Tighten xenstore access for meminfo-writer

Set the permission only to the 'memory/meminfo' key (needs to be created first), not the whole 'memory' dir. And do it only if memory balancing is enabled. This avoids VM potentially messing with other keys (like static-max), or reporting meminfo when not expected to.
marmarek · Dec 27, 2022 · 8ce26eb · 8ce26eb
1 parent f8835ea
commit 8ce26eb
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/qubes/vm/qubesvm.py b/qubes/vm/qubesvm.py
@@ -2270,10 +2270,12 @@ def create_qdb_entries(self):
 
         # TODO: Currently the whole qmemman is quite Xen-specific, so stay with
         # xenstore for it until decided otherwise
-        if qmemman_present:
+        if qmemman_present and self.maxmem:
+            xs_basedir = f"/local/domain/{self.xid}"
+            self.app.vmm.xs.write('',
+                                  f"{xs_basedir}/memory/meminfo", "")
             self.app.vmm.xs.set_permissions('',
-                                            '/local/domain/{}/memory'.format(
-                                                self.xid),
+                                            f"{xs_basedir}/memory/meminfo",
                                             [{'dom': self.xid}])
 
         self.fire_event('domain-qdb-create')