[PATCH for-4.12 v2 0/8] tools: Depriv fd checking, internal fd access

From: Ian Jackson <ian.jackson@eu.citrix.com>
To: xen-devel@lists.xenproject.org
Cc: "Anthony Perard" <anthony.perard@citrix.com>,
	"Andrew Cooper" <andrew.cooper3@citrix.com>,
	"Ian Jackson" <Ian.Jackson@eu.citrix.com>,
	"Wei Liu" <wei.liu2@citrix.com>,
	"Roger Pau Monné" <roger.pau@citrix.com>
Subject: [PATCH for-4.12 v2 0/8] tools: Depriv fd checking, internal fd access
Date: Mon, 11 Jun 2018 15:13:16 +0100	[thread overview]
Message-ID: <1528726404-14924-1-git-send-email-ian.jackson@eu.citrix.com> (raw)

From: Ian Jackson <Ian.Jackson@eu.citrix.com>

This series provides the support in xen.git for auditing whether qemu
file descriptors are deprivileged, as expected with libxl
dm_restrict=1.

The approach I have chosen is to fish the descriptors out of qemu (by
using debugging facilities), and try to make hypercalls etc. using
them.

To take making a hypercall as an example: this is not easily done
without libxc.  So I need to make libxc make a hypercall with a
different fd - actually, a different open-file.  I do this by using
dup2 to overwrite libxc's fd with the one stolen from qemu.  That
means I need to know libxc's fd number.  Hence the handle access
patches in this series.

Compared to v2, this fixes the issues identified, and also, as
promised, introduces the actual descriptor checking utility here in
xen.git.  Building it out-of-tree is quite tiresome and anyway the
utility might be useful for other purposes.

This is not 4.11 material.  qemu depriv is not covered by support in
4.11 anyway.  In 4.12 I want it to be supported, and, therefore,
tested and audited.  If it becomes fully supported there, it might be
worth backporting some of these patches.

The utility `fishdescriptor', referred to, is part of the Debian
package chiark-scripts.deb.  A newish version of that package is
needed.  That will be dealt with fully in the corresponding osstest
patches.

Ian Jackson (8):
  libxc: Drop declarations of osdep_privcmd_open and _close
  libxc: Provide access to internal handles
  tools: xencall, xengnttab, xengntshr: Provide access to internal fds
  libxl: Provide better error message when qemu restrict user not found
  tools/tests/depriv: New test utility for deprivilege auditing
  tools/tests: Allow a test subdir to have `install' and `uninstall'
    targets
  tools/tests/depriv: Install depriv-fd-checker in our private libexec
    directory
  tools/tests/depriv-fd-checker: Support checking of Linux tun devices

 .gitignore                             |   1 +
 tools/libs/call/core.c                 |   5 +
 tools/libs/call/include/xencall.h      |   8 +
 tools/libs/call/libxencall.map         |   6 +
 tools/libs/gnttab/gntshr_core.c        |   6 +
 tools/libs/gnttab/gnttab_core.c        |   5 +
 tools/libs/gnttab/include/xengnttab.h  |  17 ++
 tools/libs/gnttab/libxengnttab.map     |   6 +
 tools/libxc/include/xenctrl.h          |  10 +
 tools/libxc/xc_private.c               |  15 ++
 tools/libxc/xc_private.h               |   3 -
 tools/libxl/libxl_dm.c                 |   5 +-
 tools/tests/Makefile                   |   7 +-
 tools/tests/depriv/Makefile            |  51 ++++
 tools/tests/depriv/depriv-fd-checker.c | 433 +++++++++++++++++++++++++++++++++
 tools/tests/mce-test/Makefile          |   2 +
 tools/tests/mem-sharing/Makefile       |   2 +
 tools/tests/xen-access/Makefile        |   2 +
 tools/tests/xenstore/Makefile          |   2 +
 19 files changed, 576 insertions(+), 10 deletions(-)
 create mode 100644 tools/tests/depriv/Makefile
 create mode 100644 tools/tests/depriv/depriv-fd-checker.c

-- 
2.1.4

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel