From 787241f55216d34ca025c835c6a2096d7664d711 Mon Sep 17 00:00:00 2001 From: Juergen Gross Date: Tue, 13 Sep 2022 07:35:08 +0200 Subject: [PATCH 52/87] tools/xenstore: fix connection->id usage Don't use conn->id for privilege checks, but domain_is_unprivileged(). This is part of XSA-326. Signed-off-by: Juergen Gross Reviewed-by: Julien Grall (cherry picked from commit 3047df38e1991510bc295e3e1bb6b6b6c4a97831) --- tools/xenstore/xenstored_control.c | 2 +- tools/xenstore/xenstored_core.h | 2 +- tools/xenstore/xenstored_transaction.c | 3 ++- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/tools/xenstore/xenstored_control.c b/tools/xenstore/xenstored_control.c index 7b4300ef7777..adb8d51b043b 100644 --- a/tools/xenstore/xenstored_control.c +++ b/tools/xenstore/xenstored_control.c @@ -891,7 +891,7 @@ int do_control(struct connection *conn, struct buffered_data *in) unsigned int cmd, num, off; char **vec = NULL; - if (conn->id != 0) + if (domain_is_unprivileged(conn)) return EACCES; off = get_string(in, 0); diff --git a/tools/xenstore/xenstored_core.h b/tools/xenstore/xenstored_core.h index b9b50e81c7b4..b1a70488b989 100644 --- a/tools/xenstore/xenstored_core.h +++ b/tools/xenstore/xenstored_core.h @@ -123,7 +123,7 @@ struct connection /* The index of pollfd in global pollfd array */ int pollfd_idx; - /* Who am I? 0 for socket connections. */ + /* Who am I? Domid of connection. */ unsigned int id; /* Is this connection ignored? */ diff --git a/tools/xenstore/xenstored_transaction.c b/tools/xenstore/xenstored_transaction.c index 54432907fc76..ee1b09031a3b 100644 --- a/tools/xenstore/xenstored_transaction.c +++ b/tools/xenstore/xenstored_transaction.c @@ -477,7 +477,8 @@ int do_transaction_start(struct connection *conn, struct buffered_data *in) if (conn->transaction) return EBUSY; - if (conn->id && conn->transaction_started > quota_max_transaction) + if (domain_is_unprivileged(conn) && + conn->transaction_started > quota_max_transaction) return ENOSPC; /* Attach transaction to input for autofree until it's complete */ -- 2.37.4