From: Stefano Stabellini <sstabellini@kernel.org>
To: peter.maydell@linaro.org
Cc: stefanha@gmail.com, sstabellini@kernel.org, stefanha@redhat.com,
anthony.perard@citrix.com, xen-devel@lists.xenproject.org,
qemu-devel@nongnu.org, Paul Durrant <paul.durrant@citrix.com>
Subject: [Qemu-devel] [PATCH 08/21] xen: additionally restrict xenforeignmemory operations
Date: Tue, 25 Apr 2017 11:35:00 -0700 [thread overview]
Message-ID: <1493145313-31311-8-git-send-email-sstabellini@kernel.org> (raw)
In-Reply-To: <1493145313-31311-1-git-send-email-sstabellini@kernel.org>
From: Paul Durrant <paul.durrant@citrix.com>
Commit f0f272baf3a7 "xen: use libxendevice model to restrict operations"
added a command-line option (-xen-domid-restrict) to limit operations
using the libxendevicemodel API to a specified domid. The commit also
noted that the restriction would be extended to cover operations issued
via other xen libraries by subsequent patches.
My recent Xen patch [1] added a call to the xenforeignmemory API to allow
it to be restricted. This patch now makes use of that new call when the
-xen-domid-restrict option is passed.
[1] http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=5823d6eb
Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
---
include/hw/xen/xen_common.h | 134 ++++++++++++++++++++++++++------------------
1 file changed, 78 insertions(+), 56 deletions(-)
diff --git a/include/hw/xen/xen_common.h b/include/hw/xen/xen_common.h
index 0fcbba8..e00ddd7 100644
--- a/include/hw/xen/xen_common.h
+++ b/include/hw/xen/xen_common.h
@@ -26,6 +26,58 @@ extern xc_interface *xen_xc;
* We don't support Xen prior to 4.2.0.
*/
+/* Xen 4.2 through 4.6 */
+#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40701
+
+typedef xc_interface xenforeignmemory_handle;
+typedef xc_evtchn xenevtchn_handle;
+typedef xc_gnttab xengnttab_handle;
+
+#define xenevtchn_open(l, f) xc_evtchn_open(l, f);
+#define xenevtchn_close(h) xc_evtchn_close(h)
+#define xenevtchn_fd(h) xc_evtchn_fd(h)
+#define xenevtchn_pending(h) xc_evtchn_pending(h)
+#define xenevtchn_notify(h, p) xc_evtchn_notify(h, p)
+#define xenevtchn_bind_interdomain(h, d, p) xc_evtchn_bind_interdomain(h, d, p)
+#define xenevtchn_unmask(h, p) xc_evtchn_unmask(h, p)
+#define xenevtchn_unbind(h, p) xc_evtchn_unbind(h, p)
+
+#define xengnttab_open(l, f) xc_gnttab_open(l, f)
+#define xengnttab_close(h) xc_gnttab_close(h)
+#define xengnttab_set_max_grants(h, n) xc_gnttab_set_max_grants(h, n)
+#define xengnttab_map_grant_ref(h, d, r, p) xc_gnttab_map_grant_ref(h, d, r, p)
+#define xengnttab_unmap(h, a, n) xc_gnttab_munmap(h, a, n)
+#define xengnttab_map_grant_refs(h, c, d, r, p) \
+ xc_gnttab_map_grant_refs(h, c, d, r, p)
+#define xengnttab_map_domain_grant_refs(h, c, d, r, p) \
+ xc_gnttab_map_domain_grant_refs(h, c, d, r, p)
+
+#define xenforeignmemory_open(l, f) xen_xc
+#define xenforeignmemory_close(h)
+
+static inline void *xenforeignmemory_map(xc_interface *h, uint32_t dom,
+ int prot, size_t pages,
+ const xen_pfn_t arr[/*pages*/],
+ int err[/*pages*/])
+{
+ if (err)
+ return xc_map_foreign_bulk(h, dom, prot, arr, err, pages);
+ else
+ return xc_map_foreign_pages(h, dom, prot, arr, pages);
+}
+
+#define xenforeignmemory_unmap(h, p, s) munmap(p, s * XC_PAGE_SIZE)
+
+#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40701 */
+
+#include <xenevtchn.h>
+#include <xengnttab.h>
+#include <xenforeignmemory.h>
+
+#endif
+
+extern xenforeignmemory_handle *xen_fmem;
+
#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40900
typedef xc_interface xendevicemodel_handle;
@@ -158,6 +210,13 @@ static inline int xendevicemodel_restrict(
return -1;
}
+static inline int xenforeignmemory_restrict(
+ xenforeignmemory_handle *fmem, domid_t domid)
+{
+ errno = ENOTTY;
+ return -1;
+}
+
#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40900 */
#undef XC_WANT_COMPAT_DEVICEMODEL_API
@@ -215,69 +274,32 @@ static inline int xen_modified_memory(domid_t domid, uint64_t first_pfn,
static inline int xen_restrict(domid_t domid)
{
- int rc = xendevicemodel_restrict(xen_dmod, domid);
+ int rc;
- trace_xen_domid_restrict(errno);
+ /* Attempt to restrict devicemodel operations */
+ rc = xendevicemodel_restrict(xen_dmod, domid);
+ trace_xen_domid_restrict(rc ? errno : 0);
- if (errno == ENOTTY) {
- return 0;
+ if (rc < 0) {
+ /*
+ * If errno is ENOTTY then restriction is not implemented so
+ * there's no point in trying to restrict other types of
+ * operation, but it should not be treated as a failure.
