From mboxrd@z Thu Jan  1 00:00:00 1970
From: Anthony PERARD <anthony.perard@citrix.com>
Subject: Re: [PATCH 05/16] xen: defer call to xen_restrict until
 just before os_setup_post
Date: Mon, 23 Apr 2018 15:28:22 +0100
Message-ID: <20180423142822.GA1980@perard>
References: <1524156319-11465-1-git-send-email-ian.jackson@eu.citrix.com>
 <1524156319-11465-6-git-send-email-ian.jackson@eu.citrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Return-path: <xen-devel-bounces@lists.xenproject.org>
Received: from all-amaz-eas1.inumbo.com ([34.197.232.57])
 by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from
 <srs0=l+ue=hm=citrix.com=prvs=644fc49e2=anthony.perard@srs-us1.protection.inumbo.net>)
 id 1fAcSH-0005Ng-NM
 for xen-devel@lists.xenproject.org; Mon, 23 Apr 2018 14:28:33 +0000
Content-Disposition: inline
In-Reply-To: <1524156319-11465-6-git-send-email-ian.jackson@eu.citrix.com>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xenproject.org>
List-Help: <mailto:xen-devel-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xenproject.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
To: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Juergen Gross <jgross@suse.com>, Stefano Stabellini <sstabellini@kernel.org>, Eduardo Habkost <ehabkost@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>, qemu-devel@nongnu.org, Ross Lagerwall <ross.lagerwall@citrix.com>, xen-devel@lists.xenproject.org, Paolo Bonzini <pbonzini@redhat.com>, Richard Henderson <rth@twiddle.net>
List-Id: xen-devel@lists.xenproject.org

T24gVGh1LCBBcHIgMTksIDIwMTggYXQgMDU6NDU6MDhQTSArMDEwMCwgSWFuIEphY2tzb24gd3Jv
dGU6Cj4gV2UgbmVlZCB0byByZXN0cmljdCAqYWxsKiB0aGUgY29udHJvbCBmZHMgdGhhdCBxZW11
IG9wZW5zLiAgTG9va2luZyBpbgo+IC9wcm9jL1BJRC9mZCBzaG93cyB0aGVyZSBhcmUgbWFueTsg
dGhlaXIgYWxsb2NhdGlvbiBzZWVtcyBzY2F0dGVyZWQKPiB0aHJvdWdob3V0IFhlbiBzdXBwb3J0
IGNvZGUgaW4gcWVtdS4KPiAKPiBXZSBtdXN0IHBvc3Rwb25lIHRoZSByZXN0cmljdCBjYWxsIHVu
dGlsIHJvdWdobHkgdGhlIHNhbWUgdGltZSBhcyBxZW11Cj4gY2hhbmdlcyBpdHMgdWlkLCBjaHJv
b3RzIChpZiBhcHBsaWNhYmxlKSwgYW5kIHNvIG9uLgo+IAo+IFRoZXJlIGRvZXNuJ3Qgc2VlbSB0
byBiZSBhbiBhcHByb3ByaWF0ZSBob29rIGFscmVhZHkuICBUaGUgUnVuU3RhdGUKPiBjaGFuZ2Ug
aG9vayBmaXJlcyBhdCBkaWZmZXJlbnQgdGltZXMgZGVwZW5kaW5nIG9uIGV4YWN0bHkgd2hhdCBt
b2RlCj4gcWVtdSBpcyBvcGVyYXRpbmcgaW4uCj4gCj4gQW5kIGl0IGFwcGVhcnMgdGhhdCBuby1v
bmUgYnV0IHRoZSBYZW4gY29kZSB3YW50cyBhIGhvb2sgYXQgdGhpcyBwaGFzZQo+IG9mIGV4ZWN1
dGlvbi4gIFNvLCBpbnRyb2R1Y2UgYSBiYXJlIGNhbGwgdG8gYSBuZXcgZnVuY3Rpb24KPiB4ZW5f
c2V0dXBfcG9zdCwganVzdCBiZWZvcmUgb3Nfc2V0dXBfcG9zdC4gIEFsc28gcHJvdmlkZSB0aGUK
PiBhcHByb3ByaWF0ZSBzdHViIGZvciB3aGVuIFhlbiBjb21waWxhdGlvbiBpcyBkaXNhYmxlZC4K
PiAKPiBXZSBkbyB0aGUgcmVzdHJpY3Rpb24gYmVmb3JlIHJhdGhlciB0aGFuIGFmdGVyIG9zX3Nl
dHVwX3Bvc3QsIGJlY2F1c2UKPiB4ZW5fcmVzdHJpY3QgbWF5IG5lZWQgdG8gb3BlbiAvZGV2L251
bGwsIGFuZCBvc19zZXR1cF9wb3N0IG1pZ2h0IGhhdmUKPiBjYWxsZWQgY2hyb290Lgo+IAo+IEN1
cnJlbnRseSB0aGlzIGRvZXMgbm90IHdvcmsgd2l0aCBtaWdyYXRpb24sIGJlY2F1c2Ugd2hlbiBy
dW5uaW5nIGFzCj4gdGhlIFhlbiBkZXZpY2UgbW9kZWwgcWVtdSBuZWVkcyB0byBzaWduYWwgdG8g
dGhlIHRvb2xzdGFjayB0aGF0IGl0IGlzCj4gcmVhZHkuICBJdCBjdXJyZW50bHkgZG9lcyB0aGlz
IHVzaW5nIHhlbnN0b3JlLCBhbmQgZm9yIGluY29taW5nCj4gbWlncmF0aW9uIChidXQgbm90IGZv
ciBvcmRpbmFyeSBzdGFydHVwKSB0aGF0IGhhcHBlbnMgYWZ0ZXIKPiBvc19zZXR1cF9wb3N0Lgo+
IAo+IEl0IGlzIGNvcnJlY3QgdGhhdCB0aGlzIGhhcHBlbnMgbGF0ZTogd2Ugd2FudCB0aGUgaW5j
b21pbmcgbWlncmF0aW9uCj4gc3RyZWFtIHRvIGJlIHByb2Nlc3NlZCBieSBhIHJlc3RyaWN0ZWQg
cWVtdS4gIFRoZSBmaXggZm9yIHRoaXMgd2lsbCBiZQo+IHRvIGRvIHRoZSBzdGFydHVwIG5vdGlm
aWNhdGlvbiBhIGRpZmZlcmVudCB3YXksIHdpdGhvdXQgdXNpbmcKPiB4ZW5zdG9yZS4gIChRTVAg
aXMgcHJvYmFibHkgYSByZWFzb25hYmxlIGNob2ljZS4pCj4gCj4gU28gZm9yIG5vdyB0aGlzIHJl
c3RyaWN0aW9uIGZlYXR1cmUgY2Fubm90IGJlIHVzZWQgaW4gY29uanVuY3Rpb24gd2l0aAo+IG1p
Z3JhdGlvbi4gIChOb3RlIHRoYXQgdGhpcyBpcyBub3QgYSByZWdyZXNzaW9uIGluIHRoaXMgcGF0
Y2gsIGJlY2F1c2UKPiBwcmV2aW91c2x5IHRoZSAteGVuLXJlc3RyaWN0LWRvbWlkIGNhbGwgd2Fz
LCBpbiBmYWN0LCBzaW1wbHkKPiBpbmVmZmVjdGl2ZSEpICBXZSB3aWxsIHJldmlzaXQgdGhpcyBp
biB0aGUgWGVuIDQuMTEgcmVsZWFzZSBjeWNsZS4KPiAKPiBTaWduZWQtb2ZmLWJ5OiBJYW4gSmFj
a3NvbiA8SWFuLkphY2tzb25AZXUuY2l0cml4LmNvbT4KCkFja2VkLWJ5OiBBbnRob255IFBFUkFS
RCA8YW50aG9ueS5wZXJhcmRAY2l0cml4LmNvbT4KCi0tIApBbnRob255IFBFUkFSRAoKX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWRldmVsIG1haWxp
bmcgbGlzdApYZW4tZGV2ZWxAbGlzdHMueGVucHJvamVjdC5vcmcKaHR0cHM6Ly9saXN0cy54ZW5w
cm9qZWN0Lm9yZy9tYWlsbWFuL2xpc3RpbmZvL3hlbi1kZXZlbA==

From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:45484)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <prvs=644fc49e2=anthony.perard@citrix.com>)
	id 1fAcSO-0005CA-Fe
	for qemu-devel@nongnu.org; Mon, 23 Apr 2018 10:28:41 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <prvs=644fc49e2=anthony.perard@citrix.com>)
	id 1fAcSL-0004kR-9E
	for qemu-devel@nongnu.org; Mon, 23 Apr 2018 10:28:40 -0400
Received: from smtp03.citrix.com ([162.221.156.55]:19905)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71)
	(envelope-from <prvs=644fc49e2=anthony.perard@citrix.com>)
	id 1fAcSK-0004gD-Um
	for qemu-devel@nongnu.org; Mon, 23 Apr 2018 10:28:37 -0400
Date: Mon, 23 Apr 2018 15:28:22 +0100
From: Anthony PERARD <anthony.perard@citrix.com>
Message-ID: <20180423142822.GA1980@perard>
References: <1524156319-11465-1-git-send-email-ian.jackson@eu.citrix.com>
	<1524156319-11465-6-git-send-email-ian.jackson@eu.citrix.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1524156319-11465-6-git-send-email-ian.jackson@eu.citrix.com>
Subject: Re: [Qemu-devel] [PATCH 05/16] xen: defer call to xen_restrict
 until just before os_setup_post
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: qemu-devel@nongnu.org, Ross Lagerwall <ross.lagerwall@citrix.com>, Juergen Gross <jgross@suse.com>, Stefano Stabellini <sstabellini@kernel.org>, xen-devel@lists.xenproject.org, Paolo Bonzini <pbonzini@redhat.com>, Richard Henderson <rth@twiddle.net>, Eduardo Habkost <ehabkost@redhat.com>, "Michael S. Tsirkin" <mst@redhat.com>

On Thu, Apr 19, 2018 at 05:45:08PM +0100, Ian Jackson wrote:
> We need to restrict *all* the control fds that qemu opens.  Looking in
> /proc/PID/fd shows there are many; their allocation seems scattered
> throughout Xen support code in qemu.
> 
> We must postpone the restrict call until roughly the same time as qemu
> changes its uid, chroots (if applicable), and so on.
> 
> There doesn't seem to be an appropriate hook already.  The RunState
> change hook fires at different times depending on exactly what mode
> qemu is operating in.
> 
> And it appears that no-one but the Xen code wants a hook at this phase
> of execution.  So, introduce a bare call to a new function
> xen_setup_post, just before os_setup_post.  Also provide the
> appropriate stub for when Xen compilation is disabled.
> 
> We do the restriction before rather than after os_setup_post, because
> xen_restrict may need to open /dev/null, and os_setup_post might have
> called chroot.
> 
> Currently this does not work with migration, because when running as
> the Xen device model qemu needs to signal to the toolstack that it is
> ready.  It currently does this using xenstore, and for incoming
> migration (but not for ordinary startup) that happens after
> os_setup_post.
> 
> It is correct that this happens late: we want the incoming migration
> stream to be processed by a restricted qemu.  The fix for this will be
> to do the startup notification a different way, without using
> xenstore.  (QMP is probably a reasonable choice.)
> 
> So for now this restriction feature cannot be used in conjunction with
> migration.  (Note that this is not a regression in this patch, because
> previously the -xen-restrict-domid call was, in fact, simply
> ineffective!)  We will revisit this in the Xen 4.11 release cycle.
> 
> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

Acked-by: Anthony PERARD <anthony.perard@citrix.com>

-- 
Anthony PERARD