUSTED>
+
+Set this environment variable to "1" to suggest to the guest that the disk
+backend shouldn't be trusted. If the variable is absent or set to "0", the
+backend will be trusted.
+
+=item B<LIBXL_NIC_BACKEND_UNTRUSTED>
+
+Set this environment variable to "1" to suggest to the guest that the network
+backend shouldn't be trusted. If the variable is absent or set to "0", the
+backend will be trusted.
+
+=back
+
 =head1 IGNORED FOR COMPATIBILITY WITH XM
 
 xl is mostly command-line compatible with the old xm utility used with

diff --git a/tools/libxl/libxl_disk.c b/tools/libxl/libxl_disk.c
index ddc1eec1769fc8095a4515c393ba556a174f20e6..1e9d20d9c32299559d263e9a194dd63f9bfb58ca 100644 (file)
--- a/tools/libxl/libxl_disk.c
+++ b/tools/libxl/libxl_disk.c
@@ -246,6 +246,7 @@ static void device_disk_add(libxl__egc *egc, uint32_t domid,
     libxl_domain_config d_config;
     libxl_device_disk disk_saved;
     libxl__flock *lock = NULL;
+    const char *envvar;
 
     libxl_domain_config_init(&d_config);
     libxl_device_disk_init(&disk_saved);
@@ -395,6 +396,10 @@ static void device_disk_add(libxl__egc *egc, uint32_t domid,
         flexarray_append(front, GCSPRINTF("%d", device->devid));
         flexarray_append(front, "device-type");
         flexarray_append(front, disk->is_cdrom ? "cdrom" : "disk");
+        flexarray_append(front, "trusted");
+        envvar = getenv("LIBXL_DISK_BACKEND_UNTRUSTED");
+        /* Set "trusted=1" if envvar missing or is "0". */
+        flexarray_append(front, !envvar || !strcmp("0", envvar) ? "1" : "0");
 
         /*
          * Old PV kernel disk frontends before 2.6.26 rely on tool stack to

diff --git a/tools/libxl/libxl_nic.c b/tools/libxl/libxl_nic.c
index 07880b39e154571d5891c7ab33b979e6bb312966..b92281ab6abf9c329730c6567b39d1bb03e560f2 100644 (file)
--- a/tools/libxl/libxl_nic.c
+++ b/tools/libxl/libxl_nic.c
@@ -129,6 +129,8 @@ static int libxl__set_xenstore_nic(libxl__gc *gc, uint32_t domid,
                                    flexarray_t *back, flexarray_t *front,
                                    flexarray_t *ro_front)
 {
+    const char *envvar;
+
     flexarray_grow(back, 2);
 
     if (nic->script)
@@ -237,6 +239,11 @@ static int libxl__set_xenstore_nic(libxl__gc *gc, uint32_t domid,
     flexarray_append(front, GCSPRINTF(
                                     LIBXL_MAC_FMT, LIBXL_MAC_BYTES(nic->mac)));
 
+    flexarray_append(front, "trusted");
+    envvar = getenv("LIBXL_NIC_BACKEND_UNTRUSTED");
+    /* Set "trusted=1" if envvar missing or is "0". */
+    flexarray_append(front, !envvar || !strcmp("0", envvar) ? "1" : "0");
+
     return 0;
 }