+ */
+ if (errno == ENOTTY) {
+ return 0;
+ }
+
+ return rc;
}
- return rc;
-}
-
-/* Xen 4.2 through 4.6 */
-#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40701
-
-typedef xc_interface xenforeignmemory_handle;
-typedef xc_evtchn xenevtchn_handle;
-typedef xc_gnttab xengnttab_handle;
-
-#define xenevtchn_open(l, f) xc_evtchn_open(l, f);
-#define xenevtchn_close(h) xc_evtchn_close(h)
-#define xenevtchn_fd(h) xc_evtchn_fd(h)
-#define xenevtchn_pending(h) xc_evtchn_pending(h)
-#define xenevtchn_notify(h, p) xc_evtchn_notify(h, p)
-#define xenevtchn_bind_interdomain(h, d, p) xc_evtchn_bind_interdomain(h, d, p)
-#define xenevtchn_unmask(h, p) xc_evtchn_unmask(h, p)
-#define xenevtchn_unbind(h, p) xc_evtchn_unbind(h, p)
-
-#define xengnttab_open(l, f) xc_gnttab_open(l, f)
-#define xengnttab_close(h) xc_gnttab_close(h)
-#define xengnttab_set_max_grants(h, n) xc_gnttab_set_max_grants(h, n)
-#define xengnttab_map_grant_ref(h, d, r, p) xc_gnttab_map_grant_ref(h, d, r, p)
-#define xengnttab_unmap(h, a, n) xc_gnttab_munmap(h, a, n)
-#define xengnttab_map_grant_refs(h, c, d, r, p) \
- xc_gnttab_map_grant_refs(h, c, d, r, p)
-#define xengnttab_map_domain_grant_refs(h, c, d, r, p) \
- xc_gnttab_map_domain_grant_refs(h, c, d, r, p)
-
-#define xenforeignmemory_open(l, f) xen_xc
-#define xenforeignmemory_close(h)
+ /* Restrict foreignmemory operations */
+ rc = xenforeignmemory_restrict(xen_fmem, domid);
+ trace_xen_domid_restrict(rc ? errno : 0);
-static inline void *xenforeignmemory_map(xc_interface *h, uint32_t dom,
- int prot, size_t pages,
- const xen_pfn_t arr[/*pages*/],
- int err[/*pages*/])
-{
- if (err)
- return xc_map_foreign_bulk(h, dom, prot, arr, err, pages);
- else
- return xc_map_foreign_pages(h, dom, prot, arr, pages);
+ return rc;
}
-#define xenforeignmemory_unmap(h, p, s) munmap(p, s * XC_PAGE_SIZE)
-
-#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40701 */
-
-#include <xenevtchn.h>
-#include <xengnttab.h>
-#include <xenforeignmemory.h>
-
-#endif
-
-extern xenforeignmemory_handle *xen_fmem;
-
void destroy_hvm_domain(bool reboot);
/* shutdown/destroy current domain because of an error */
--
1.9.1
WARNING: multiple messages have this Message-ID (diff)
From: Stefano Stabellini <sstabellini@kernel.org>
To: peter.maydell@linaro.org
Cc: sstabellini@kernel.org, stefanha@gmail.com,
qemu-devel@nongnu.org, Paul Durrant <paul.durrant@citrix.com>,
stefanha@redhat.com, anthony.perard@citrix.com,
xen-devel@lists.xenproject.org
Subject: [PATCH 08/21] xen: additionally restrict xenforeignmemory operations
Date: Tue, 25 Apr 2017 11:35:00 -0700 [thread overview]
Message-ID: <1493145313-31311-8-git-send-email-sstabellini@kernel.org> (raw)
In-Reply-To: <1493145313-31311-1-git-send-email-sstabellini@kernel.org>
From: Paul Durrant <paul.durrant@citrix.com>
Commit f0f272baf3a7 "xen: use libxendevice model to restrict operations"
added a command-line option (-xen-domid-restrict) to limit operations
using the libxendevicemodel API to a specified domid. The commit also
noted that the restriction would be extended to cover operations issued
via other xen libraries by subsequent patches.
