oxenstored: permissions not checked on root node

ISSUE DESCRIPTION

In the Ocaml xenstored implementation, the internal representation of the tree has special cases for the root node, because this node has no parent.
Unfortunately, permissions were not checked for certain operations on the root node.
Unprivileged guests can get and modify permissions, list, and delete the root node. Deleting the whole xenstore tree is a hostwide denial of service. Depending on the circumstances, the vulnerability can also be leveraged into an ability to gain write access to any part of xenstore.

IMPACT

A guest administrator can deny service to the whole system simply by deleting the whole of xenstore.
Additionally, depending on other software in use, privilege escalation may be possible. With the default “xl” toolstack, a guest administrator can escalate their privilege to that of the host.

VULNERABLE SYSTEMS

All systems using oxenstored are vulnerable. Building and using oxenstored is the default in the upstream Xen distribution, if the Ocaml compiler is available.
The impact depends on the toolstack and other management software in use. Systems using libxl (for example, via “xl” or libvirt) are vulnerable to privilege escalation.
Systems using C xenstored are not vulnerable, no matter what toolstack or management software is in use.