[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 1/2] xen: Implement ioctl to restrict privcmd to a specific domain



On Tue, 2014-08-05 at 14:45 +0100, David Vrabel wrote:
> On 05/08/14 14:42, Konrad Rzeszutek Wilk wrote:
> > 
> >  - Some of these hypercalls don't have an ABI so we can't depend
> >    on them being stable. How do you want to handle that?
> 
> We are not going any further with this series because of this.
> 
> David

Well, this is partially true. We agree the patches as they are cannot be
accepted however in the long term we'd like to find a solution.

The current ABI from user-space to kernel defined by these patches is
perfectly fine (just two ioctl to restrict event channel/privcmd to a
specific domain).

For the implementation we were looking at different approaches:
- add an additional target field in vcpu structure to restrict to a
target for a particular vCPU with some additional hypercalls (like
multicall) that restrict contained hypercalls to a domain;
- an additional hypercall to do domctl but with restriction (this
probably require less changes to current patches);
- using flask. This looks easy to implement but currently code does not
deals well with vCPUs as labels are attached to domains.

Frediano



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.