From: Paul Durrant <paul.durrant@citrix.com>
To: qemu-devel@nongnu.org, xen-devel@lists.xenproject.org
Cc: Paul Durrant <paul.durrant@citrix.com>,
Stefano Stabellini <sstabellini@kernel.org>,
Anthony Perard <anthony.perard@citrix.com>,
Paolo Bonzini <pbonzini@redhat.com>
Subject: [Qemu-devel] [PATCH v3] xen: use libxendevice model to restrict operations
Date: Tue, 21 Mar 2017 18:27:57 +0000 [thread overview]
Message-ID: <1490120877-3731-1-git-send-email-paul.durrant@citrix.com> (raw)
This patch adds a command-line option (-xen-domid-restrict) which will
use the new libxendevicemodel API to restrict devicemodel [1] operations
to the specified domid. (Such operations are not applicable to the xenpv
machine type).
This patch also adds a tracepoint to allow successful enabling of the
restriction to be monitored.
[1] I.e. operations issued by libxendevicemodel. Operation issued by other
xen libraries (e.g. libxenforeignmemory) are currently still unrestricted
but this will be rectified by subsequent patches.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
---
Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
NOTE: This is already re-based on Juergen Gross's patch "xen: use 5 digit
xen versions" and so should not be applied until after that patch
has been applied.
v2:
- Log errno in tracepoint
---
hw/xen/trace-events | 1 +
include/hw/xen/xen.h | 1 +
include/hw/xen/xen_common.h | 20 ++++++++++++++++++++
qemu-options.hx | 7 +++++++
vl.c | 8 ++++++++
xen-hvm.c | 8 ++++++++
6 files changed, 45 insertions(+)
diff --git a/hw/xen/trace-events b/hw/xen/trace-events
index c4fb6f1..5615dce 100644
--- a/hw/xen/trace-events
+++ b/hw/xen/trace-events
@@ -11,3 +11,4 @@ xen_map_portio_range(uint32_t id, uint64_t start_addr, uint64_t end_addr) "id: %
xen_unmap_portio_range(uint32_t id, uint64_t start_addr, uint64_t end_addr) "id: %u start: %#"PRIx64" end: %#"PRIx64
xen_map_pcidev(uint32_t id, uint8_t bus, uint8_t dev, uint8_t func) "id: %u bdf: %02x.%02x.%02x"
xen_unmap_pcidev(uint32_t id, uint8_t bus, uint8_t dev, uint8_t func) "id: %u bdf: %02x.%02x.%02x"
+xen_domid_restrict(int err) "err: %u"
diff --git a/include/hw/xen/xen.h b/include/hw/xen/xen.h
index 2b1733b..7efcdaa 100644
--- a/include/hw/xen/xen.h
+++ b/include/hw/xen/xen.h
@@ -21,6 +21,7 @@ enum xen_mode {
extern uint32_t xen_domid;
extern enum xen_mode xen_mode;
+extern bool xen_domid_restrict;
extern bool xen_allowed;
diff --git a/include/hw/xen/xen_common.h b/include/hw/xen/xen_common.h
index df098c7..4f3bd35 100644
--- a/include/hw/xen/xen_common.h
+++ b/include/hw/xen/xen_common.h
@@ -152,6 +152,13 @@ static inline int xendevicemodel_set_mem_type(
return xc_hvm_set_mem_type(dmod, domid, mem_type, first_pfn, nr);
}
+static inline int xendevicemodel_restrict(
+ xendevicemodel_handle *dmod, domid_t domid)
+{
+ errno = ENOTTY;
+ return -1;
+}
+
#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40900 */
#include <xendevicemodel.h>
@@ -206,6 +213,19 @@ static inline int xen_modified_memory(domid_t domid, uint64_t first_pfn,
return xendevicemodel_modified_memory(xen_dmod, domid, first_pfn, nr);
}
+static inline int xen_restrict(domid_t domid)
+{
+ int rc = xendevicemodel_restrict(xen_dmod, domid);
+
+ trace_xen_domid_restrict(errno);
+
+ if (errno == ENOTTY) {
+ return 0;
+ }
+
+ return rc;
+}
+
/* Xen 4.2 through 4.6 */
#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40701
diff --git a/qemu-options.hx b/qemu-options.hx
index 99af8ed..d380f7d 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -3354,6 +3354,11 @@ DEF("xen-attach", 0, QEMU_OPTION_xen_attach,
"-xen-attach attach to existing xen domain\n"
" xend will use this when starting QEMU\n",
QEMU_ARCH_ALL)
+DEF("xen-domid-restrict", 0, QEMU_OPTION_xen_domid_restrict,
+ "-xen-domid-restrict restrict set of available xen operations\n"
+ " to specified domain id. (Does not affect\n
+ " xenpv machine type).\n",
+ QEMU_ARCH_ALL)
STEXI
@item -xen-domid @var{id}
@findex -xen-domid
@@ -3366,6 +3371,8 @@ Warning: should not be used when xend is in use (XEN only).
