* [PATCH v5 00/26 (PARTIAL POSTING)] qemu restrict final fixes
@ 2017-10-10 17:41 Ian Jackson
2017-10-10 17:41 ` [PATCH 04/26] xentoolcore, _restrict_all: Introduce new library and implementation Ian Jackson
2017-10-10 17:41 ` [PATCH 24/26] libxl: dm_restrict: Support uid range user Ian Jackson
0 siblings, 2 replies; 6+ messages in thread
From: Ian Jackson @ 2017-10-10 17:41 UTC
To: xen-devel; +Cc: Ross Lagerwall, Stefano Stabellini, Wei Liu

These two patches
  [PATCH 04/26] xentoolcore, _restrict_all: Introduce new library and
  [PATCH 24/26] libxl: dm_restrict: Support uid range user
need fixes. See the commit messages. I am not resending the unchanged patches.

I intend to push the whole series tomorrow.

Thanks,
Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
* [PATCH 04/26] xentoolcore, _restrict_all: Introduce new library and implementation
2017-10-10 17:41 [PATCH v5 00/26 (PARTIAL POSTING)] qemu restrict final fixes Ian Jackson
@ 2017-10-10 17:41 ` Ian Jackson
2017-10-10 17:41 ` [PATCH 24/26] libxl: dm_restrict: Support uid range user Ian Jackson
1 sibling, 0 replies; 6+ messages in thread
From: Ian Jackson @ 2017-10-10 17:41 UTC
To: xen-devel; +Cc: Ross Lagerwall, Stefano Stabellini, Wei Liu, Ian Jackson

In practice, qemu opens a great many fds. Tracking them all down and playing whack-a-mole is unattractive. It is also potentially fragile in that future changes might accidentally undo our efforts.

Instead, we are going to teach all the Xen libraries how to register their fds so that they can be neutered with one qemu call.

Right now, nothing will go wrong if someone tries to link without -ltoolcore, but that will stop working as soon as the first other Xen library starts to register. So this patch will be followed by the stubdom build update, and should be followed by a MINIOS_UPSTREAM_REVISION update.

Sadly qemu upstream's configuration arrangements are too crude, being keyed solely off the Xen version number. So they cannot provide forward/backward build compatibility across changes in xen-unstable, like this one. qemu patches to link against xentoolcore should be applied in qemu upstream to avoid the qemu build breaking against the released version of Xen 4.10.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
---
v5: Fix lock() call to actually call pthread_mutex_lock! Spotted by Anthony Perard.
v3: Change %.o %.opic rules for extra dependency to $(LIB_OBJS) and $(PIC_OBJS) instead. (Report from Ross Lagerwall.)
v2: Remove obsolete "xxx" comment. No longer claim to provide idempotency. Add paragraphs to commit message about compatibility.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> --- .gitignore | 4 + tools/Rules.mk | 6 ++ tools/libs/Makefile | 1 + tools/libs/toolcore/Makefile | 101 ++++++++++++++++++++ tools/libs/toolcore/handlereg.c | 77 ++++++++++++++++ tools/libs/toolcore/include/xentoolcore.h | 73 +++++++++++++++ tools/libs/toolcore/include/xentoolcore_internal.h | 102 +++++++++++++++++++++ tools/libs/toolcore/libxentoolcore.map | 7 ++ tools/libs/toolcore/xentoolcore.pc.in | 9 ++ 9 files changed, 380 insertions(+) create mode 100644 tools/libs/toolcore/Makefile create mode 100644 tools/libs/toolcore/handlereg.c create mode 100644 tools/libs/toolcore/include/xentoolcore.h create mode 100644 tools/libs/toolcore/include/xentoolcore_internal.h create mode 100644 tools/libs/toolcore/libxentoolcore.map create mode 100644 tools/libs/toolcore/xentoolcore.pc.in diff --git a/.gitignore b/.gitignore index f36ddd2..95f40f1 100644 --- a/.gitignore +++ b/.gitignore @@ -73,6 +73,7 @@ stubdom/libxencall-* stubdom/libxenevtchn-* stubdom/libxenforeignmemory-* stubdom/libxengnttab-* +stubdom/libxentoolcore-* stubdom/libxentoollog-* stubdom/lwip-* stubdom/lwip/ @@ -98,6 +99,8 @@ tools/config.cache config/Tools.mk config/Stubdom.mk config/Docs.mk +tools/libs/toolcore/headers.chk +tools/libs/toolcore/xentoolcore.pc tools/libs/toollog/headers.chk tools/libs/toollog/xentoollog.pc tools/libs/evtchn/headers.chk @@ -352,6 +355,7 @@ tools/include/xen-foreign/arm64.h .git tools/misc/xen-hptool tools/misc/xen-mfndump +tools/libs/toolcore/include/_*.h tools/libxc/_*.[ch] tools/libxl/_*.[ch] tools/libxl/testidl diff --git a/tools/Rules.mk b/tools/Rules.mk index dbc7635..5e1c7cb 100644 --- a/tools/Rules.mk +++ b/tools/Rules.mk 
@@ -10,6 +10,7 @@ export _INSTALL := $(INSTALL) INSTALL = $(XEN_ROOT)/tools/cross-install XEN_INCLUDE = $(XEN_ROOT)/tools/include +XEN_LIBXENTOOLCORE = $(XEN_ROOT)/tools/libs/toolcore XEN_LIBXENTOOLLOG = $(XEN_ROOT)/tools/libs/toollog XEN_LIBXENEVTCHN = $(XEN_ROOT)/tools/libs/evtchn XEN_LIBXENGNTTAB = $(XEN_ROOT)/tools/libs/gnttab @@ -102,6 +103,11 @@ SHDEPS_libxentoollog = LDLIBS_libxentoollog = $(SHDEPS_libxentoollog) $(XEN_LIBXENTOOLLOG)/libxentoollog$(libextension) SHLIB_libxentoollog = $(SHDEPS_libxentoollog) -Wl,-rpath-link=$(XEN_LIBXENTOOLLOG) +CFLAGS_libxentoolcore = -I$(XEN_LIBXENTOOLCORE)/include $(CFLAGS_xeninclude) +SHDEPS_libxentoolcore = +LDLIBS_libxentoolcore = $(SHDEPS_libxentoolcore) $(XEN_LIBXENTOOLCORE)/libxentoolcore$(libextension) +SHLIB_libxentoolcore = $(SHDEPS_libxentoolcore) -Wl,-rpath-link=$(XEN_LIBXENTOOLCORE) + CFLAGS_libxenevtchn = -I$(XEN_LIBXENEVTCHN)/include $(CFLAGS_xeninclude) SHDEPS_libxenevtchn = LDLIBS_libxenevtchn = $(SHDEPS_libxenevtchn) $(XEN_LIBXENEVTCHN)/libxenevtchn$(libextension) diff --git a/tools/libs/Makefile b/tools/libs/Makefile index 2035873..ea9a64d 100644 --- a/tools/libs/Makefile +++ b/tools/libs/Makefile @@ -2,6 +2,7 @@ XEN_ROOT = $(CURDIR)/../.. include $(XEN_ROOT)/tools/Rules.mk SUBDIRS-y := +SUBDIRS-y += toolcore SUBDIRS-y += toollog SUBDIRS-y += evtchn SUBDIRS-y += gnttab diff --git a/tools/libs/toolcore/Makefile b/tools/libs/toolcore/Makefile new file mode 100644 index 0000000..73db0bd --- /dev/null +++ b/tools/libs/toolcore/Makefile 
@@ -0,0 +1,101 @@ +XEN_ROOT = $(CURDIR)/../../.. +include $(XEN_ROOT)/tools/Rules.mk + +MAJOR = 1 +MINOR = 0 +SHLIB_LDFLAGS += -Wl,--version-script=libxentoolcore.map + +CFLAGS += -Werror -Wmissing-prototypes +CFLAGS += -I./include + +SRCS-y += handlereg.c + +LIB_OBJS := $(patsubst %.c,%.o,$(SRCS-y)) +PIC_OBJS := $(patsubst %.c,%.opic,$(SRCS-y)) + +LIB := libxentoolcore.a +ifneq ($(nosharedlibs),y) +LIB += libxentoolcore.so +endif + +PKG_CONFIG := xentoolcore.pc +PKG_CONFIG_VERSION := $(MAJOR).$(MINOR) + +ifneq ($(CONFIG_LIBXC_MINIOS),y) +PKG_CONFIG_INST := $(PKG_CONFIG) +$(PKG_CONFIG_INST): PKG_CONFIG_PREFIX = $(prefix) +$(PKG_CONFIG_INST): PKG_CONFIG_INCDIR = $(includedir) +$(PKG_CONFIG_INST): PKG_CONFIG_LIBDIR = $(libdir) +endif + +PKG_CONFIG_LOCAL := $(foreach pc,$(PKG_CONFIG),$(PKG_CONFIG_DIR)/$(pc)) + +$(PKG_CONFIG_LOCAL): PKG_CONFIG_PREFIX = $(XEN_ROOT) +$(PKG_CONFIG_LOCAL): PKG_CONFIG_INCDIR = $(XEN_LIBXENTOOLCORE)/include +$(PKG_CONFIG_LOCAL): PKG_CONFIG_LIBDIR = $(CURDIR) + +AUTOINCS=include/_xentoolcore_list.h + +.PHONY: all +all: build + +.PHONY: build +build: + $(MAKE) libs + +.PHONY: libs +libs: headers.chk $(LIB) $(PKG_CONFIG_INST) $(PKG_CONFIG_LOCAL) + +$(LIB_OBJS): $(AUTOINCS) +$(PIC_OBJS): $(AUTOINCS) + +headers.chk: $(wildcard include/*.h) $(AUTOINCS) + +include/_xentoolcore_list.h: $(XEN_INCLUDE)/xen-external/bsd-sys-queue-h-seddery $(XEN_INCLUDE)/xen-external/bsd-sys-queue.h + $(PERL) $^ --prefix=xentoolcore >$@.new + $(call move-if-changed,$@.new,$@) + +libxentoolcore.a: $(LIB_OBJS) + $(AR) rc $@ $^ + +libxentoolcore.so: libxentoolcore.so.$(MAJOR) + $(SYMLINK_SHLIB) $< $@ +libxentoolcore.so.$(MAJOR): libxentoolcore.so.$(MAJOR).$(MINOR) + $(SYMLINK_SHLIB) $< $@ + +libxentoolcore.so.$(MAJOR).$(MINOR): $(PIC_OBJS) libxentoolcore.map + $(CC) $(LDFLAGS) -Wl,$(SONAME_LDFLAG) -Wl,libxentoolcore.so.$(MAJOR) $(SHLIB_LDFLAGS) -o $@ $(PIC_OBJS) $(APPEND_LDFLAGS) + +.PHONY: install +install: build + $(INSTALL_DIR) $(DESTDIR)$(libdir) + $(INSTALL_DIR) 
$(DESTDIR)$(includedir) + $(INSTALL_SHLIB) libxentoolcore.so.$(MAJOR).$(MINOR) $(DESTDIR)$(libdir) + $(INSTALL_DATA) libxentoolcore.a $(DESTDIR)$(libdir) + $(SYMLINK_SHLIB) libxentoolcore.so.$(MAJOR).$(MINOR) $(DESTDIR)$(libdir)/libxentoolcore.so.$(MAJOR) + $(SYMLINK_SHLIB) libxentoolcore.so.$(MAJOR) $(DESTDIR)$(libdir)/libxentoolcore.so + $(INSTALL_DATA) include/xentoolcore.h $(DESTDIR)$(includedir) + $(INSTALL_DATA) xentoolcore.pc $(DESTDIR)$(PKG_INSTALLDIR) + +.PHONY: uinstall +uninstall: + rm -f $(DESTDIR)$(PKG_INSTALLDIR)/xentoolcore.pc + rm -f $(DESTDIR)$(includedir)/xentoolcore.h + rm -f $(DESTDIR)$(libdir)/libxentoolcore.so + rm -f $(DESTDIR)$(libdir)/libxentoolcore.so.$(MAJOR) + rm -f $(DESTDIR)$(libdir)/libxentoolcore.so.$(MAJOR).$(MINOR) + rm -f $(DESTDIR)$(libdir)/libxentoolcore.a + +.PHONY: TAGS +TAGS: + etags -t *.c *.h + +.PHONY: clean +clean: + rm -rf *.rpm $(LIB) *~ $(DEPS_RM) $(LIB_OBJS) $(PIC_OBJS) + rm -f libxentoolcore.so.$(MAJOR).$(MINOR) libxentoolcore.so.$(MAJOR) + rm -f headers.chk + rm -f xentoolcore.pc + +.PHONY: distclean +distclean: clean diff --git a/tools/libs/toolcore/handlereg.c b/tools/libs/toolcore/handlereg.c new file mode 100644 index 0000000..5a854b2 --- /dev/null +++ b/tools/libs/toolcore/handlereg.c 
@@ -0,0 +1,77 @@ +/* + * handlreg.c + * + * implementation of xentoolcore_restrict_all + * + * Copyright (c) 2017 Citrix + * Part of a generic logging interface used by various dom0 userland libraries. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; If not, see <http://www.gnu.org/licenses/>. + */ + +#include "xentoolcore_internal.h" + +#include <pthread.h> +#include <assert.h> + +static pthread_mutex_t handles_lock = PTHREAD_MUTEX_INITIALIZER; +static XENTOOLCORE_LIST_HEAD(, Xentoolcore__Active_Handle) handles; + +static void lock(void) { + int e = pthread_mutex_lock(&handles_lock); + assert(!e); +} + +static void unlock(void) { + int e = pthread_mutex_unlock(&handles_lock); + assert(!e); +} + +void xentoolcore__register_active_handle(Xentoolcore__Active_Handle *ah) { + lock(); + XENTOOLCORE_LIST_INSERT_HEAD(&handles, ah, entry); + unlock(); +} + +void xentoolcore__deregister_active_handle(Xentoolcore__Active_Handle *ah) { + lock(); + XENTOOLCORE_LIST_REMOVE(ah, entry); + unlock(); +} + +int xentoolcore_restrict_all(uint32_t domid) { + int r; + Xentoolcore__Active_Handle *ah; + + lock(); + XENTOOLCORE_LIST_FOREACH(ah, &handles, entry) { + r = ah->restrict_callback(ah, domid); + if (r) goto out; + } + + r = 0; + out: + unlock(); + return r; +} + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ 
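Review bot: the file header in this handlereg.c hunk still reads "handlreg.c" and "Part of a generic logging interface used by various dom0 userland libraries.", which looks copied from xentoollog; it should name the file correctly and describe it as the active-handle registry behind xentoolcore_restrict_all. Separately, xentoolcore_restrict_all returns whatever the first failing restrict_callback returned, while xentoolcore.h promises "returns -1 and sets errno"; either state in xentoolcore_internal.h that callbacks must follow the -1/errno convention, or normalise the value before `return r;`. The loop also stops at the first failure, leaving handles earlier in the list restricted and later ones untouched; that is consistent with the header's "may succeed, or it may fail" wording, but a one-line comment at `if (r) goto out;` would save the next reader from wondering whether it is intentional.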
diff --git a/tools/libs/toolcore/include/xentoolcore.h b/tools/libs/toolcore/include/xentoolcore.h new file mode 100644 index 0000000..32e2af1 --- /dev/null +++ b/tools/libs/toolcore/include/xentoolcore.h 
@@ -0,0 +1,73 @@ +/* + * xentoolcore.h + * + * Copyright (c) 2017 Citrix + * + * Common features used/provided by all Xen tools libraries + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; If not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef XENTOOLCORE_H +#define XENTOOLCORE_H + +#include <stdint.h> + +/* + * int xentoolcore_restrict_all(uint32_t domid); + * + * Arranges that Xen library handles (fds etc.) which are currently held + * by Xen libraries, can no longer be used other than to affect domid. + * + * If this cannot be achieved, returns -1 and sets errno. + * If called again with the same domid, it may succeed, or it may + * fail (even though such a call is potentially meaningful). + * (If called again with a different domid, it will necessarily fail.) + * + * ==================================================================== + * IMPORTANT - IMPLEMENTATION STATUS + * + * This function will be implemented insofar as it appears necessary + * for the purposes of running a deprivileged qemu. + * + * However, this function is NOT implemented for all Xen libraries. + * For each use case of this function, the designer must evaluate and + * audit whether the implementation is sufficient in their specific + * context. + * + * Of course, patches to extend the implementation are very welcome. + * ==================================================================== + * + * Thread safe. 
+ * + * We expect that no callers do the following: + * - in one thread call xen_somelibrary_open|close + * - in another thread call fork + * - in the child of the fork, before exec, call + * xen_some[other]library_open|close or xentoolcore_restrict_all + * + */ +int xentoolcore_restrict_all(uint32_t domid); + +#endif /* XENTOOLCORE_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/tools/libs/toolcore/include/xentoolcore_internal.h b/tools/libs/toolcore/include/xentoolcore_internal.h new file mode 100644 index 0000000..670e29d --- /dev/null +++ b/tools/libs/toolcore/include/xentoolcore_internal.h 
@@ -0,0 +1,102 @@ +/* + * xentoolcore_internal.h + * + * Interfaces of xentoolcore directed internally at other Xen libraries + * + * Copyright (c) 2017 Citrix + * + * Common code used by all Xen tools libraries + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; If not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef XENTOOLCORE_INTERNAL_H +#define XENTOOLCORE_INTERNAL_H + +#include "xentoolcore.h" +#include "_xentoolcore_list.h" + +/*---------- active handle registration ----------*/ + +/* + * This is all to support xentoolcore_restrict_all + * + * Any libxl library that opens a Xen control handle of any kind which + * might allow manipulation of dom0, of other domains, or of the whole + * machine, must: + * I. arrange that their own datastructure contains a + * Xentoolcore__Active_Handle + * + * II. during the "open handle" function + * 1. allocate the memory for the own datastructure and initialise it + * 2. set Xentoolcore__Active_Handle.restrict_callback + * 3. call xentoolcore__register_active_handle + * 3a. if the open fails, call xentoolcore__deregister_active_handle + * 4. ONLY THEN actually open the relevant fd or whatever + * + * III. during the "close handle" function + * 1. FIRST close the relevant fd or whatever + * 2. call xentoolcore__deregister_active_handle + * + * IV. in the restrict_callback function + * * Arrange that the fd (or other handle) can no longer by used + * other than with respect to domain domid. 
+ * * Future attempts to manipulate other domains (or the whole + * host) via this handle must cause an error return (and + * perhaps a log message), not a crash + * * If selective restriction is not possible, the handle must + * be completely invalidated so that it is not useable; + * subsequent manipulations may not crash + * * The restrict_callback function should not normally fail + * if this can be easily avoided - it is better to make the + * handle nonfunction instead. + * * NB that restrict_callback might be called again. That must + * work properly: if the domid is the same, it is idempotent. + * If the domid is different. then either the handle must be + * completely invalidated, or restrict_callback must fail.) + * + * Thread safety: + * xentoolcore__[de]register_active_handle are threadsafe + * but MUST NOT be called within restrict_callback + * + * Fork safety: + * Libraries which use these functions do not on that account + * need to take any special care over forks occurring in + * other threads, provided that they obey the rules above. + */ + +typedef struct Xentoolcore__Active_Handle Xentoolcore__Active_Handle; + +typedef int Xentoolcore__Restrict_Callback(Xentoolcore__Active_Handle*, + uint32_t domid); + +struct Xentoolcore__Active_Handle { + Xentoolcore__Restrict_Callback *restrict_callback; + XENTOOLCORE_LIST_ENTRY(Xentoolcore__Active_Handle) entry; +}; + +void xentoolcore__register_active_handle(Xentoolcore__Active_Handle*); +void xentoolcore__deregister_active_handle(Xentoolcore__Active_Handle*); + +#endif /* XENTOOLCORE_INTERNAL_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/tools/libs/toolcore/libxentoolcore.map b/tools/libs/toolcore/libxentoolcore.map new file mode 100644 index 0000000..eb5d251 --- /dev/null +++ b/tools/libs/toolcore/libxentoolcore.map 
@@ -0,0 +1,7 @@ +VERS_1.0 { + global: + xentoolcore_restrict_all; + xentoolcore__register_active_handle; + xentoolcore__deregister_active_handle; + local: *; /* Do not expose anything by default */ +}; diff --git a/tools/libs/toolcore/xentoolcore.pc.in b/tools/libs/toolcore/xentoolcore.pc.in new file mode 100644 index 0000000..55ff4e2 --- /dev/null +++ b/tools/libs/toolcore/xentoolcore.pc.in @@ -0,0 +1,9 @@ +prefix=@@prefix@@ +includedir=@@incdir@@ +libdir=@@libdir@@ + +Name: Xentoolcore +Description: Central support for Xen Hypervisor userland libraries +Version: @@version@@ +Cflags: -I${includedir} +Libs: @@libsflag@@${libdir} -lxentoolcore -- 2.1.4
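Review bot: in the tools/libs/toolcore/Makefile hunk, `.PHONY: uinstall` is a typo for `uninstall`, so the uninstall target is not actually declared phony and a stray file named uninstall in the directory would silently satisfy it; change the line to `.PHONY: uninstall`.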
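Review bot: in the xentoolcore.h hunk, the fork-safety paragraph lists what callers must not do but not why, which makes the rule easy to dismiss as pedantry; one sentence would help: handlereg.c holds handles_lock across registration and across every restrict_callback, and a child forked while another thread holds that mutex inherits it locked, so an open/close or xentoolcore_restrict_all in the child before exec would deadlock rather than misbehave visibly.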
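Review bot: in the xentoolcore_internal.h hunk, the rule IV comment has several wording slips: "can no longer by used" should be "be used", "make the handle nonfunction" should be "nonfunctional", "If the domid is different. then" needs a comma, and the closing ")" after "restrict_callback must fail" has no matching "(". "Any libxl library that opens a Xen control handle" presumably means any Xen library, since libxenevtchn, libxencall and friends are the ones expected to register. Step II.3a ("if the open fails, call xentoolcore__deregister_active_handle") would read more clearly after step 4, because step 4 is the one that can fail.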
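The registration protocol this patch sets up (rules I-IV in xentoolcore_internal.h, driven by xentoolcore_restrict_all in handlereg.c), as an added example that is not Xen's code: a self-contained miniature of the registry with an intrusive list in place of the XENTOOLCORE_LIST macros, plus a hypothetical toy_* library whose restrict callback invalidates its fd by dup2'ing /dev/null over it. /dev/zero stands in for the privileged control device, so a read on the handle shows whether it has been neutered.

```c
/*
 * Added illustration, not Xen's code: a miniature of the handlereg.c
 * registry plus a hypothetical "toy" library obeying rules I-IV of
 * xentoolcore_internal.h.  toy_* names are invented; /dev/zero stands in
 * for the privileged control device, and restriction neuters the fd by
 * dup2'ing /dev/null over it (rule IV's "completely invalidated" option).
 */
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>
typedef struct Active_Handle Active_Handle;
typedef int Restrict_Callback(Active_Handle *, uint32_t domid);
struct Active_Handle {
    Restrict_Callback *restrict_callback;
    Active_Handle *next, **prevp;  /* intrusive list, like XENTOOLCORE_LIST_ENTRY */
};

static pthread_mutex_t handles_lock = PTHREAD_MUTEX_INITIALIZER;
static Active_Handle *handles;     /* list head, protected by handles_lock */
static void lock(void)   { int e = pthread_mutex_lock(&handles_lock);   assert(!e); }
static void unlock(void) { int e = pthread_mutex_unlock(&handles_lock); assert(!e); }

/* Stand-ins for xentoolcore__[de]register_active_handle */
void register_active_handle(Active_Handle *ah) {
    lock();
    ah->next = handles;
    ah->prevp = &handles;
    if (handles) handles->prevp = &ah->next;
    handles = ah;
    unlock();
}
void deregister_active_handle(Active_Handle *ah) {
    lock();
    if (ah->next) ah->next->prevp = ah->prevp;
    *ah->prevp = ah->next;
    unlock();
}

/* Stand-in for xentoolcore_restrict_all: callbacks run with the lock held,
 * which is why the rules forbid (de)registering from inside a callback. */
int restrict_all(uint32_t domid) {
    int r = 0;
    lock();
    for (Active_Handle *ah = handles; ah && !r; ah = ah->next)
        r = ah->restrict_callback(ah, domid);  /* first failure is reported */
    unlock();
    return r;
}

/* A hypothetical client library following rules I-IV */
typedef struct {
    Active_Handle tc_ah;  /* I: registration record embedded in our own struct */
    int fd;               /* the control fd being protected */
    int restricted_to;    /* domid after restriction, -1 before */
} toy_handle;

static int toy_restrict(Active_Handle *ah, uint32_t domid) {
    toy_handle *h = (toy_handle *)((char *)ah - offsetof(toy_handle, tc_ah));
    /* IV: /dev/zero cannot be restricted selectively, so invalidate the fd
     * outright; keeping the fd number makes later read()/write() harmless. */
    int nullfd = open("/dev/null", O_RDWR);
    if (nullfd < 0) return -1;
    int r = dup2(nullfd, h->fd) < 0 ? -1 : 0;
    int saved = errno;
    close(nullfd);
    errno = saved;
    if (!r) h->restricted_to = (int)domid;
    return r;  /* idempotent: calling again just repeats the dup2 */
}

toy_handle *toy_open(void) {
    toy_handle *h = calloc(1, sizeof *h);       /* II.1 allocate and initialise */
    if (!h) return NULL;
    h->restricted_to = -1;
    h->tc_ah.restrict_callback = toy_restrict;  /* II.2 */
    register_active_handle(&h->tc_ah);          /* II.3 register first, so a */
    h->fd = open("/dev/zero", O_RDONLY);        /* II.4 concurrent restrict_all */
    if (h->fd < 0) {                            /*      can never miss this fd */
        deregister_active_handle(&h->tc_ah);    /* II.3a undo on failure */
        free(h);
        return NULL;
    }
    return h;
}

void toy_close(toy_handle *h) {
    close(h->fd);                               /* III.1 close the fd FIRST */
    deregister_active_handle(&h->tc_ah);        /* III.2 then deregister */
    free(h);
}

/* Bytes a 16-byte read yields: 16 from /dev/zero, 0 once it is /dev/null. */
int toy_probe(toy_handle *h) {
    char buf[16];
    return (int)read(h->fd, buf, sizeof buf);
}
```

Register-before-open and close-before-deregister are the two orderings that let a restrict_all running on another thread never miss a live fd.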
* [PATCH 24/26] libxl: dm_restrict: Support uid range user 2017-10-10 17:41 [PATCH v5 00/26 (PARTIAL POSTING)] qemu restrict final fixes Ian Jackson 2017-10-10 17:41 ` [PATCH 04/26] xentoolcore, _restrict_all: Introduce new library and implementation Ian Jackson @ 2017-10-10 17:41 ` Ian Jackson 1 sibling, 0 replies; 6+ messages in thread From: Ian Jackson @ 2017-10-10 17:41 UTC (permalink / raw) To: xen-devel; +Cc: Ross Lagerwall, Stefano Stabellini, Wei Liu, Ian Jackson Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> Acked-by: Wei Liu <wei.liu2@citrix.com> --- v5: Use -runas <uid>:<gid>, as suggested on qemu-devel by Markus Armbruster v3: Use -runas <uid>.<gid>, as suggested on qemu-devel by Markus Armbruster squash! libxl: dm_restrict: Support uid range user --- docs/man/xl.cfg.pod.5.in | 11 ++++++++++- tools/libxl/libxl_dm.c | 32 ++++++++++++++++++++++++++++++++ tools/libxl/libxl_internal.h | 1 + 3 files changed, 43 insertions(+), 1 deletion(-) diff --git a/docs/man/xl.cfg.pod.5.in b/docs/man/xl.cfg.pod.5.in index ee84511..cb32d04 100644 --- a/docs/man/xl.cfg.pod.5.in +++ b/docs/man/xl.cfg.pod.5.in @@ -2243,7 +2243,16 @@ For example, cdrom insert will fail. =item You must create user(s) for qemu to run as. -Currently, you should either create + +Ideally, set aside a range of 32752 uids +(from N to N+32751) +and create a user +whose name is B<xen-qemuuser-range-base> +and whose uid is N +and whose gid is a plain unprivileged gid. +libxl will use one such user for each domid. + +Alternatively, either create B<xen-qemuuser-domid$domid> for every $domid from 1 to 32751 inclusive, or diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c index b1e6796..0a5b0f8 100644 --- a/tools/libxl/libxl_dm.c +++ b/tools/libxl/libxl_dm.c @@ -23,6 +23,7 @@ #include <xen/hvm/e820.h> #include <sys/types.h> #include <pwd.h> +#include <grp.h> static const char *libxl_tapif_script(libxl__gc *gc) { 
@@ -753,6 +754,9 @@ libxl__detect_gfx_passthru_kind(libxl__gc *gc, * userlookup_helper_getpwnam(libxl__gc*, const char *user, * struct passwd **pwd_r); * + * userlookup_helper_getpwuid(libxl__gc*, uid_t uid, + * struct passwd **pwd_r); + * * returns 1 if the user was found, 0 if it was not, -1 on error */ #define DEFINE_USERLOOKUP_HELPER(NAME,SPEC_TYPE,STRUCTNAME,SYSCONF) \ @@ -791,6 +795,7 @@ libxl__detect_gfx_passthru_kind(libxl__gc *gc, } DEFINE_USERLOOKUP_HELPER(getpwnam, const char*, passwd, _SC_GETPW_R_SIZE_MAX); +DEFINE_USERLOOKUP_HELPER(getpwuid, uid_t, passwd, _SC_GETPW_R_SIZE_MAX); /* colo mode */ enum { @@ -951,6 +956,7 @@ static int libxl__build_device_model_args_new(libxl__gc *gc, uint64_t ram_size; const char *path, *chardev; char *user = NULL; + struct passwd *user_base; dm_args = flexarray_make(gc, 16, 1); dm_envs = flexarray_make(gc, 16, 1); @@ -1660,6 +1666,32 @@ static int libxl__build_device_model_args_new(libxl__gc *gc, if (ret > 0) goto end_search; + ret = userlookup_helper_getpwnam(gc, LIBXL_QEMU_USER_RANGE_BASE, + &user_base); + if (ret < 0) + return ret; + if (ret > 0) { + struct passwd *user_clash; + uid_t intended_uid = user_base->pw_uid + guest_domid; + ret = userlookup_helper_getpwuid(gc, intended_uid, &user_clash); + if (ret < 0) + return ret; + if (ret > 0) { + LOGD(ERROR, guest_domid, + "wanted to use uid %ld (%s + %d) but that is user %s !", + (long)intended_uid, LIBXL_QEMU_USER_RANGE_BASE, + guest_domid, user_clash->pw_name); + return ERROR_FAIL; + } + LOGD(DEBUG, guest_domid, "using uid %ld", (long)intended_uid); + flexarray_append(dm_args, "-runas"); + flexarray_append(dm_args, + GCSPRINTF("%ld:%ld", (long)intended_uid, + (long)user_base->pw_gid)); + user = NULL; /* we have taken care of it */ + goto end_search; + } + user = LIBXL_QEMU_USER_SHARED; ret = userlookup_helper_getpwnam(gc, user, 0); if (ret < 0) diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h index 530183f..6d51d47 100644 
--- a/tools/libxl/libxl_internal.h +++ b/tools/libxl/libxl_internal.h @@ -4314,6 +4314,7 @@ _hidden int libxl__read_sysfs_file_contents(libxl__gc *gc, #define LIBXL_QEMU_USER_PREFIX "xen-qemuuser" #define LIBXL_QEMU_USER_BASE LIBXL_QEMU_USER_PREFIX"-domid" #define LIBXL_QEMU_USER_SHARED LIBXL_QEMU_USER_PREFIX"-shared" +#define LIBXL_QEMU_USER_RANGE_BASE LIBXL_QEMU_USER_PREFIX"-range-base" static inline bool libxl__acpi_defbool_val(const libxl_domain_build_info *b_info) { -- 2.1.4
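Review bot: the xl.cfg.pod.5 hunk presents the range-base user as the ideal and the per-domid users as an alternative, but never says what happens when both exist; in the libxl_dm.c hunk the per-domid lookup runs first (the `if (ret > 0) goto end_search;` that precedes the new block), then xen-qemuuser-range-base, then xen-qemuuser-shared, so the documentation should state that precedence. It should also say that the uids in the range must not be assigned to any other account, because the getpwuid clash check refuses to start qemu as an existing user.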
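Review bot: in the libxl_dm.c hunk, `uid_t intended_uid = user_base->pw_uid + guest_domid;` is never checked against the 32752-uid range the documentation asks the administrator to set aside, nor against uid_t wrap-around; today the domid limit bounds it, but an explicit check against a named constant shared with the docs (the 32751 upper bound appears only in prose) would keep the invariant local to this code. The getpwuid clash check and the numeric `-runas uid:gid` are the right defence against silently running qemu as an unrelated existing account, and the v5 switch from `uid.gid` to `uid:gid` is worth calling out in the commit message itself since it is what lets users without passwd entries work.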
* [PATCH v2 00/24] Provide some actual restriction of qemu
@ 2017-10-09 15:57 Ian Jackson
2017-10-09 15:57 ` [PATCH 04/26] xentoolcore, _restrict_all: Introduce new library and implementation Ian Jackson
0 siblings, 1 reply; 6+ messages in thread
From: Ian Jackson @ 2017-10-09 15:57 UTC
To: xen-devel; +Cc: Ross Lagerwall, Stefano Stabellini, Wei Liu

With this series, it is possible to run qemu in a way that I think really does not have global privilege any more. I have verified that it runs as a non-root user. I have checked all of its fds and they are either privcmd (which I have arranged to neuter), or /dev/null, or harmless sockets and pipes, or evtchn.

Unfortunately this needs a new "xentoolcore" library, which all the existing libraries register with so that the restrict call is effective.

Also there are a number of lacunae. See the documentation patches.

The series depends for its functionality on the corresponding qemu series.

a  01/26] xen: Provide XEN_DMOP_remote_shutdown
a  02/26] xen: x86 dm_op: add missing newline before
a  03/26] tools: libxendevicemodel: Provide
a* 04/26] xentoolcore, _restrict_all: Introduce new library and
a  05/26] xentoolcore: Link into stubdoms
+  06/26] xentoolcore: Link into minios (update
a  07/26] tools: qemu-xen build: prepare to link against
a  08/26] libxl: #include "xentoolcore_internal.h"
a  09/26] tools: move CONTAINER_OF to xentoolcore_internal.h
a  10/26] xentoolcore_restrict_all: Implement for
a  11/26] xentoolcore_restrict_all: "Implement" for libxencall
a  12/26] xentoolcore_restrict: Break out
a  13/26] xentoolcore_restrict_all: Implement for
a  14/26] xentoolcore_restrict_all: Declare problems due to no
a  15/26] xentoolcore_restrict_all: "Implement" for xengnttab
a  16/26] tools/xenstore: get_handle: use "goto err" error
a  17/26] tools/xenstore: get_handle: Allocate struct before
a  18/26] xentoolcore_restrict_all: "Implement" for xenstore
a  19/26] xentoolcore, _restrict_all: Document implementation
a  20/26] xl, libxl: Provide dm_restrict
a  21/26] libxl: Rationalise calculation of user to run qemu as
a  22/26] libxl: libxl__dm_runas_helper: return pwd
a  23/26] libxl: userlookup_helper_getpwnam rename and turn into
a* 24/26] libxl: dm_restrict: Support uid range user
a  25/26] tools: xentoolcore_restrict_all: use domid_t
+  26/26] xl: Document VGA problems arising from lack of physmap

a = acked (or, reviewed, for hypervisor patches)
* = modified (acks retained since minor changes only)
+ = new in v4 of the series (since the original v3 post)

Thanks,
Ian.
* [PATCH 04/26] xentoolcore, _restrict_all: Introduce new library and implementation
2017-10-09 15:57 [PATCH v2 00/24] Provide some actual restriction of qemu Ian Jackson
@ 2017-10-09 15:57 ` Ian Jackson
2017-10-10 11:45 ` Anthony PERARD
0 siblings, 1 reply; 6+ messages in thread
From: Ian Jackson @ 2017-10-09 15:57 UTC
To: xen-devel; +Cc: Ross Lagerwall, Stefano Stabellini, Wei Liu, Ian Jackson

In practice, qemu opens a great many fds. Tracking them all down and playing whack-a-mole is unattractive. It is also potentially fragile in that future changes might accidentally undo our efforts.

Instead, we are going to teach all the Xen libraries how to register their fds so that they can be neutered with one qemu call.

Right now, nothing will go wrong if someone tries to link without -ltoolcore, but that will stop working as soon as the first other Xen library starts to register. So this patch will be followed by the stubdom build update, and should be followed by a MINIOS_UPSTREAM_REVISION update.

Sadly qemu upstream's configuration arrangements are too crude, being keyed solely off the Xen version number. So they cannot provide forward/backward build compatibility across changes in xen-unstable, like this one. qemu patches to link against xentoolcore should be applied in qemu upstream to avoid the qemu build breaking against the released version of Xen 4.10.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
---
v3: Change %.o %.opic rules for extra dependency to $(LIB_OBJS) and $(PIC_OBJS) instead. (Report from Ross Lagerwall.)
v2: Remove obsolete "xxx" comment. No longer claim to provide idempotency. Add paragraphs to commit message about compatibility.
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> --- .gitignore | 4 + tools/Rules.mk | 6 ++ tools/libs/Makefile | 1 + tools/libs/toolcore/Makefile | 101 ++++++++++++++++++++ tools/libs/toolcore/handlereg.c | 77 ++++++++++++++++ tools/libs/toolcore/include/xentoolcore.h | 73 +++++++++++++++ tools/libs/toolcore/include/xentoolcore_internal.h | 102 +++++++++++++++++++++ tools/libs/toolcore/libxentoolcore.map | 7 ++ tools/libs/toolcore/xentoolcore.pc.in | 9 ++ 9 files changed, 380 insertions(+) create mode 100644 tools/libs/toolcore/Makefile create mode 100644 tools/libs/toolcore/handlereg.c create mode 100644 tools/libs/toolcore/include/xentoolcore.h create mode 100644 tools/libs/toolcore/include/xentoolcore_internal.h create mode 100644 tools/libs/toolcore/libxentoolcore.map create mode 100644 tools/libs/toolcore/xentoolcore.pc.in diff --git a/.gitignore b/.gitignore index f36ddd2..95f40f1 100644 --- a/.gitignore +++ b/.gitignore @@ -73,6 +73,7 @@ stubdom/libxencall-* stubdom/libxenevtchn-* stubdom/libxenforeignmemory-* stubdom/libxengnttab-* +stubdom/libxentoolcore-* stubdom/libxentoollog-* stubdom/lwip-* stubdom/lwip/ @@ -98,6 +99,8 @@ tools/config.cache config/Tools.mk config/Stubdom.mk config/Docs.mk +tools/libs/toolcore/headers.chk +tools/libs/toolcore/xentoolcore.pc tools/libs/toollog/headers.chk tools/libs/toollog/xentoollog.pc tools/libs/evtchn/headers.chk @@ -352,6 +355,7 @@ tools/include/xen-foreign/arm64.h .git tools/misc/xen-hptool tools/misc/xen-mfndump +tools/libs/toolcore/include/_*.h tools/libxc/_*.[ch] tools/libxl/_*.[ch] tools/libxl/testidl diff --git a/tools/Rules.mk b/tools/Rules.mk index dbc7635..5e1c7cb 100644 --- a/tools/Rules.mk +++ b/tools/Rules.mk 
@@ -10,6 +10,7 @@ export _INSTALL := $(INSTALL) INSTALL = $(XEN_ROOT)/tools/cross-install XEN_INCLUDE = $(XEN_ROOT)/tools/include +XEN_LIBXENTOOLCORE = $(XEN_ROOT)/tools/libs/toolcore XEN_LIBXENTOOLLOG = $(XEN_ROOT)/tools/libs/toollog XEN_LIBXENEVTCHN = $(XEN_ROOT)/tools/libs/evtchn XEN_LIBXENGNTTAB = $(XEN_ROOT)/tools/libs/gnttab @@ -102,6 +103,11 @@ SHDEPS_libxentoollog = LDLIBS_libxentoollog = $(SHDEPS_libxentoollog) $(XEN_LIBXENTOOLLOG)/libxentoollog$(libextension) SHLIB_libxentoollog = $(SHDEPS_libxentoollog) -Wl,-rpath-link=$(XEN_LIBXENTOOLLOG) +CFLAGS_libxentoolcore = -I$(XEN_LIBXENTOOLCORE)/include $(CFLAGS_xeninclude) +SHDEPS_libxentoolcore = +LDLIBS_libxentoolcore = $(SHDEPS_libxentoolcore) $(XEN_LIBXENTOOLCORE)/libxentoolcore$(libextension) +SHLIB_libxentoolcore = $(SHDEPS_libxentoolcore) -Wl,-rpath-link=$(XEN_LIBXENTOOLCORE) + CFLAGS_libxenevtchn = -I$(XEN_LIBXENEVTCHN)/include $(CFLAGS_xeninclude) SHDEPS_libxenevtchn = LDLIBS_libxenevtchn = $(SHDEPS_libxenevtchn) $(XEN_LIBXENEVTCHN)/libxenevtchn$(libextension) diff --git a/tools/libs/Makefile b/tools/libs/Makefile index 2035873..ea9a64d 100644 --- a/tools/libs/Makefile +++ b/tools/libs/Makefile @@ -2,6 +2,7 @@ XEN_ROOT = $(CURDIR)/../.. include $(XEN_ROOT)/tools/Rules.mk SUBDIRS-y := +SUBDIRS-y += toolcore SUBDIRS-y += toollog SUBDIRS-y += evtchn SUBDIRS-y += gnttab diff --git a/tools/libs/toolcore/Makefile b/tools/libs/toolcore/Makefile new file mode 100644 index 0000000..73db0bd --- /dev/null +++ b/tools/libs/toolcore/Makefile 
@@ -0,0 +1,101 @@ +XEN_ROOT = $(CURDIR)/../../.. +include $(XEN_ROOT)/tools/Rules.mk + +MAJOR = 1 +MINOR = 0 +SHLIB_LDFLAGS += -Wl,--version-script=libxentoolcore.map + +CFLAGS += -Werror -Wmissing-prototypes +CFLAGS += -I./include + +SRCS-y += handlereg.c + +LIB_OBJS := $(patsubst %.c,%.o,$(SRCS-y)) +PIC_OBJS := $(patsubst %.c,%.opic,$(SRCS-y)) + +LIB := libxentoolcore.a +ifneq ($(nosharedlibs),y) +LIB += libxentoolcore.so +endif + +PKG_CONFIG := xentoolcore.pc +PKG_CONFIG_VERSION := $(MAJOR).$(MINOR) + +ifneq ($(CONFIG_LIBXC_MINIOS),y) +PKG_CONFIG_INST := $(PKG_CONFIG) +$(PKG_CONFIG_INST): PKG_CONFIG_PREFIX = $(prefix) +$(PKG_CONFIG_INST): PKG_CONFIG_INCDIR = $(includedir) +$(PKG_CONFIG_INST): PKG_CONFIG_LIBDIR = $(libdir) +endif + +PKG_CONFIG_LOCAL := $(foreach pc,$(PKG_CONFIG),$(PKG_CONFIG_DIR)/$(pc)) + +$(PKG_CONFIG_LOCAL): PKG_CONFIG_PREFIX = $(XEN_ROOT) +$(PKG_CONFIG_LOCAL): PKG_CONFIG_INCDIR = $(XEN_LIBXENTOOLCORE)/include +$(PKG_CONFIG_LOCAL): PKG_CONFIG_LIBDIR = $(CURDIR) + +AUTOINCS=include/_xentoolcore_list.h + +.PHONY: all +all: build + +.PHONY: build +build: + $(MAKE) libs + +.PHONY: libs +libs: headers.chk $(LIB) $(PKG_CONFIG_INST) $(PKG_CONFIG_LOCAL) + +$(LIB_OBJS): $(AUTOINCS) +$(PIC_OBJS): $(AUTOINCS) + +headers.chk: $(wildcard include/*.h) $(AUTOINCS) + +include/_xentoolcore_list.h: $(XEN_INCLUDE)/xen-external/bsd-sys-queue-h-seddery $(XEN_INCLUDE)/xen-external/bsd-sys-queue.h + $(PERL) $^ --prefix=xentoolcore >$@.new + $(call move-if-changed,$@.new,$@) + +libxentoolcore.a: $(LIB_OBJS) + $(AR) rc $@ $^ + +libxentoolcore.so: libxentoolcore.so.$(MAJOR) + $(SYMLINK_SHLIB) $< $@ +libxentoolcore.so.$(MAJOR): libxentoolcore.so.$(MAJOR).$(MINOR) + $(SYMLINK_SHLIB) $< $@ + +libxentoolcore.so.$(MAJOR).$(MINOR): $(PIC_OBJS) libxentoolcore.map + $(CC) $(LDFLAGS) -Wl,$(SONAME_LDFLAG) -Wl,libxentoolcore.so.$(MAJOR) $(SHLIB_LDFLAGS) -o $@ $(PIC_OBJS) $(APPEND_LDFLAGS) + +.PHONY: install +install: build + $(INSTALL_DIR) $(DESTDIR)$(libdir) + $(INSTALL_DIR) 
$(DESTDIR)$(includedir) + $(INSTALL_SHLIB) libxentoolcore.so.$(MAJOR).$(MINOR) $(DESTDIR)$(libdir) + $(INSTALL_DATA) libxentoolcore.a $(DESTDIR)$(libdir) + $(SYMLINK_SHLIB) libxentoolcore.so.$(MAJOR).$(MINOR) $(DESTDIR)$(libdir)/libxentoolcore.so.$(MAJOR) + $(SYMLINK_SHLIB) libxentoolcore.so.$(MAJOR) $(DESTDIR)$(libdir)/libxentoolcore.so + $(INSTALL_DATA) include/xentoolcore.h $(DESTDIR)$(includedir) + $(INSTALL_DATA) xentoolcore.pc $(DESTDIR)$(PKG_INSTALLDIR) + +.PHONY: uinstall +uninstall: + rm -f $(DESTDIR)$(PKG_INSTALLDIR)/xentoolcore.pc + rm -f $(DESTDIR)$(includedir)/xentoolcore.h + rm -f $(DESTDIR)$(libdir)/libxentoolcore.so + rm -f $(DESTDIR)$(libdir)/libxentoolcore.so.$(MAJOR) + rm -f $(DESTDIR)$(libdir)/libxentoolcore.so.$(MAJOR).$(MINOR) + rm -f $(DESTDIR)$(libdir)/libxentoolcore.a + +.PHONY: TAGS +TAGS: + etags -t *.c *.h + +.PHONY: clean +clean: + rm -rf *.rpm $(LIB) *~ $(DEPS_RM) $(LIB_OBJS) $(PIC_OBJS) + rm -f libxentoolcore.so.$(MAJOR).$(MINOR) libxentoolcore.so.$(MAJOR) + rm -f headers.chk + rm -f xentoolcore.pc + +.PHONY: distclean +distclean: clean diff --git a/tools/libs/toolcore/handlereg.c b/tools/libs/toolcore/handlereg.c new file mode 100644 index 0000000..efeffb1 --- /dev/null +++ b/tools/libs/toolcore/handlereg.c 
@@ -0,0 +1,77 @@ +/* + * handlreg.c + * + * implementation of xentoolcore_restrict_all + * + * Copyright (c) 2017 Citrix + * Part of a generic logging interface used by various dom0 userland libraries. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; If not, see <http://www.gnu.org/licenses/>. + */ + +#include "xentoolcore_internal.h" + +#include <pthread.h> +#include <assert.h> + +static pthread_mutex_t handles_lock = PTHREAD_MUTEX_INITIALIZER; +static XENTOOLCORE_LIST_HEAD(, Xentoolcore__Active_Handle) handles; + +static void lock(void) { + int e = pthread_mutex_unlock(&handles_lock); + assert(!e); +} + +static void unlock(void) { + int e = pthread_mutex_unlock(&handles_lock); + assert(!e); +} + +void xentoolcore__register_active_handle(Xentoolcore__Active_Handle *ah) { + lock(); + XENTOOLCORE_LIST_INSERT_HEAD(&handles, ah, entry); + unlock(); +} + +void xentoolcore__deregister_active_handle(Xentoolcore__Active_Handle *ah) { + lock(); + XENTOOLCORE_LIST_REMOVE(ah, entry); + unlock(); +} + +int xentoolcore_restrict_all(uint32_t domid) { + int r; + Xentoolcore__Active_Handle *ah; + + lock(); + XENTOOLCORE_LIST_FOREACH(ah, &handles, entry) { + r = ah->restrict_callback(ah, domid); + if (r) goto out; + } + + r = 0; + out: + unlock(); + return r; +} + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ 
diff --git a/tools/libs/toolcore/include/xentoolcore.h b/tools/libs/toolcore/include/xentoolcore.h new file mode 100644 index 0000000..32e2af1 --- /dev/null +++ b/tools/libs/toolcore/include/xentoolcore.h 
@@ -0,0 +1,73 @@ +/* + * xentoolcore.h + * + * Copyright (c) 2017 Citrix + * + * Common features used/provided by all Xen tools libraries + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; If not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef XENTOOLCORE_H +#define XENTOOLCORE_H + +#include <stdint.h> + +/* + * int xentoolcore_restrict_all(uint32_t domid); + * + * Arranges that Xen library handles (fds etc.) which are currently held + * by Xen libraries, can no longer be used other than to affect domid. + * + * If this cannot be achieved, returns -1 and sets errno. + * If called again with the same domid, it may succeed, or it may + * fail (even though such a call is potentially meaningful). + * (If called again with a different domid, it will necessarily fail.) + * + * ==================================================================== + * IMPORTANT - IMPLEMENTATION STATUS + * + * This function will be implemented insofar as it appears necessary + * for the purposes of running a deprivileged qemu. + * + * However, this function is NOT implemented for all Xen libraries. + * For each use case of this function, the designer must evaluate and + * audit whether the implementation is sufficient in their specific + * context. + * + * Of course, patches to extend the implementation are very welcome. + * ==================================================================== + * + * Thread safe. 
+ * + * We expect that no callers do the following: + * - in one thread call xen_somelibrary_open|close + * - in another thread call fork + * - in the child of the fork, before exec, call + * xen_some[other]library_open|close or xentoolcore_restrict_all + * + */ +int xentoolcore_restrict_all(uint32_t domid); + +#endif /* XENTOOLCORE_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/tools/libs/toolcore/include/xentoolcore_internal.h b/tools/libs/toolcore/include/xentoolcore_internal.h new file mode 100644 index 0000000..670e29d --- /dev/null +++ b/tools/libs/toolcore/include/xentoolcore_internal.h 
@@ -0,0 +1,102 @@ +/* + * xentoolcore_internal.h + * + * Interfaces of xentoolcore directed internally at other Xen libraries + * + * Copyright (c) 2017 Citrix + * + * Common code used by all Xen tools libraries + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; If not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef XENTOOLCORE_INTERNAL_H +#define XENTOOLCORE_INTERNAL_H + +#include "xentoolcore.h" +#include "_xentoolcore_list.h" + +/*---------- active handle registration ----------*/ + +/* + * This is all to support xentoolcore_restrict_all + * + * Any libxl library that opens a Xen control handle of any kind which + * might allow manipulation of dom0, of other domains, or of the whole + * machine, must: + * I. arrange that their own datastructure contains a + * Xentoolcore__Active_Handle + * + * II. during the "open handle" function + * 1. allocate the memory for the own datastructure and initialise it + * 2. set Xentoolcore__Active_Handle.restrict_callback + * 3. call xentoolcore__register_active_handle + * 3a. if the open fails, call xentoolcore__deregister_active_handle + * 4. ONLY THEN actually open the relevant fd or whatever + * + * III. during the "close handle" function + * 1. FIRST close the relevant fd or whatever + * 2. call xentoolcore__deregister_active_handle + * + * IV. in the restrict_callback function + * * Arrange that the fd (or other handle) can no longer by used + * other than with respect to domain domid. 
+ * * Future attempts to manipulate other domains (or the whole + * host) via this handle must cause an error return (and + * perhaps a log message), not a crash + * * If selective restriction is not possible, the handle must + * be completely invalidated so that it is not useable; + * subsequent manipulations may not crash + * * The restrict_callback function should not normally fail + * if this can be easily avoided - it is better to make the + * handle nonfunction instead. + * * NB that restrict_callback might be called again. That must + * work properly: if the domid is the same, it is idempotent. + * If the domid is different. then either the handle must be + * completely invalidated, or restrict_callback must fail.) + * + * Thread safety: + * xentoolcore__[de]register_active_handle are threadsafe + * but MUST NOT be called within restrict_callback + * + * Fork safety: + * Libraries which use these functions do not on that account + * need to take any special care over forks occurring in + * other threads, provided that they obey the rules above. + */ + +typedef struct Xentoolcore__Active_Handle Xentoolcore__Active_Handle; + +typedef int Xentoolcore__Restrict_Callback(Xentoolcore__Active_Handle*, + uint32_t domid); + +struct Xentoolcore__Active_Handle { + Xentoolcore__Restrict_Callback *restrict_callback; + XENTOOLCORE_LIST_ENTRY(Xentoolcore__Active_Handle) entry; +}; + +void xentoolcore__register_active_handle(Xentoolcore__Active_Handle*); +void xentoolcore__deregister_active_handle(Xentoolcore__Active_Handle*); + +#endif /* XENTOOLCORE_INTERNAL_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * tab-width: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/tools/libs/toolcore/libxentoolcore.map b/tools/libs/toolcore/libxentoolcore.map new file mode 100644 index 0000000..eb5d251 --- /dev/null +++ b/tools/libs/toolcore/libxentoolcore.map 
@@ -0,0 +1,7 @@ +VERS_1.0 { + global: + xentoolcore_restrict_all; + xentoolcore__register_active_handle; + xentoolcore__deregister_active_handle; + local: *; /* Do not expose anything by default */ +}; diff --git a/tools/libs/toolcore/xentoolcore.pc.in b/tools/libs/toolcore/xentoolcore.pc.in new file mode 100644 index 0000000..55ff4e2 --- /dev/null +++ b/tools/libs/toolcore/xentoolcore.pc.in @@ -0,0 +1,9 @@ +prefix=@@prefix@@ +includedir=@@incdir@@ +libdir=@@libdir@@ + +Name: Xentoolcore +Description: Central support for Xen Hypervisor userland libraries +Version: @@version@@ +Cflags: -I${includedir} +Libs: @@libsflag@@${libdir} -lxentoolcore -- 2.1.4 _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org https://lists.xen.org/xen-devel ^ permalink raw reply related [flat|nested] 6+ messages in thread
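Review bot: in tools/libs/toolcore/Makefile the `.PHONY: uinstall` line is misspelled, so the `uninstall` target that follows it is not actually declared phony and would be masked by a file of that name; change it to `.PHONY: uninstall`.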
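Review bot: `lock()` in tools/libs/toolcore/handlereg.c calls `pthread_mutex_unlock(&handles_lock)`, so `lock()` and `unlock()` are identical and the `handles` list is never actually serialised; it should read `int e = pthread_mutex_lock(&handles_lock);`. In the same hunk, the file header names the file `handlreg.c` (missing an `e`) and describes it as "Part of a generic logging interface used by various dom0 userland libraries", which reads as copied from libxentoollog and does not describe this file.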
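Review bot: the rules comment in tools/libs/toolcore/include/xentoolcore_internal.h never says what `restrict_callback` must return on failure, yet xentoolcore.h promises callers "-1 and sets errno" and `xentoolcore_restrict_all` in handlereg.c returns the callback's value unchanged; add a bullet under IV along the lines of `* On failure, return -1 with errno set.` so every library's callback honours the public contract. Wording fixes in the same comment: "Any libxl library" (presumably "Any Xen library"), "can no longer by used" -> "be used", "make the handle nonfunction" -> "nonfunctional", "If the domid is different. then" -> "different, then", and the stray closing ")" after "must fail".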
* Re: [PATCH 04/26] xentoolcore, _restrict_all: Introduce new library and implementation 2017-10-09 15:57 ` [PATCH 04/26] xentoolcore, _restrict_all: Introduce new library and implementation Ian Jackson @ 2017-10-10 11:45 ` Anthony PERARD 2017-10-10 17:18 ` Ian Jackson 0 siblings, 1 reply; 6+ messages in thread From: Anthony PERARD @ 2017-10-10 11:45 UTC (permalink / raw) To: Ian Jackson; +Cc: Ross Lagerwall, xen-devel, Wei Liu, Stefano Stabellini On Mon, Oct 09, 2017 at 04:57:06PM +0100, Ian Jackson wrote: > In practice, qemu opens a great many fds. Tracking them all down and > playing whack-a-mole is unattractive. It is also potentially fragile > in that future changes might accidentally undo our efforts. > > Instead, we are going to teach all the Xen libraries how to register > their fds so that they can be neutered with one qemu call. > > Right now, nothing will go wrong if some tries to link without > -ltoolcore, but that will stop working as soon as the first other Xen > library starts to register. So this patch will be followed by the > stubdom build update, and should be followed by a > MINIOS_UPSTREAM_REVISION updated. > > Sadly qemu upstream's configuration arrangements are too crude, being > keyed solely off the Xen version number. So they cannot provide > forward/backward build compatibility across changes in xen-unstable, > like this one. qemu patches to link against xentoolcore should be > applied in qemu upstream so avoid the qemu build breaking against the > released version of Xen 4.10. > > Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com> > Acked-by: Wei Liu <wei.liu2@citrix.com> > --- > diff --git a/tools/libs/toolcore/handlereg.c b/tools/libs/toolcore/handlereg.c > new file mode 100644 > index 0000000..efeffb1 > --- /dev/null 
> +++ b/tools/libs/toolcore/handlereg.c > +static pthread_mutex_t handles_lock = PTHREAD_MUTEX_INITIALIZER; > +static XENTOOLCORE_LIST_HEAD(, Xentoolcore__Active_Handle) handles; > + > +static void lock(void) { > + int e = pthread_mutex_unlock(&handles_lock); Shouldn't this call pthread_mutex_lock? Right now lock and unlock do the same thing. > + assert(!e); > +} > + > +static void unlock(void) { > + int e = pthread_mutex_unlock(&handles_lock); > + assert(!e); > +} > + -- Anthony PERARD
* Re: [PATCH 04/26] xentoolcore, _restrict_all: Introduce new library and implementation 2017-10-10 11:45 ` Anthony PERARD @ 2017-10-10 17:18 ` Ian Jackson 0 siblings, 0 replies; 6+ messages in thread From: Ian Jackson @ 2017-10-10 17:18 UTC (permalink / raw) To: Anthony PERARD; +Cc: Ross Lagerwall, xen-devel, Wei Liu, Stefano Stabellini Anthony PERARD writes ("Re: [Xen-devel] [PATCH 04/26] xentoolcore, _restrict_all: Introduce new library and implementation"): > On Mon, Oct 09, 2017 at 04:57:06PM +0100, Ian Jackson wrote: > > +static pthread_mutex_t handles_lock = PTHREAD_MUTEX_INITIALIZER; > > +static XENTOOLCORE_LIST_HEAD(, Xentoolcore__Active_Handle) handles; > > + > > +static void lock(void) { > > + int e = pthread_mutex_unlock(&handles_lock); > > Shouldn't this call pthread_mutex_lock? Right now lock and unlock do > the same thing. Wow. Sorry about that. We should definitely fix that. It's committed already but I will send a followup patch. Ian.