|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH v2 3/6] tools/dm_restrict: Ask QEMU to chroot
> -----Original Message----- > From: George Dunlap [mailto:george.dunlap@xxxxxxxxxx] > Sent: 24 September 2018 10:50 > To: Paul Durrant <Paul.Durrant@xxxxxxxxxx>; xen-devel@xxxxxxxxxxxxxxxxxxxx > Cc: Anthony Perard <anthony.perard@xxxxxxxxxx>; Ian Jackson > <Ian.Jackson@xxxxxxxxxx>; Wei Liu <wei.liu2@xxxxxxxxxx> > Subject: Re: [Xen-devel] [PATCH v2 3/6] tools/dm_restrict: Ask QEMU to > chroot > > On 09/24/2018 09:20 AM, Paul Durrant wrote: > >> -----Original Message----- > >> From: Xen-devel [mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxxx] On > Behalf > >> Of George Dunlap > >> Sent: 21 September 2018 18:04 > >> To: xen-devel@xxxxxxxxxxxxxxxxxxxx > >> Cc: Anthony Perard <anthony.perard@xxxxxxxxxx>; Ian Jackson > >> <Ian.Jackson@xxxxxxxxxx>; Wei Liu <wei.liu2@xxxxxxxxxx>; George Dunlap > >> <George.Dunlap@xxxxxxxxxx> > >> Subject: [Xen-devel] [PATCH v2 3/6] tools/dm_restrict: Ask QEMU to > chroot > >> > >> When dm_restrict is enabled, ask QEMU to chroot into an empty > directory. > >> > >> * Create /var/run/qemu/root-domid (deleting the old one if it's there) > >> * Pass the -chroot option to QEMU > >> > >> Rather than running `rm -rf` on the directory before creating it > >> (since there is no library function to do this), simply rmdir the > >> directory, relying on the fact that the previous QEMU instance, if > >> properly restcirted, shouldn't have been able to write anything > > > > ^ typo... 'restricted' > > Oops -- fixed, thanks. > > >> diff --git a/docs/designs/qemu-deprivilege.md b/docs/designs/qemu- > >> deprivilege.md > >> index 1e731c16aa..df5bb07d7c 100644 > >> --- a/docs/designs/qemu-deprivilege.md > >> +++ b/docs/designs/qemu-deprivilege.md > >> @@ -58,12 +58,6 @@ FIXME: Double-check the correctness of the above > >> > >> '''Testing status''': Tested > >> > >> -# Restrictions / improvements still to do > >> - > >> -This lists potential restrictions still to do. It is meant to be > >> -listed in order of ease of implementation, with low-hanging fruit > >> -first. > >> - > >> ## Chroot > >> > >> '''Description''': Qemu runs in its own chroot, such that even if it > >> @@ -81,6 +75,12 @@ Then adds the following to the qemu command-line: > >> > >> '''Tested''': Not tested > > > > ^ should this change to 'tested' now? > > I sort of went back and forth here between whether this should mean 'a > test it available' (i.e., depriv-process-checker.sh checks it) and 'this > is actively being tested' (i.e., by osstest). Here I ended up going > with the second option, but that makes a weird dependency between > xen.git and osstest. > > One option, I suppose, would be to change this to "Test implemented" or > something. > Ok, 'Test implemented' sounds good. Paul > -George _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |