Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IH-507: xapi_xenops: raise an error when the kernel isn't allowed #5874

Merged
merged 2 commits into from
Jul 23, 2024
Merged

IH-507: xapi_xenops: raise an error when the kernel isn't allowed #5874

merged 2 commits into from
Jul 23, 2024

Conversation

psafont
Copy link
Member

@psafont psafont commented Jul 22, 2024

Previously the path was replaced by an empty string, when trying to start he vm. The only feedback was on the logs as a debug message, but not all users that start VMs have access to the logs.

@andyhhp
Copy link
Contributor

andyhhp commented Jul 22, 2024

FWIW, 👍 to this. Even knowing there was a restriction like this, it's deeply unintuitive to debug when you get it wrong.

Also, we should never have allowed /boot/guest/ to be used like this in the first place. Maybe we take the opportunity to fix that mistake?

@psafont
IH-507: xapi_xenops: raise an error when the kernel isn't allowed
d88017e 
Previously the path was replaced by an empty string, when trying to start he
vm. The only feedback was on the logs as a debug message, but not all users
that start VMs have access to the logs.

Signed-off-by: Pau Ruiz Safont <pau.ruizsafont@cloud.com>
@psafont
IH-507: Do not allow guest kernels in /boot/
5dc2900 
This location is for dom0's boot chain exclusively

Signed-off-by: Pau Ruiz Safont <pau.ruizsafont@cloud.com>
@psafont
Copy link
Member Author

psafont commented Jul 23, 2024

I'm running changed internal tests that were using /boot/guest: Job run 4057980

lindig
lindig approved these changes Jul 23, 2024
View reviewed changes
Copy link
Contributor

@lindig lindig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The given paths is quite carefully checked using realpath to avoid symlink attacks.

@psafont psafont merged commit 1d0aae5 into xapi-project:master Jul 23, 2024
15 checks passed
@psafont psafont deleted the private/paus/minions branch July 23, 2024 13:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@last-genius last-genius last-genius approved these changes

@lindig lindig lindig approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@psafont @andyhhp @lindig @last-genius