
Re: [Xen-devel] [PATCH 3 of 7] xen: allows more hypercalls from stubdoms

To: Keir Fraser <Keir.Fraser@xxxxxxxxxxxxx>
Subject: Re: [Xen-devel] [PATCH 3 of 7] xen: allows more hypercalls from stubdoms
From: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
Date: Tue, 13 Oct 2009 15:24:31 +0100
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>, Stefano Stabellini <Stefano.Stabellini@xxxxxxxxxxxxx>
Delivery-date: Tue, 13 Oct 2009 07:24:37 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <C6FA31F0.1749D%keir.fraser@xxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <C6FA31F0.1749D%keir.fraser@xxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Alpine 2.00 (DEB 1167 2008-08-23)
On Tue, 13 Oct 2009, Keir Fraser wrote:
> On 13/10/2009 13:00, "Stefano Stabellini" <Stefano.Stabellini@xxxxxxxxxxxxx>
> wrote:
> 
> >> This kind of thing, for example, while we're talking about least
> >> privilege... I think it's wrong-headed in the first place for this kind of
> >> control-plane activity to be going on in qemu. Surely it belongs in the
> >> toolstack? Yes, I know it's a pain in the bum that this means modifying
> >> multiple toolstacks! :-)
> >> 
> > 
> > I agree with you that we need to redesign these hypercalls, but I am a
> > fan of "doing one thing at a time" so I think we should decouple this
> > goal from the other one of making passthrough work with stubdom for the
> > moment.
> > This way we could first let people test it as it is, fix some bugs that
> > probably still affect the code, fix pci coldplug and add MSI-X support,
> > then redesign the hypercalls.
> 
> Perhaps acceptable then if the changes are placed in clear ifdef'ed regions.
> This ifdef would be default-disabled for a stable release, if the hypercalls
> are not redone by then.
> 


This is the updated version of the patch, with all the controversial
changes ifdef'ed.


Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

---

diff -r 0035117b3a88 Config.mk
--- a/Config.mk Tue Oct 13 14:38:45 2009 +0100
+++ b/Config.mk Tue Oct 13 15:23:05 2009 +0100
@@ -2,6 +2,10 @@
 
 # A debug build of Xen and tools?
 debug ?= y
+
+# Allow some delicate passthrough related hypercalls to be made from a
+# stubdom
+privileged_stubdoms ?= y
 
 XEN_COMPILE_ARCH    ?= $(shell uname -m | sed -e s/i.86/x86_32/ \
                          -e s/i86pc/x86_32/ -e s/amd64/x86_64/)
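Review bot: `privileged_stubdoms ?= y` compiles the relaxed checks into every build that does not override it, while the thread above asks for the ifdef to be default-disabled in a stable release. Because the flag widens the set of domains allowed to issue the passthrough hypercalls, opt-in is the safer default: `privileged_stubdoms ?= n`. The comment should also say what `y` permits, e.g. `# y: a stubdom may issue pirq map/unmap and the passthrough domctls for the domain it is privileged for`. The second Config.mk hunk adds `-DPRIVILEGED_STUBDOMS` to the shared CFLAGS, so the define appears to reach the tools build as well, where nothing visible here uses it.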
@@ -114,6 +118,10 @@
 CFLAGS += -g
 endif
 
+ifeq ($(privileged_stubdoms),y)
+CFLAGS += -DPRIVILEGED_STUBDOMS
+endif
+
 CFLAGS += -fno-strict-aliasing
 
 CFLAGS += -std=gnu99
diff -r 0035117b3a88 xen/arch/x86/irq.c
--- a/xen/arch/x86/irq.c        Tue Oct 13 14:38:45 2009 +0100
+++ b/xen/arch/x86/irq.c        Tue Oct 13 15:23:05 2009 +0100
@@ -1340,7 +1340,11 @@
     ASSERT(spin_is_locked(&pcidevs_lock));
     ASSERT(spin_is_locked(&d->event_lock));
 
+#ifdef PRIVILEGED_STUBDOMS
+    if ( !IS_PRIV_FOR(current->domain, d) )
+#else
     if ( !IS_PRIV(current->domain) )
+#endif
         return -EPERM;
 
     if ( pirq < 0 || pirq >= d->nr_pirqs || irq < 0 || irq >= nr_irqs )
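Review bot: The `#ifdef` here swaps only the `if (` line and shares the `return -EPERM;` body, and the same construct is repeated in both physdev.c hunks and, in a different shape, in domctl.c. One helper defined once would keep the policy in a single place and stop call sites drifting apart. For example (the name is only a suggestion), `#define IS_PRIV_PT(cur, d) IS_PRIV_FOR(cur, d)` under `PRIVILEGED_STUBDOMS` and `#define IS_PRIV_PT(cur, d) IS_PRIV(cur)` otherwise. A short comment at that definition should state which callers the relaxed form is meant to admit. The enclosing function starts and ends outside this hunk.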
diff -r 0035117b3a88 xen/arch/x86/physdev.c
--- a/xen/arch/x86/physdev.c    Tue Oct 13 14:38:45 2009 +0100
+++ b/xen/arch/x86/physdev.c    Tue Oct 13 15:23:05 2009 +0100
@@ -34,9 +34,6 @@
     struct msi_info _msi;
     void *map_data = NULL;
 
-    if ( !IS_PRIV(current->domain) )
-        return -EPERM;
-
     if ( !map )
         return -EINVAL;
 
@@ -48,6 +45,16 @@
     if ( d == NULL )
     {
         ret = -ESRCH;
+        goto free_domain;
+    }
+
+#ifdef PRIVILEGED_STUBDOMS
+    if ( !IS_PRIV_FOR(current->domain, d) )
+#else
+    if ( !IS_PRIV(current->domain) )
+#endif
+    {
+        ret = -EPERM;
         goto free_domain;
     }
 
@@ -158,10 +165,7 @@
 static int physdev_unmap_pirq(struct physdev_unmap_pirq *unmap)
 {
     struct domain *d;
-    int ret;
-
-    if ( !IS_PRIV(current->domain) )
-        return -EPERM;
+    int ret = -ESRCH;
 
     if ( unmap->domid == DOMID_SELF )
         d = rcu_lock_domain(current->domain);
@@ -169,7 +173,17 @@
         d = rcu_lock_domain_by_id(unmap->domid);
 
     if ( d == NULL )
-        return -ESRCH;
+        goto free_domain;
+
+#ifdef PRIVILEGED_STUBDOMS
+    if ( !IS_PRIV_FOR(current->domain, d) )
+#else
+    if ( !IS_PRIV(current->domain) )
+#endif
+    {
+        ret = -EPERM;
+        goto free_domain;
+    }
 
     spin_lock(&pcidevs_lock);
     spin_lock(&d->event_lock);
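Review bot: The failed-lookup path now jumps to `free_domain` and so calls `rcu_unlock_domain(d)` with `d == NULL`, where the old code returned directly. That mirrors the existing pattern in physdev_map_pirq, but it relies on `rcu_unlock_domain` tolerating NULL and on the failed lookup not having already released the read side, neither of which is visible here. Keeping `return -ESRCH;` for the NULL case avoids both assumptions, so only the new `-EPERM` branch needs the label. The function continues outside this hunk.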
@@ -177,6 +191,7 @@
     spin_unlock(&d->event_lock);
     spin_unlock(&pcidevs_lock);
 
+free_domain:
     rcu_unlock_domain(d);
 
     return ret;
diff -r 0035117b3a88 xen/common/domctl.c
--- a/xen/common/domctl.c       Tue Oct 13 14:38:45 2009 +0100
+++ b/xen/common/domctl.c       Tue Oct 13 15:23:05 2009 +0100
@@ -220,14 +220,38 @@
     long ret = 0;
     struct xen_domctl curop, *op = &curop;
 
-    if ( !IS_PRIV(current->domain) )
-        return -EPERM;
-
     if ( copy_from_guest(op, u_domctl, 1) )
         return -EFAULT;
 
     if ( op->interface_version != XEN_DOMCTL_INTERFACE_VERSION )
         return -EACCES;
+
+    switch ( op->cmd )
+    {
+        case XEN_DOMCTL_ioport_mapping:
+        case XEN_DOMCTL_memory_mapping:
+        case XEN_DOMCTL_bind_pt_irq:
+        case XEN_DOMCTL_unbind_pt_irq:
+        case XEN_DOMCTL_assign_device:
+        case XEN_DOMCTL_deassign_device:
+#ifdef PRIVILEGED_STUBDOMS
+            {
+                struct domain *d = get_domain_by_id(op->domain);
+                if ( !IS_PRIV_FOR(current->domain, d) )
+                {
+                    put_domain(d);
+                    return -EPERM;
+                }
+                put_domain(d);
+            }
+            break;
+#endif
+        default:
+            if ( !IS_PRIV(current->domain) )
+                return -EPERM;
+            break;
+    }
+
 
     if ( !domctl_lock_acquire() )
         return hypercall_create_continuation(
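Review bot: `get_domain_by_id(op->domain)` can fail, and its result is used without a NULL test: `d` is handed to `IS_PRIV_FOR` and then to `put_domain(d)` on both the deny and the allow path. `op->domain` is copied from the guest, so with `PRIVILEGED_STUBDOMS` defined an id that names no domain reaches `put_domain(NULL)`. Add `if ( d == NULL ) return -ESRCH;` directly after the lookup. The reference is also dropped before `domctl_lock_acquire()`, so the per-command code presumably looks the domain up again and the check is not tied to the reference that is later used. Either do the check where the handler already holds `d`, or add a comment explaining why the gap is acceptable. do_domctl continues outside this hunk.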
