tools/ocaml/xenstored: add xenstored.conf flag to turn off watch permission checks

There are flags to turn off quotas and the permission system, so add one
that turns off the newly introduced watch permission checks as well.

This is part of XSA-115.

Signed-off-by: Edwin Török <edvin.torok@citrix.com>
Acked-by: Christian Lindig <christian.lindig@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff --git a/tools/ocaml/xenstored/connection.ml b/tools/ocaml/xenstored/connection.ml
index 644a448f2eb3cdec159e8c49b8ba8341b7c82a0c..fa0d3c4d921c52c696d822f602a39c6bb642e561 100644 (file)
--- a/tools/ocaml/xenstored/connection.ml
+++ b/tools/ocaml/xenstored/connection.ml
@@ -218,7 +218,7 @@ let fire_single_watch_unchecked watch =
 let fire_single_watch (oldroot, root) watch =
        let abspath = get_watch_path watch.con watch.path |> Store.Path.of_string in
        let perms = lookup_watch_perms oldroot root abspath in
-       if List.exists (Perms.has watch.con.perm READ) perms then
+       if Perms.can_fire_watch watch.con.perm perms then
                fire_single_watch_unchecked watch
        else
                let perms = perms |> List.map (Perms.Node.to_string ~sep:" ") |> String.concat ", " in

diff --git a/tools/ocaml/xenstored/oxenstored.conf.in b/tools/ocaml/xenstored/oxenstored.conf.in
index 151b65b72d7d9fd79adf9088540cc69ceff10775..f84348298118298d32237cd5fc6f4e93999fdeda 100644 (file)
--- a/tools/ocaml/xenstored/oxenstored.conf.in
+++ b/tools/ocaml/xenstored/oxenstored.conf.in
@@ -44,6 +44,16 @@ conflict-rate-limit-is-aggregate = true
 # Activate node permission system
 perms-activate = true
 
+# Activate the watch permission system
+# When this is enabled unprivileged guests can only get watch events
+# for xenstore entries that they would've been able to read.
+#
+# When this is disabled unprivileged guests may get watch events
+# for xenstore entries that they cannot read. The watch event contains
+# only the entry name, not the value.
+# This restores behaviour prior to XSA-115.
+perms-watch-activate = true
+
 # Activate quota
 quota-activate = true
 quota-maxentity = 1000

diff --git a/tools/ocaml/xenstored/perms.ml b/tools/ocaml/xenstored/perms.ml
index 23b80aba3d0080f9004cec7381abf5a0c880de56..ee7fee6bda383a0cd42c6c7c32a6ce82b7c8257a 100644 (file)
--- a/tools/ocaml/xenstored/perms.ml
+++ b/tools/ocaml/xenstored/perms.ml
@@ -20,6 +20,7 @@ let info fmt = Logging.info "perms" fmt
 open Stdext
 
 let activate = ref true
+let watch_activate = ref true
 
 type permty = READ | WRITE | RDWR | NONE
 
@@ -168,5 +169,9 @@ let check connection request node =
 (* check if the current connection has the requested perm on the current node *)
 let has connection request node = not (lacks connection request node)
 
+let can_fire_watch connection perms =
+       not !watch_activate
+       || List.exists (has connection READ) perms
+
 let equiv perm1 perm2 =
        (Node.to_string perm1) = (Node.to_string perm2)

diff --git a/tools/ocaml/xenstored/xenstored.ml b/tools/ocaml/xenstored/xenstored.ml
index a7b837c19c4be8f36e9ff1466e7da4192c81a6a6..6926a4de41b34ca352e311a8caf69cbd411d2d8b 100644 (file)
--- a/tools/ocaml/xenstored/xenstored.ml
+++ b/tools/ocaml/xenstored/xenstored.ml
@@ -95,6 +95,7 @@ let parse_config filename =
                ("conflict-max-history-seconds", Config.Set_float Define.conflict_max_history_seconds);
                ("conflict-rate-limit-is-aggregate", Config.Set_bool Define.conflict_rate_limit_is_aggregate);
                ("perms-activate", Config.Set_bool Perms.activate);
+               ("perms-watch-activate", Config.Set_bool Perms.watch_activate);
                ("quota-activate", Config.Set_bool Quota.activate);
                ("quota-maxwatch", Config.Set_int Define.maxwatch);
                ("quota-transaction", Config.Set_int Define.maxtransaction);