From: Edwin Török <edvin.torok@citrix.com>
Date: Fri, 11 Dec 2020 20:50:36 +0000 (+0100)
Subject: tools/ocaml/xenstored: check privilege for XS_IS_DOMAIN_INTRODUCED
X-Git-Tag: archive/raspbian/4.11.4+57-g41a822c392-2+rpi1^2~15
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=b8b7578206ab2d9ba7a5f19f989ee68f924901fc;p=xen.git

tools/ocaml/xenstored: check privilege for XS_IS_DOMAIN_INTRODUCED

The Xenstore command XS_IS_DOMAIN_INTRODUCED should be possible for privileged
domains only (the only user in the tree is the xenpaging daemon).

This is part of XSA-115.

Signed-off-by: Edwin Török <edvin.torok@citrix.com>
Acked-by: Christian Lindig <christian.lindig@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

Gbp-Pq: Name 0062-tools-ocaml-xenstored-check-privilege-for-XS_IS_DOMA.patch
---

diff --git a/tools/ocaml/xenstored/process.ml b/tools/ocaml/xenstored/process.ml
index 0a0e43d1f0..f374abe998 100644
--- a/tools/ocaml/xenstored/process.ml
+++ b/tools/ocaml/xenstored/process.ml
@@ -166,7 +166,9 @@ let do_setperms con t domains cons data =
 let do_error con t domains cons data =
 	raise Define.Unknown_operation
 
-let do_isintroduced con t domains cons data =
+let do_isintroduced con _t domains _cons data =
+	if not (Connection.is_dom0 con)
+	then raise Define.Permission_denied;
 	let domid =
 		match (split None '\000' data) with
 		| domid :: _ -> int_of_string domid