From: Ian Jackson
Date: Fri, 6 Oct 2017 19:27:16 +0100
Message-ID: <1507314444-30835-1-git-send-email-ian.jackson@eu.citrix.com>
Subject: [Qemu-devel] [PATCH v3 0/8] xen: xen-domid-restrict improvements
To: qemu-devel@nongnu.org
Cc: Ross Lagerwall, Anthony PERARD, Juergen Gross, Stefano Stabellini, xen-devel@lists.xenproject.org

I have been working on trying to get qemu, when running as a Xen
device model, to _actually_ not have power equivalent to root.

I think I have achieved this, with some limitations (which are
discussed in my series against xen.git).

However, there are changes to qemu needed.  In particular

 * The -xen-domid-restrict option does not work properly right now.
   It only restricts a small subset of the descriptors qemu has open.
   I am introducing a new library call in the Xen libraries for this,
   xentoolcore_restrict_all.

 * We need to call a different function on domain shutdown.

 * The restriction operation needs to be done at a slightly different
   time, necessitating a new hook.

 * Additionally, in the future, we intend to be able to set aside
   a uid range for these qemus to run in, and that involves being
   able to tell qemu to drop privilege by numeric uid and gid.

Thanks to Anthony Perard, Peter Maydell and Ross Lagerwall for
assistance, review and testing.

At least the first patch of this, "xen: link against xentoolcore",
will very likely be necessary, since the corresponding xen.git series
is likely to make Xen 4.10.

Ian.
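
The last item in the list above asks for dropping privilege by numeric uid and gid, which matters when the ids come from a reserved range with no passwd entries. The following is an added example, not code from this series or from qemu, of how a Linux process can do that; the `UID:GID` argument syntax and the names `parse_uid_gid` and `drop_privileges` are assumptions of the example.

```c
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse one decimal id ending at `stop`. Rejects empty input, signs,
 * whitespace, trailing junk, overflow and 0xffffffff ((uid_t)-1 on Linux). */
static int parse_id(const char *s, char stop, const char **rest, uint32_t *out)
{
    char *end;
    if (*s < '0' || *s > '9') return -1;
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno || *end != stop || v >= UINT32_MAX) return -1;
    *out = (uint32_t)v; *rest = end;
    return 0;
}

/* The "UID:GID" spec syntax is an assumption of this example. */
int parse_uid_gid(const char *spec, uid_t *uid, gid_t *gid)
{
    const char *p;
    uint32_t u, g;
    if (parse_id(spec, ':', &p, &u) || parse_id(p + 1, '\0', &p, &g)) return -1;
    *uid = u; *gid = g;
    return 0;
}

/* Needs root. No getpwnam() lookup: the ids need no passwd entry. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return -1;      /* that would not be a drop */
    if (setgroups(0, NULL) < 0) return -1;    /* shed supplementary groups */
    if (setgid(gid) < 0) return -1;           /* group first, while still root */
    if (setuid(uid) < 0) return -1;           /* as root: real, effective, saved */
    if (setuid(0) == 0 || setgid(0) == 0) return -1;  /* must be irreversible */
    return 0;
}

int main(int argc, char **argv)
{
    uid_t uid; gid_t gid;
    if (argc != 2 || parse_uid_gid(argv[1], &uid, &gid) < 0) return 2;
    if (drop_privileges(uid, gid) < 0) { perror("drop_privileges"); return 1; }
    return 0;
}
```

A caller should treat any non-zero return from `drop_privileges` as fatal and exit rather than continue with partially changed credentials.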