dom0: Fix xenstore permissions qubes_netvm_external_ip
We should ensure that the first expression in the permissions list is nX, where X is the owning domain, and not rX or wX, as otherwise we would be granting all other VMs read access to the key. This is explained in more detail here:

http://wiki.xensource.com/xenwiki/XenBus

In practice the perms problem applied only to the qubes_netvm_external_ip key that is exposed by each NetVM to corresponding Proxy VMs. Before this fix, the key was readable by any VM in the system, which might not be desired in some more advanced networking setups, such as with Tor Proxy VM.
parent bbccdd30a0
commit 59f71f634a
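The rule the commit message describes (the first entry names the owner and sets what every unlisted domain gets) can be checked mechanically. The following is an added example, not code from the Qubes repository; the function names and the domain IDs 5, 7 and 9 are constructed for illustration.

```python
# Added example: models the xenstore permission-list rule from the commit message.
# Domain IDs are constructed: 5 = NetVM (owner), 7 = its Proxy VM, 9 = unrelated VM.
ACCESS = {"n": frozenset(), "r": frozenset({"read"}),
          "w": frozenset({"write"}), "b": frozenset({"read", "write"})}
FULL = ACCESS["b"]

def parse_perms(entries):
    """Split ['n5', 'r7'] into (owner, default access, per-domain ACL)."""
    if not entries:
        raise ValueError("permission list must start with an owner entry")
    parsed = []
    for entry in entries:
        letter, domid = entry[:1], entry[1:]
        if letter not in ACCESS or not domid.isdigit():
            raise ValueError("bad permission entry: %r" % (entry,))
        parsed.append((letter, int(domid)))
    default_letter, owner = parsed[0]
    acl = {}
    for letter, domid in parsed[1:]:
        # Assumption: on duplicate entries the first one for a domain is kept.
        acl.setdefault(domid, ACCESS[letter])
    return owner, ACCESS[default_letter], acl

def effective_access(entries, domid):
    """Access that domain `domid` gets on a key carrying this list."""
    owner, default, acl = parse_perms(entries)
    if domid in (0, owner):          # dom0 and the owner always have access
        return FULL
    return acl.get(domid, default)   # unlisted domains fall back to entry one

def audit(entries):
    """Return a finding when the first entry opens the key to every domain."""
    owner, default, _ = parse_perms(entries)
    if default:
        return ["first entry grants %s to all domains not listed (owner %d)"
                % ("/".join(sorted(default)), owner)]
    return []

BEFORE = ["r5", "w5", "r7"]   # list built before the fix
AFTER = ["n5", "r7"]          # list built after the fix

if __name__ == "__main__":
    for name, perms in (("before", BEFORE), ("after", AFTER)):
        print(name, "unrelated VM 9 gets:", sorted(effective_access(perms, 9)),
              "| findings:", audit(perms))
```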
@ -1446,8 +1446,7 @@ class QubesNetVm(QubesVm):
|
||||
"/local/domain/{0}/qubes_netvm_external_ip".format(xid)
|
||||
]
|
||||
|
||||
command.append("r{0}".format(xid,xid))
|
||||
command.append("w{0}".format(xid,xid))
|
||||
command.append("n{0}".format(xid))
|
||||
|
||||
for id in self.__external_ip_allowed_xids:
|
||||
command.append("r{0}".format(id))
|
||||
|
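Review bot: The line command.append("n{0}".format(xid)) has no comment explaining that the first permission entry names the owning domain and sets the default access for every domain not listed afterwards, so a later edit could put an r or w entry back in first position without noticing the effect; a one-line comment above it stating that the first entry must stay nX would guard against that. In the loop that follows, the variable name id shadows the Python builtin; a name such as allowed_xid would be clearer.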