[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 3/8] xen: defer call to xen_restrict until just before os_setup_post

To: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, <qemu-devel@xxxxxxxxxx>
From: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
Date: Fri, 13 Oct 2017 09:37:02 +0100
Cc: Anthony PERARD <anthony.perard@xxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 13 Oct 2017 08:37:33 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 10/09/2017 05:01 PM, Ian Jackson wrote:

We need to restrict *all* the control fds that qemu opens.  Looking in
/proc/PID/fd shows there are many; their allocation seems scattered
throughout Xen support code in qemu.

We must postpone the restrict call until roughly the same time as qemu
changes its uid, chroots (if applicable), and so on.

There doesn't seem to be an appropriate hook already.  The RunState
change hook fires at different times depending on exactly what mode
qemu is operating in.

And it appears that no-one but the Xen code wants a hook at this phase
of execution.  So, introduce a bare call to a new function
xen_setup_post, just before os_setup_post.  Also provide the
appropriate stub for when Xen compilation is disabled.

We do the restriction before rather than after os_setup_post, because
xen_restrict may need to open /dev/null, and os_setup_post might have
called chroot.

This works for normally starting a VM but doesn't seem to work whenresuming/migrating.


Here is the order of selected operations when starting a VM normally:
    VNC server running on 127.0.0.1:5901
    xen_change_state_handler()
    xenstore_record_dm_state: running
    xen_setup_post()
    xentoolcore_restrict_all: rc = 0
    os_setup_post()
    main_loop()

Here is the order of selected operations when starting QEMU with-incoming fd:... :

    VNC server running on 127.0.0.1:5902
    migration_fd_incoming()
    xen_setup_post()
    xentoolcore_restrict_all: rc = 0
    os_setup_post()
    main_loop()
    migration_set_incoming_channel()
    migrate_set_state()
    xen_change_state_handler()
    xenstore_record_dm_state: running
    error recording dm state
    qemu exited with code 1

The issue is that QEMU needs xenstore access to write "running" but thisis after it has already been restricted. Moving xen_setup_post() intoxen_change_state_handler() works fine. The only issue is that in themigration case, it executes after os_setup_post() so QEMU might bechrooted in which case opening /dev/null to restrict fds doesn't work(unless its new root has a /dev/null).


--
Ross Lagerwall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH 3/8] xen: defer call to xen_restrict until just before os_setup_post
  - From: Ian Jackson
- Re: [Xen-devel] [PATCH 3/8] xen: defer call to xen_restrict until just before os_setup_post
  - From: Andrew Cooper

References:
- [Xen-devel] [PATCH v4 0/8] xen: xen-domid-restrict improvements
  - From: Ian Jackson
- [Xen-devel] [PATCH 3/8] xen: defer call to xen_restrict until just before os_setup_post
  - From: Ian Jackson

Prev by Date: Re: [Xen-devel] [PATCH] x86/vpt: fix a bug in pt_update_irq()
Next by Date: Re: [Xen-devel] [PATCH 1/3] x86/dom0: use dom0_paging_pages to account for the memory used by IOMMU pt
Previous by thread: Re: [Xen-devel] [PATCH 3/8] xen: defer call to xen_restrict until just before os_setup_post
Next by thread: Re: [Xen-devel] [PATCH 3/8] xen: defer call to xen_restrict until just before os_setup_post
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.