[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH 28/28] libxl: xsrestrict QEMU
On Tue, 22 Dec 2015, Ian Jackson wrote: > If QEMU supports xsrestrict, pass xsrestrict=on to it (by default). > > XXX We need to do this only if xenstored supports it, and AFAICT there > is not a particularly easy way to test this. Should we open a new > test xenstore connection to query this information ? We could do this > once per libxl ctx. > > Allow the user to specify that xsrestrict should be on, in which case > if it qemu cannot be depriv'd, we fail. > > When qemu is depriv'd it still needs write access to the physmap > records in xenstore. It will be running with the privilege of the > domain, so we need to allow the domain write access to > /local/domain/$LIBXL_TOOLSTACK_DOMID/device-model/$DOMID/physmap QEMU also needs to be able to write to "state" under /local/domain/$LIBXL_TOOLSTACK_DOMID/device-model/$DOMID I guess theoretically it might be possible to restrict the xenstore connection on the QEMU side only after switching to the "running" state, however that's not how it was done in the early implementation at least: http://marc.info/?i=1433173614-19716-2-git-send-email-stefano.stabellini%40eu.citrix.com _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |