[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] docs/qemu-deprivilege: Revise and update with status and future plans

To: Ian Jackson <ian.jackson@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>
From: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
Date: Wed, 28 Mar 2018 13:47:03 +0100
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Anthony Perard <anthony.perard@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 28 Mar 2018 12:48:12 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 03/27/2018 02:33 PM, Ian Jackson wrote:

George Dunlap writes ("Re: [PATCH] docs/qemu-deprivilege: Revise and update with 
status and future plans"):

Actually I think most of the user-facing stuff already in xl.cfg is
inappropriate for that man page.  It might make sense to have a separate
man page for it.


I wouldn't object to that.

On 03/26/2018 05:43 PM, Ian Jackson wrote:

No.  Firstly, in each case, all relevant descriptors are restricted.
This is the purpose of the xentoolcore__restrict_* stuff.  Secondly,
xenstore *is* covered - but the xs fd is squashed so as to be totally
unuseable: xs.c uses xentoolcore__restrict_by_dup2_null.


Ross already gave me some corrections on this; here is what I have:

8<---
'''Description''': Close and restrict Xen-related file descriptors.
Specifically:
  * Close all xenstore-related file descriptors
  * Make sure that extraneous `privcmd` and `evtchn` instances are
closed
  * Make sure that all open instances of `privcmd` and `evtchn` file
descriptors have had IOCTL_PRIVCMD_RESTRICT and
IOCTL_EVTCHN_RESTRICT_DOMID ioctls called on them, respectively.
--->8

It sounds like the last may be inaccurate for libxl?


I don't think anything closes any extraneous fds.  My approach in
the libxc layer was to register all fds and have the restrict call
iterate over all of them.  So, I guess, drop your 2nd bullet.

All of this is done by qemu calling xentoolcore_restrict_all, not by
libxl.

Maybe the "extraneous privcmd and evtchn fds" Ross means are ones
inherited by qemu from the toolstack.

IIRC I didn't mention anything about extraneous fds. I'm not sure wherethat part came from

Maybe this part shouldn't contain so much detail. Perhaps it could justrefer to the documentation for xentoolcore_restrict_all?

Note that file descriptors are not just closed, they are replaced with/dev/null. Also note that any gnttab and gntalloc file descriptors (usedby libxengnttab) are also replaced with /dev/null.


Regards,
--
Ross Lagerwall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH] docs/qemu-deprivilege: Revise and update with status and future plans
  - From: George Dunlap

References:
- [Xen-devel] [PATCH] docs/qemu-deprivilege: Revise and update with status and future plans
  - From: George Dunlap
- Re: [Xen-devel] [PATCH] docs/qemu-deprivilege: Revise and update with status and future plans
  - From: Ian Jackson
- Re: [Xen-devel] [PATCH] docs/qemu-deprivilege: Revise and update with status and future plans
  - From: George Dunlap
- Re: [Xen-devel] [PATCH] docs/qemu-deprivilege: Revise and update with status and future plans
  - From: Ian Jackson

Prev by Date: Re: [Xen-devel] [PATCH] xen/acpi: off by one in read_acpi_id()
Next by Date: Re: [Xen-devel] [PATCH] docs/qemu-deprivilege: Revise and update with status and future plans
Previous by thread: Re: [Xen-devel] [PATCH] docs/qemu-deprivilege: Revise and update with status and future plans
Next by thread: Re: [Xen-devel] [PATCH] docs/qemu-deprivilege: Revise and update with status and future plans
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.