My recent Xen patch [1] added a call to the xenforeignmemory API to allow
it to be restricted. This patch now makes use of that new call when the
-xen-domid-restrict option is passed.
[1] http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=5823d6eb
Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
---
include/hw/xen/xen_common.h | 134 ++++++++++++++++++++++++++------------------
1 file changed, 78 insertions(+), 56 deletions(-)
diff --git a/include/hw/xen/xen_common.h b/include/hw/xen/xen_common.h
index 0fcbba8..e00ddd7 100644
--- a/include/hw/xen/xen_common.h
+++ b/include/hw/xen/xen_common.h
@@ -26,6 +26,58 @@ extern xc_interface *xen_xc;
* We don't support Xen prior to 4.2.0.
*/
+/* Xen 4.2 through 4.6 */
+#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40701
+
+typedef xc_interface xenforeignmemory_handle;
+typedef xc_evtchn xenevtchn_handle;
+typedef xc_gnttab xengnttab_handle;
+
+#define xenevtchn_open(l, f) xc_evtchn_open(l, f);
+#define xenevtchn_close(h) xc_evtchn_close(h)
+#define xenevtchn_fd(h) xc_evtchn_fd(h)
+#define xenevtchn_pending(h) xc_evtchn_pending(h)
+#define xenevtchn_notify(h, p) xc_evtchn_notify(h, p)
+#define xenevtchn_bind_interdomain(h, d, p) xc_evtchn_bind_interdomain(h, d, p)
+#define xenevtchn_unmask(h, p) xc_evtchn_unmask(h, p)
+#define xenevtchn_unbind(h, p) xc_evtchn_unbind(h, p)
+
+#define xengnttab_open(l, f) xc_gnttab_open(l, f)
+#define xengnttab_close(h) xc_gnttab_close(h)
+#define xengnttab_set_max_grants(h, n) xc_gnttab_set_max_grants(h, n)
+#define xengnttab_map_grant_ref(h, d, r, p) xc_gnttab_map_grant_ref(h, d, r, p)
+#define xengnttab_unmap(h, a, n) xc_gnttab_munmap(h, a, n)
+#define xengnttab_map_grant_refs(h, c, d, r, p) \
+ xc_gnttab_map_grant_refs(h, c, d, r, p)
+#define xengnttab_map_domain_grant_refs(h, c, d, r, p) \
+ xc_gnttab_map_domain_grant_refs(h, c, d, r, p)
+
+#define xenforeignmemory_open(l, f) xen_xc
+#define xenforeignmemory_close(h)
+
+static inline void *xenforeignmemory_map(xc_interface *h, uint32_t dom,
+ int prot, size_t pages,
+ const xen_pfn_t arr[/*pages*/],
+ int err[/*pages*/])
+{
+ if (err)
+ return xc_map_foreign_bulk(h, dom, prot, arr, err, pages);
+ else
+ return xc_map_foreign_pages(h, dom, prot, arr, pages);
+}
+
+#define xenforeignmemory_unmap(h, p, s) munmap(p, s * XC_PAGE_SIZE)
+
+#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40701 */
+
+#include <xenevtchn.h>
+#include <xengnttab.h>
+#include <xenforeignmemory.h>
+
+#endif
+
+extern xenforeignmemory_handle *xen_fmem;
+
#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40900
typedef xc_interface xendevicemodel_handle;
@@ -158,6 +210,13 @@ static inline int xendevicemodel_restrict(
return -1;
}
+static inline int xenforeignmemory_restrict(
+ xenforeignmemory_handle *fmem, domid_t domid)
+{
+ errno = ENOTTY;
+ return -1;
+}
+
#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40900 */
#undef XC_WANT_COMPAT_DEVICEMODEL_API
@@ -215,69 +274,32 @@ static inline int xen_modified_memory(domid_t domid, uint64_t first_pfn,
static inline int xen_restrict(domid_t domid)
{
- int rc = xendevicemodel_restrict(xen_dmod, domid);
+ int rc;
- trace_xen_domid_restrict(errno);
+ /* Attempt to restrict devicemodel operations */
+ rc = xendevicemodel_restrict(xen_dmod, domid);
+ trace_xen_domid_restrict(rc ? errno : 0);
- if (errno == ENOTTY) {
- return 0;
+ if (rc < 0) {
+ /*
+ * If errno is ENOTTY then restriction is not implemented so
+ * there's no point in trying to restrict other types of
+ * operation, but it should not be treated as a failure.
+ */
+ if (errno == ENOTTY) {
+ return 0;
+ }
+
+ return rc;
}
- return rc;
-}
-
-/* Xen 4.2 through 4.6 */
-#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40701
-
-typedef xc_interface xenforeignmemory_handle;
-typedef xc_evtchn xenevtchn_handle;
-typedef xc_gnttab xengnttab_handle;
-
-#define xenevtchn_open(l, f) xc_evtchn_open(l, f);
-#define xenevtchn_close(h) xc_evtchn_close(h)
-#define xenevtchn_fd(h) xc_evtchn_fd(h)
-#define xenevtchn_pending(h) xc_evtchn_pending(h)
-#define xenevtchn_notify(h, p) xc_evtchn_notify(h, p)
-#define xenevtchn_bind_interdomain(h, d, p) xc_evtchn_bind_interdomain(h, d, p)
-#define xenevtchn_unmask(h, p) xc_evtchn_unmask(h, p)
-#define xenevtchn_unbind(h, p) xc_evtchn_unbind(h, p)
-
-#define xengnttab_open(l, f) xc_gnttab_open(l, f)
-#define xengnttab_close(h) xc_gnttab_close(h)
-#define xengnttab_set_max_grants(h, n) xc_gnttab_set_max_grants(h, n)
-#define xengnttab_map_grant_ref(h, d, r, p) xc_gnttab_map_grant_ref(h, d, r, p)
-#define xengnttab_unmap(h, a, n) xc_gnttab_munmap(h, a, n)
-#define xengnttab_map_grant_refs(h, c, d, r, p) \
- xc_gnttab_map_grant_refs(h, c, d, r, p)
-#define xengnttab_map_domain_grant_refs(h, c, d, r, p) \
- xc_gnttab_map_domain_grant_refs(h, c, d, r, p)
-
-#define xenforeignmemory_open(l, f) xen_xc
-#define xenforeignmemory_close(h)
+ /* Restrict foreignmemory operations */
+ rc = xenforeignmemory_restrict(xen_fmem, domid);
+ trace_xen_domid_restrict(rc ? errno : 0);
-static inline void *xenforeignmemory_map(xc_interface *h, uint32_t dom,
- int prot, size_t pages,
- const xen_pfn_t arr[/*pages*/],
- int err[/*pages*/])
-{
- if (err)
- return xc_map_foreign_bulk(h, dom, prot, arr, err, pages);
- else
- return xc_map_foreign_pages(h, dom, prot, arr, pages);
+ return rc;
}
-#define xenforeignmemory_unmap(h, p, s) munmap(p, s * XC_PAGE_SIZE)
-
-#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40701 */
-
-#include <xenevtchn.h>
-#include <xengnttab.h>
-#include <xenforeignmemory.h>
-
-#endif
-
-extern xenforeignmemory_handle *xen_fmem;
-
void destroy_hvm_domain(bool reboot);
/* shutdown/destroy current domain because of an error */
--
1.9.1
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-04-25 18:35 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-25 18:34 [Qemu-devel] [PULL 0/21] Please pull xen-20170421-v2-tag for 2.10 Stefano Stabellini
2017-04-25 18:34 ` Stefano Stabellini
2017-04-25 18:34 ` [Qemu-devel] [PATCH 01/21] xen: make use of xen_xc implicit in xen_common.h inlines Stefano Stabellini
2017-04-25 18:34 ` Stefano Stabellini
2017-04-25 18:34 ` [Qemu-devel] [PATCH 02/21] xen: rename xen_modified_memory() to xen_hvm_modified_memory() Stefano Stabellini
2017-04-25 18:34 ` Stefano Stabellini
2017-04-25 18:34 ` [Qemu-devel] [PATCH 03/21] xen: create wrappers for all other uses of xc_hvm_XXX() functions Stefano Stabellini
2017-04-25 18:34 ` Stefano Stabellini
2017-04-25 18:34 ` [Qemu-devel] [PATCH 04/21] configure: detect presence of libxendevicemodel Stefano Stabellini
2017-04-25 18:34 ` Stefano Stabellini
2017-04-25 18:34 ` [Qemu-devel] [PATCH 05/21] xen: use libxendevicemodel when available Stefano Stabellini
