Xen project Mailing List

Re: [Xen-devel] [PATCH 05/16] xen: defer call to xen_restrict until just before os_setup_post

To: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>

From: Anthony PERARD <anthony.perard@xxxxxxxxxx>

Date: Mon, 23 Apr 2018 15:28:22 +0100

Cc: Juergen Gross <jgross@xxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Eduardo Habkost <ehabkost@xxxxxxxxxx>, "Michael S. Tsirkin" <mst@xxxxxxxxxx>, qemu-devel@xxxxxxxxxx, Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Paolo Bonzini <pbonzini@xxxxxxxxxx>, Richard Henderson <rth@xxxxxxxxxxx>

Delivery-date: Mon, 23 Apr 2018 14:28:38 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, Apr 19, 2018 at 05:45:08PM +0100, Ian Jackson wrote: > We need to restrict *all* the control fds that qemu opens. Looking in > /proc/PID/fd shows there are many; their allocation seems scattered > throughout Xen support code in qemu. > > We must postpone the restrict call until roughly the same time as qemu > changes its uid, chroots (if applicable), and so on. > > There doesn't seem to be an appropriate hook already. The RunState > change hook fires at different times depending on exactly what mode > qemu is operating in. > > And it appears that no-one but the Xen code wants a hook at this phase > of execution. So, introduce a bare call to a new function > xen_setup_post, just before os_setup_post. Also provide the > appropriate stub for when Xen compilation is disabled. > > We do the restriction before rather than after os_setup_post, because > xen_restrict may need to open /dev/null, and os_setup_post might have > called chroot. > > Currently this does not work with migration, because when running as > the Xen device model qemu needs to signal to the toolstack that it is > ready. It currently does this using xenstore, and for incoming > migration (but not for ordinary startup) that happens after > os_setup_post. > > It is correct that this happens late: we want the incoming migration > stream to be processed by a restricted qemu. The fix for this will be > to do the startup notification a different way, without using > xenstore. (QMP is probably a reasonable choice.) > > So for now this restriction feature cannot be used in conjunction with > migration. (Note that this is not a regression in this patch, because > previously the -xen-restrict-domid call was, in fact, simply > ineffective!) We will revisit this in the Xen 4.11 release cycle. > > Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> Acked-by: Anthony PERARD <anthony.perard@xxxxxxxxxx> -- Anthony PERARD _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.