From: Ian Jackson
Date: Wed, 4 Oct 2017 17:18:03 +0100
Message-ID: <1507133891-26013-1-git-send-email-ian.jackson@eu.citrix.com>
Subject: [Qemu-devel] [PATCH v2 0/*] xen: xen-domid-restrict improvements
To: qemu-devel@nongnu.org
Cc: Ross Lagerwall, Anthony PERARD, xen-devel@lists.xenproject.org, Juergen Gross, Stefano Stabellini

(Resending this because 1. I got the CC for xen-devel wrong; 2. I got
the subject wrong: there are actually 8 patches; 3. I mangled
Anthony's name in the headers.  Sorry for the noise.)

I have been working on trying to get qemu, when running as a Xen
device model, to _actually_ not have power equivalent to root.

I think I have achieved this, with some limitations (which will be
discussed in my series against xen.git).

However, there are changes to qemu needed.  In particular

 * The -xen-domid-restrict option does not work properly right now.
   It only restricts a small subset of the descriptors qemu has open.
   I am introducing a new library call in the Xen libraries for this,
   xentoolcore_restrict_all.

 * We need to call a different function on domain shutdown.

 * The restriction operation needs to be done at a slightly different
   time, necessitating a new hook.

 * Additionally, in the future, we intend to be able to set aside
   a uid range for these qemus to run in, and that involves being
   able to tell qemu to drop privilege by numeric uid and gid.

Thanks very much to Anthony Perard for his review of the first, RFC,
version, and for helping out with configure.

At least the first patch of this, "xen: link against xentoolcore",
will very likely be necessary, since the corresponding xen.git series
is likely to make Xen 4.10.

Ian.
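As an added illustration of the last item in the cover letter above (dropping privilege by numeric uid and gid), here is a sketch in C; it is not code from this patch series or from QEMU. The "<uid>:<gid>" spec syntax and the function names are assumptions made for the example.

```c
#define _DEFAULT_SOURCE             /* exposes setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse one decimal id that must end at end_ch; returns 0 on success. */
static int parse_id(const char *s, char end_ch, unsigned long *out, const char **rest)
{
    char *end;
    if (*s < '0' || *s > '9') return -1;   /* no sign, whitespace or user names */
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    /* Reject overflow and 0xffffffff: (uid_t)-1 means "unchanged" to setre*id(). */
    if (errno || *end != end_ch || v >= 0xffffffffUL) return -1;
    *out = v;
    *rest = end;
    return 0;
}

/* Parse "<uid>:<gid>" (hypothetical spec syntax); returns 0 on success. */
int parse_numeric_ids(const char *spec, uid_t *uid, gid_t *gid)
{
    unsigned long u, g;
    const char *p;
    if (parse_id(spec, ':', &u, &p) || parse_id(p + 1, '\0', &g, &p)) return -1;
    *uid = (uid_t)u;
    *gid = (gid_t)g;
    return 0;
}

/* Drop to uid/gid for good. Groups and gid need root, so the uid goes last. */
int drop_to_numeric_ids(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) < 0) return -1; /* discard root's supplementary groups */
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    /* Verify: regaining root must now fail, unless uid 0 was requested. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

int main(int argc, char **argv)
{
    uid_t u; gid_t g;
    if (argc != 2 || parse_numeric_ids(argv[1], &u, &g)) return 2;
    return drop_to_numeric_ids(u, g) ? 1 : 0;
}
```

Taking numeric ids avoids any passwd or group database lookup, so the ids need not have account entries on the host.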