2017-04-25 18:34 ` Stefano Stabellini
2017-04-25 18:34 ` [Qemu-devel] [PATCH 06/21] xen: use 5 digit xen versions Stefano Stabellini
2017-04-25 18:34 ` Stefano Stabellini
2017-04-25 18:34 ` [Qemu-devel] [PATCH 07/21] xen: use libxendevice model to restrict operations Stefano Stabellini
2017-04-25 18:34 ` Stefano Stabellini
2017-04-25 18:35 ` Stefano Stabellini [this message]
2017-04-25 18:35 ` [PATCH 08/21] xen: additionally restrict xenforeignmemory operations Stefano Stabellini
2017-04-25 18:35 ` [Qemu-devel] [PATCH 09/21] configure: use pkg-config for obtaining xen version Stefano Stabellini
2017-04-25 18:35 ` Stefano Stabellini
2018-12-11 10:34 ` Peter Maydell
2018-12-11 10:34 ` [Qemu-devel] " Peter Maydell
2018-12-11 10:43 ` Daniel P. Berrangé
2018-12-11 10:43 ` Daniel P. Berrangé
2019-01-02 21:21 ` Stefano Stabellini
2019-01-02 21:21 ` [Qemu-devel] " Stefano Stabellini
2017-04-25 18:35 ` [Qemu-devel] [PATCH 10/21] xen: import ring.h from xen Stefano Stabellini
2017-04-25 18:35 ` Stefano Stabellini
2017-04-26 1:52 ` [Qemu-devel] " Philippe Mathieu-Daudé
2017-04-26 1:52 ` Philippe Mathieu-Daudé
2017-04-25 18:35 ` [Qemu-devel] [PATCH 11/21] 9p: introduce a type for the 9p header Stefano Stabellini
2017-04-25 18:35 ` Stefano Stabellini
2017-04-25 18:35 ` [Qemu-devel] [PATCH 12/21] xen/9pfs: introduce Xen 9pfs backend Stefano Stabellini
2017-04-25 18:35 ` Stefano Stabellini
2017-04-25 18:35 ` [Qemu-devel] [PATCH 13/21] xen/9pfs: connect to the frontend Stefano Stabellini
2017-04-25 18:35 ` Stefano Stabellini
2017-04-25 18:35 ` [Qemu-devel] [PATCH 14/21] xen/9pfs: receive requests from " Stefano Stabellini
2017-04-25 18:35 ` Stefano Stabellini
2017-04-25 18:35 ` [Qemu-devel] [PATCH 15/21] xen/9pfs: implement in/out_iov_from_pdu and vmarshal/vunmarshal Stefano Stabellini
2017-04-25 18:35 ` Stefano Stabellini
2017-04-25 18:35 ` [Qemu-devel] [PATCH 16/21] xen/9pfs: send responses back to the frontend Stefano Stabellini
2017-04-25 18:35 ` Stefano Stabellini
2017-04-25 18:35 ` [Qemu-devel] [PATCH 17/21] xen/9pfs: build and register Xen 9pfs backend Stefano Stabellini
2017-04-25 18:35 ` Stefano Stabellini
2017-04-25 18:35 ` [Qemu-devel] [PATCH 18/21] add xen-9p-backend to MAINTAINERS under Xen Stefano Stabellini
2017-04-25 18:35 ` Stefano Stabellini
2017-04-25 18:35 ` [Qemu-devel] [PATCH 19/21] move xen-common.c to hw/xen/ Stefano Stabellini
2017-04-25 18:35 ` Stefano Stabellini
2017-04-25 18:35 ` [Qemu-devel] [PATCH 20/21] move xen-hvm.c to hw/i386/xen/ Stefano Stabellini
2017-04-25 18:35 ` Stefano Stabellini
2017-04-25 18:35 ` [Qemu-devel] [PATCH 21/21] move xen-mapcache.c " Stefano Stabellini
2017-04-25 18:35 ` Stefano Stabellini
2017-04-26 10:39 ` [Qemu-devel] [PULL 0/21] Please pull xen-20170421-v2-tag for 2.10 Peter Maydell
2017-04-26 10:39 ` Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1493145313-31311-8-git-send-email-sstabellini@kernel.org \
--to=sstabellini@kernel.org \
--cc=anthony.perard@citrix.com \
--cc=paul.durrant@citrix.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@gmail.com \
--cc=stefanha@redhat.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.