@findex -xen-attach
Attach to existing xen domain.
xend will use this when starting QEMU (XEN only).
+@findex -xen-domid-restrict
+Restrict set of available xen operations to specified domain id (XEN only).
ETEXI
DEF("no-reboot", 0, QEMU_OPTION_no_reboot, \
diff --git a/vl.c b/vl.c
index 0b4ed52..f46e070 100644
--- a/vl.c
+++ b/vl.c
@@ -205,6 +205,7 @@ static NotifierList machine_init_done_notifiers =
bool xen_allowed;
uint32_t xen_domid;
enum xen_mode xen_mode = XEN_EMULATE;
+bool xen_domid_restrict;
static int has_defaults = 1;
static int default_serial = 1;
@@ -3933,6 +3934,13 @@ int main(int argc, char **argv, char **envp)
}
xen_mode = XEN_ATTACH;
break;
+ case QEMU_OPTION_xen_domid_restrict:
+ if (!(xen_available())) {
+ error_report("Option not supported for this target");
+ exit(1);
+ }
+ xen_domid_restrict = true;
+ break;
case QEMU_OPTION_trace:
g_free(trace_file);
trace_file = trace_opt_parse(optarg);
diff --git a/xen-hvm.c b/xen-hvm.c
index 4b928cf..335e263 100644
--- a/xen-hvm.c
+++ b/xen-hvm.c
@@ -1226,6 +1226,14 @@ void xen_hvm_init(PCMachineState *pcms, MemoryRegion **ram_memory)
goto err;
}
+ if (xen_domid_restrict) {
+ rc = xen_restrict(xen_domid);
+ if (rc < 0) {
+ error_report("failed to restrict: error %d", errno);
+ goto err;
+ }
+ }
+
xen_create_ioreq_server(xen_domid, &state->ioservid);
state->exit.notify = xen_exit_notifier;
--
2.1.4
WARNING: multiple messages have this Message-ID (diff)
From: Paul Durrant <paul.durrant@citrix.com>
To: qemu-devel@nongnu.org, xen-devel@lists.xenproject.org
Cc: Anthony Perard <anthony.perard@citrix.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Paul Durrant <paul.durrant@citrix.com>,
Stefano Stabellini <sstabellini@kernel.org>
Subject: [PATCH v3] xen: use libxendevice model to restrict operations
Date: Tue, 21 Mar 2017 18:27:57 +0000 [thread overview]
Message-ID: <1490120877-3731-1-git-send-email-paul.durrant@citrix.com> (raw)
This patch adds a command-line option (-xen-domid-restrict) which will
use the new libxendevicemodel API to restrict devicemodel [1] operations
to the specified domid. (Such operations are not applicable to the xenpv
machine type).
This patch also adds a tracepoint to allow successful enabling of the
restriction to be monitored.
[1] I.e. operations issued by libxendevicemodel. Operation issued by other
xen libraries (e.g. libxenforeignmemory) are currently still unrestricted
but this will be rectified by subsequent patches.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
---
Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
NOTE: This is already re-based on Juergen Gross's patch "xen: use 5 digit
xen versions" and so should not be applied until after that patch
has been applied.
v2:
- Log errno in tracepoint
---
hw/xen/trace-events | 1 +
include/hw/xen/xen.h | 1 +
include/hw/xen/xen_common.h | 20 ++++++++++++++++++++
qemu-options.hx | 7 +++++++
vl.c | 8 ++++++++
xen-hvm.c | 8 ++++++++
6 files changed, 45 insertions(+)
diff --git a/hw/xen/trace-events b/hw/xen/trace-events
index c4fb6f1..5615dce 100644
--- a/hw/xen/trace-events
+++ b/hw/xen/trace-events
@@ -11,3 +11,4 @@ xen_map_portio_range(uint32_t id, uint64_t start_addr, uint64_t end_addr) "id: %
xen_unmap_portio_range(uint32_t id, uint64_t start_addr, uint64_t end_addr) "id: %u start: %#"PRIx64" end: %#"PRIx64
xen_map_pcidev(uint32_t id, uint8_t bus, uint8_t dev, uint8_t func) "id: %u bdf: %02x.%02x.%02x"
xen_unmap_pcidev(uint32_t id, uint8_t bus, uint8_t dev, uint8_t func) "id: %u bdf: %02x.%02x.%02x"
+xen_domid_restrict(int err) "err: %u"
diff --git a/include/hw/xen/xen.h b/include/hw/xen/xen.h
index 2b1733b..7efcdaa 100644
--- a/include/hw/xen/xen.h
+++ b/include/hw/xen/xen.h
@@ -21,6 +21,7 @@ enum xen_mode {
extern uint32_t xen_domid;
extern enum xen_mode xen_mode;
