From: Stefano Stabellini <sstabellini@kernel.org>
To: peter.maydell@linaro.org
Cc: stefanha@gmail.com, sstabellini@kernel.org, stefanha@redhat.com,
	anthony.perard@citrix.com, xen-devel@lists.xenproject.org,
	qemu-devel@nongnu.org, Paul Durrant <paul.durrant@citrix.com>
Subject: [Qemu-devel] [PULL 08/21] xen: additionally restrict xenforeignmemory operations
Date: Fri, 21 Apr 2017 13:14:49 -0700	[thread overview]
Message-ID: <1492805702-19690-8-git-send-email-sstabellini@kernel.org> (raw)
In-Reply-To: <1492805702-19690-1-git-send-email-sstabellini@kernel.org>

From: Paul Durrant <paul.durrant@citrix.com>

Commit f0f272baf3a7 "xen: use libxendevice model to restrict operations"
added a command-line option (-xen-domid-restrict) to limit operations
using the libxendevicemodel API to a specified domid. The commit also
noted that the restriction would be extended to cover operations issued
via other xen libraries by subsequent patches.

My recent Xen patch [1] added a call to the xenforeignmemory API to allow
it to be restricted. This patch now makes use of that new call when the
-xen-domid-restrict option is passed.

[1] http://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=5823d6eb

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
---
 include/hw/xen/xen_common.h | 134 ++++++++++++++++++++++++++------------------
 1 file changed, 78 insertions(+), 56 deletions(-)

diff --git a/include/hw/xen/xen_common.h b/include/hw/xen/xen_common.h
index 0fcbba8..e00ddd7 100644
--- a/include/hw/xen/xen_common.h
+++ b/include/hw/xen/xen_common.h
@@ -26,6 +26,58 @@ extern xc_interface *xen_xc;
  * We don't support Xen prior to 4.2.0.
  */
 
+/* Xen 4.2 through 4.6 */
+#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40701
+
+typedef xc_interface xenforeignmemory_handle;
+typedef xc_evtchn xenevtchn_handle;
+typedef xc_gnttab xengnttab_handle;
+
+#define xenevtchn_open(l, f) xc_evtchn_open(l, f);
+#define xenevtchn_close(h) xc_evtchn_close(h)
+#define xenevtchn_fd(h) xc_evtchn_fd(h)
+#define xenevtchn_pending(h) xc_evtchn_pending(h)
+#define xenevtchn_notify(h, p) xc_evtchn_notify(h, p)
+#define xenevtchn_bind_interdomain(h, d, p) xc_evtchn_bind_interdomain(h, d, p)
+#define xenevtchn_unmask(h, p) xc_evtchn_unmask(h, p)
+#define xenevtchn_unbind(h, p) xc_evtchn_unbind(h, p)
+
+#define xengnttab_open(l, f) xc_gnttab_open(l, f)
+#define xengnttab_close(h) xc_gnttab_close(h)
+#define xengnttab_set_max_grants(h, n) xc_gnttab_set_max_grants(h, n)
+#define xengnttab_map_grant_ref(h, d, r, p) xc_gnttab_map_grant_ref(h, d, r, p)
+#define xengnttab_unmap(h, a, n) xc_gnttab_munmap(h, a, n)
+#define xengnttab_map_grant_refs(h, c, d, r, p) \
+    xc_gnttab_map_grant_refs(h, c, d, r, p)
+#define xengnttab_map_domain_grant_refs(h, c, d, r, p) \
+    xc_gnttab_map_domain_grant_refs(h, c, d, r, p)
+
+#define xenforeignmemory_open(l, f) xen_xc
+#define xenforeignmemory_close(h)
+
+static inline void *xenforeignmemory_map(xc_interface *h, uint32_t dom,
+                                         int prot, size_t pages,
+                                         const xen_pfn_t arr[/*pages*/],
+                                         int err[/*pages*/])
+{
+    if (err)
+        return xc_map_foreign_bulk(h, dom, prot, arr, err, pages);
+    else
+        return xc_map_foreign_pages(h, dom, prot, arr, pages);
+}
+
+#define xenforeignmemory_unmap(h, p, s) munmap(p, s * XC_PAGE_SIZE)
+
+#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40701 */
+
+#include <xenevtchn.h>
+#include <xengnttab.h>
+#include <xenforeignmemory.h>
+
+#endif
+
+extern xenforeignmemory_handle *xen_fmem;
+
 #if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40900
 
 typedef xc_interface xendevicemodel_handle;
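Review bot: `xenevtchn_open` in the Xen 4.2-4.6 compat block expands with a trailing semicolon, so it breaks when used inside an expression or in an unbraced `if`/`else`; since the block is being moved anyway, drop it: `#define xenevtchn_open(l, f) xc_evtchn_open(l, f)`. In the same block `xenforeignmemory_unmap` multiplies its argument without parentheses, so a call that passes `s` as a sum would hand the wrong length to munmap() and could leave part of a foreign mapping in place; `#define xenforeignmemory_unmap(h, p, s) munmap(p, (s) * XC_PAGE_SIZE)` avoids that. Both lines are carried over unchanged from their old position further down the file.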
@@ -158,6 +210,13 @@ static inline int xendevicemodel_restrict(
     return -1;
 }
 
+static inline int xenforeignmemory_restrict(
+    xenforeignmemory_handle *fmem, domid_t domid)
+{
+    errno = ENOTTY;
+    return -1;
+}
+
 #else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40900 */
 
 #undef XC_WANT_COMPAT_DEVICEMODEL_API
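Review bot: The new `xenforeignmemory_restrict` stub has no comment saying when it can run. On this pre-4.9 branch xen_restrict() calls xendevicemodel_restrict() first and returns 0 on ENOTTY, so, assuming the devicemodel stub just above (its body starts outside this hunk) also sets ENOTTY, this stub is only there to keep the build working and is never reached. I would add `/* Xen < 4.9: restriction is not available; xen_restrict() stops at the devicemodel step */` above it, because xen_restrict() does not tolerate ENOTTY from the foreignmemory step and a later reordering there would turn this -1 into a hard failure.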
@@ -215,69 +274,32 @@ static inline int xen_modified_memory(domid_t domid, uint64_t first_pfn,
 
 static inline int xen_restrict(domid_t domid)
 {
-    int rc = xendevicemodel_restrict(xen_dmod, domid);
+    int rc;
 
-    trace_xen_domid_restrict(errno);
+    /* Attempt to restrict devicemodel operations */
+    rc = xendevicemodel_restrict(xen_dmod, domid);
+    trace_xen_domid_restrict(rc ? errno : 0);
 
-    if (errno == ENOTTY) {
-        return 0;
+    if (rc < 0) {
+        /*
+         * If errno is ENOTTY then restriction is not implemented so
+         * there's no point in trying to restrict other types of
+         * operation, but it should not be treated as a failure.
+         */
+        if (errno == ENOTTY) {
+            return 0;
+        }
+
+        return rc;
     }
 
-    return rc;
-}
-
-/* Xen 4.2 through 4.6 */
-#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40701
-
-typedef xc_interface xenforeignmemory_handle;
-typedef xc_evtchn xenevtchn_handle;
-typedef xc_gnttab xengnttab_handle;
-
-#define xenevtchn_open(l, f) xc_evtchn_open(l, f);
-#define xenevtchn_close(h) xc_evtchn_close(h)
-#define xenevtchn_fd(h) xc_evtchn_fd(h)
-#define xenevtchn_pending(h) xc_evtchn_pending(h)
-#define xenevtchn_notify(h, p) xc_evtchn_notify(h, p)
-#define xenevtchn_bind_interdomain(h, d, p) xc_evtchn_bind_interdomain(h, d, p)
-#define xenevtchn_unmask(h, p) xc_evtchn_unmask(h, p)
-#define xenevtchn_unbind(h, p) xc_evtchn_unbind(h, p)
-
-#define xengnttab_open(l, f) xc_gnttab_open(l, f)
-#define xengnttab_close(h) xc_gnttab_close(h)
-#define xengnttab_set_max_grants(h, n) xc_gnttab_set_max_grants(h, n)
-#define xengnttab_map_grant_ref(h, d, r, p) xc_gnttab_map_grant_ref(h, d, r, p)
-#define xengnttab_unmap(h, a, n) xc_gnttab_munmap(h, a, n)
-#define xengnttab_map_grant_refs(h, c, d, r, p) \
-    xc_gnttab_map_grant_refs(h, c, d, r, p)
-#define xengnttab_map_domain_grant_refs(h, c, d, r, p) \
-    xc_gnttab_map_domain_grant_refs(h, c, d, r, p)
-
-#define xenforeignmemory_open(l, f) xen_xc
-#define xenforeignmemory_close(h)
+    /* Restrict foreignmemory operations */
+    rc = xenforeignmemory_restrict(xen_fmem, domid);
+    trace_xen_domid_restrict(rc ? errno : 0);
 
-static inline void *xenforeignmemory_map(xc_interface *h, uint32_t dom,
-                                         int prot, size_t pages,
-                                         const xen_pfn_t arr[/*pages*/],
-                                         int err[/*pages*/])
-{
-    if (err)
-        return xc_map_foreign_bulk(h, dom, prot, arr, err, pages);
-    else
-        return xc_map_foreign_pages(h, dom, prot, arr, pages);
+    return rc;
 }
 
-#define xenforeignmemory_unmap(h, p, s) munmap(p, s * XC_PAGE_SIZE)
-
-#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40701 */
-
-#include <xenevtchn.h>
-#include <xengnttab.h>
-#include <xenforeignmemory.h>
-
-#endif
-
-extern xenforeignmemory_handle *xen_fmem;
-
 void destroy_hvm_domain(bool reboot);
 
 /* shutdown/destroy current domain because of an error */
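Review bot: `xen_restrict()` reads `errno` after `trace_xen_domid_restrict()` has already run, so the `errno == ENOTTY` test depends on the trace call leaving errno untouched, which may not hold for every trace backend; capture it first with `int err = rc < 0 ? errno : 0;`, then trace and test `err`. The ENOTTY branch also returns 0, so a caller that passed -xen-domid-restrict cannot tell "restricted" from "restriction not implemented" and the process carries on unrestricted; the callers are not visible here, so at minimum the function needs a header comment stating that a 0 return does not guarantee the restriction was applied. Both steps emit the same trace event, so a trace does not show which of the two restrictions failed.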
-- 
1.9.1
