@@ -715,11 +715,9 @@ Ocfs2 has only very limited security; it is assumed that anyone who can
access the filesystem bits on the shared disk can mount the filesystem and use
it. But in a virtualized data center,
higher isolation requirements may apply.
-As a result, a Xen boot option -- "tmem_shared_auth" -- was
-added. The option defaults to disabled,
-but when it is enabled, management tools must explicitly authenticate (or may
+As a result, management tools must explicitly authenticate (or may
explicitly deny) shared pool access to any client.
-On Xen, this is done with the "xm
+On Xen, this is done with the "xl
tmem-shared-auth" command.
<P>
<b><i>32-bit implementation</i>.</b>
@@ -1543,9 +1543,6 @@ pages) must also be specified via the tbuf\_size parameter.
### tmem\_compress
> `= <boolean>`
-### tmem\_shared\_auth
-> `= <boolean>`
-
### tsc
> `= unstable | skewed | stable:socket`
@@ -846,7 +846,6 @@ struct client *client_create(domid_t cli_id)
client->info.version = TMEM_SPEC_VERSION;
client->info.maxpools = MAX_POOLS_PER_DOMAIN;
client->info.flags.u.compress = tmem_compression_enabled();
- client->shared_auth_required = tmem_shared_auth();
for ( i = 0; i < MAX_GLOBAL_SHARED_POOLS; i++)
client->shared_auth_uuid[i][0] =
client->shared_auth_uuid[i][1] = -1L;
@@ -1530,7 +1529,8 @@ int do_tmem_new_pool(domid_t this_cli_id,
pool->shared = 0;
goto out;
}
- if ( client->shared_auth_required && !tmem_global.shared_auth )
+ /* By default only join domains that are authorized by admin. */
+ if ( !tmem_global.shared_auth )
{
for ( i = 0; i < MAX_GLOBAL_SHARED_POOLS; i++)
if ( (client->shared_auth_uuid[i][0] == uuid_lo) &&
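Review bot: With the per-client check now applied whenever `tmem_global.shared_auth` is clear, the `-1L` value that client_create writes into every `shared_auth_uuid` slot becomes security-relevant: an unused slot could compare equal to a requested UUID whose words are all ones, so the loop might accept a client that was never authorized. Whether that value is rejected earlier is not visible here, because do_tmem_new_pool starts and continues outside the hunk and the second half of the comparison is cut off. If it is not rejected, skip empty slots inside the loop, e.g. `if ( client->shared_auth_uuid[i][0] == -1L && client->shared_auth_uuid[i][1] == -1L ) continue;` (the loop body then needs braces). The added comment speaks of joining domains, although the check is about joining a shared pool and is skipped when the global flag is set; `/* Unless sharing is globally authorized, the client must hold a per-UUID authorization to join a shared pool. */` would describe it more accurately.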
@@ -20,9 +20,6 @@ boolean_param("tmem", opt_tmem);
bool_t __read_mostly opt_tmem_compress = 0;
boolean_param("tmem_compress", opt_tmem_compress);
-bool_t __read_mostly opt_tmem_shared_auth = 0;
-boolean_param("tmem_shared_auth", opt_tmem_shared_auth);
-
atomic_t freeable_page_count = ATOMIC_INIT(0);
/* these are a concurrency bottleneck, could be percpu and dynamically
@@ -41,12 +41,6 @@ static inline bool_t tmem_compression_enabled(void)
return opt_tmem_compress;
}
-extern bool_t opt_tmem_shared_auth;
-static inline bool_t tmem_shared_auth(void)
-{
- return opt_tmem_shared_auth;
-}
-
#ifdef CONFIG_TMEM
extern bool_t opt_tmem;
static inline bool_t tmem_enabled(void)
@@ -291,7 +285,6 @@ struct client {
long eph_count, eph_count_max;
domid_t cli_id;
xen_tmem_client_t info;
- bool_t shared_auth_required;
/* For save/restore/migration. */
bool_t was_frozen;
struct list_head persistent_invalidated_list;
Having an off-by-default option allowing guests to join _any_ shared pool is not very secure. Let's eliminate tmem_shared_auth bootup option (which was disabled by default) and have the code force this by default. Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> --- docs/misc/tmem-internals.html | 6 ++---- docs/misc/xen-command-line.markdown | 3 --- xen/common/tmem.c | 4 ++-- xen/common/tmem_xen.c | 3 --- xen/include/xen/tmem_xen.h | 7 ------- 5 files changed, 4 insertions(+), 19 deletions(-)