+extern bool xen_domid_restrict;
extern bool xen_allowed;
diff --git a/include/hw/xen/xen_common.h b/include/hw/xen/xen_common.h
index df098c7..4f3bd35 100644
--- a/include/hw/xen/xen_common.h
+++ b/include/hw/xen/xen_common.h
@@ -152,6 +152,13 @@ static inline int xendevicemodel_set_mem_type(
return xc_hvm_set_mem_type(dmod, domid, mem_type, first_pfn, nr);
}
+static inline int xendevicemodel_restrict(
+ xendevicemodel_handle *dmod, domid_t domid)
+{
+ errno = ENOTTY;
+ return -1;
+}
+
#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40900 */
#include <xendevicemodel.h>
@@ -206,6 +213,19 @@ static inline int xen_modified_memory(domid_t domid, uint64_t first_pfn,
return xendevicemodel_modified_memory(xen_dmod, domid, first_pfn, nr);
}
+static inline int xen_restrict(domid_t domid)
+{
+ int rc = xendevicemodel_restrict(xen_dmod, domid);
+
+ trace_xen_domid_restrict(errno);
+
+ if (errno == ENOTTY) {
+ return 0;
+ }
+
+ return rc;
+}
+
/* Xen 4.2 through 4.6 */
#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40701
diff --git a/qemu-options.hx b/qemu-options.hx
index 99af8ed..d380f7d 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -3354,6 +3354,11 @@ DEF("xen-attach", 0, QEMU_OPTION_xen_attach,
"-xen-attach attach to existing xen domain\n"
" xend will use this when starting QEMU\n",
QEMU_ARCH_ALL)
+DEF("xen-domid-restrict", 0, QEMU_OPTION_xen_domid_restrict,
+ "-xen-domid-restrict restrict set of available xen operations\n"
+ " to specified domain id. (Does not affect\n
+ " xenpv machine type).\n",
+ QEMU_ARCH_ALL)
STEXI
@item -xen-domid @var{id}
@findex -xen-domid
@@ -3366,6 +3371,8 @@ Warning: should not be used when xend is in use (XEN only).
@findex -xen-attach
Attach to existing xen domain.
xend will use this when starting QEMU (XEN only).
+@findex -xen-domid-restrict
+Restrict set of available xen operations to specified domain id (XEN only).
ETEXI
DEF("no-reboot", 0, QEMU_OPTION_no_reboot, \
diff --git a/vl.c b/vl.c
index 0b4ed52..f46e070 100644
--- a/vl.c
+++ b/vl.c
@@ -205,6 +205,7 @@ static NotifierList machine_init_done_notifiers =
bool xen_allowed;
uint32_t xen_domid;
enum xen_mode xen_mode = XEN_EMULATE;
+bool xen_domid_restrict;
static int has_defaults = 1;
static int default_serial = 1;
@@ -3933,6 +3934,13 @@ int main(int argc, char **argv, char **envp)
}
xen_mode = XEN_ATTACH;
break;
+ case QEMU_OPTION_xen_domid_restrict:
+ if (!(xen_available())) {
+ error_report("Option not supported for this target");
+ exit(1);
+ }
+ xen_domid_restrict = true;
+ break;
case QEMU_OPTION_trace:
g_free(trace_file);
trace_file = trace_opt_parse(optarg);
diff --git a/xen-hvm.c b/xen-hvm.c
index 4b928cf..335e263 100644
--- a/xen-hvm.c
+++ b/xen-hvm.c
@@ -1226,6 +1226,14 @@ void xen_hvm_init(PCMachineState *pcms, MemoryRegion **ram_memory)
goto err;
}
+ if (xen_domid_restrict) {
+ rc = xen_restrict(xen_domid);
+ if (rc < 0) {
+ error_report("failed to restrict: error %d", errno);
+ goto err;
+ }
+ }
+
xen_create_ioreq_server(xen_domid, &state->ioservid);
state->exit.notify = xen_exit_notifier;
--
2.1.4
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next reply other threads:[~2017-03-21 18:28 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-21 18:27 Paul Durrant [this message]
2017-03-21 18:27 ` [PATCH v3] xen: use libxendevice model to restrict operations Paul Durrant
2017-03-21 18:59 ` [Qemu-devel] " Stefano Stabellini
2017-03-21 18:59 ` Stefano Stabellini
2017-03-22 9:22 ` [Qemu-devel] " Paul Durrant
2017-03-22 9:22 ` Paul Durrant
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1490120877-3731-1-git-send-email-paul.durrant@citrix.com \
--to=paul.durrant@citrix.com \
--cc=anthony.perard@citrix.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=sstabellini@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.