[PATCH for-4.12 v2 0/8] tools: Depriv fd checking, internal fd access

[PATCH for-4.12 v2 0/8] tools: Depriv fd checking, internal fd access

[Ian Jackson]

From: Ian Jackson <Ian.Jackson@eu.citrix.com>

This series provides the support in xen.git for auditing whether qemu
file descriptors are deprivileged, as expected with libxl
dm_restrict=1.

The approach I have chosen is to fish the descriptors out of qemu (by
using debugging facilities), and try to make hypercalls etc. using
them.

To take making a hypercall as an example: this is not easily done
without libxc.  So I need to make libxc make a hypercall with a
different fd - actually, a different open-file.  I do this by using
dup2 to overwrite libxc's fd with the one stolen from qemu.  That
means I need to know libxc's fd number.  Hence the handle access
patches in this series.

Compared to v2, this fixes the issues identified, and also, as
promised, introduces the actual descriptor checking utility here in
xen.git.  Building it out-of-tree is quite tiresome and anyway the
utility might be useful for other purposes.

This is not 4.11 material.  qemu depriv is not covered by support in
4.11 anyway.  In 4.12 I want it to be supported, and, therefore,
tested and audited.  If it becomes fully supported there, it might be
worth backporting some of these patches.

The utility `fishdescriptor', referred to, is part of the Debian
package chiark-scripts.deb.  A newish version of that package is
needed.  That will be dealt with fully in the corresponding osstest
patches.

Ian Jackson (8):
  libxc: Drop declarations of osdep_privcmd_open and _close
  libxc: Provide access to internal handles
  tools: xencall, xengnttab, xengntshr: Provide access to internal fds
  libxl: Provide better error message when qemu restrict user not found
  tools/tests/depriv: New test utility for deprivilege auditing
  tools/tests: Allow a test subdir to have `install' and `uninstall'
    targets
  tools/tests/depriv: Install depriv-fd-checker in our private libexec
    directory
  tools/tests/depriv-fd-checker: Support checking of Linux tun devices

 .gitignore                             |   1 +
 tools/libs/call/core.c                 |   5 +
 tools/libs/call/include/xencall.h      |   8 +
 tools/libs/call/libxencall.map         |   6 +
 tools/libs/gnttab/gntshr_core.c        |   6 +
 tools/libs/gnttab/gnttab_core.c        |   5 +
 tools/libs/gnttab/include/xengnttab.h  |  17 ++
 tools/libs/gnttab/libxengnttab.map     |   6 +
 tools/libxc/include/xenctrl.h          |  10 +
 tools/libxc/xc_private.c               |  15 ++
 tools/libxc/xc_private.h               |   3 -
 tools/libxl/libxl_dm.c                 |   5 +-
 tools/tests/Makefile                   |   7 +-
 tools/tests/depriv/Makefile            |  51 ++++
 tools/tests/depriv/depriv-fd-checker.c | 433 +++++++++++++++++++++++++++++++++
 tools/tests/mce-test/Makefile          |   2 +
 tools/tests/mem-sharing/Makefile       |   2 +
 tools/tests/xen-access/Makefile        |   2 +
 tools/tests/xenstore/Makefile          |   2 +
 19 files changed, 576 insertions(+), 10 deletions(-)
 create mode 100644 tools/tests/depriv/Makefile
 create mode 100644 tools/tests/depriv/depriv-fd-checker.c

-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[PATCH v2 1/8] libxc: Drop declarations of osdep_privcmd_open and _close

[Ian Jackson]

These functions are no longer defined or used anywhere.  The
declarations should have been deleted when the definitions were.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
---
 tools/libxc/xc_private.h | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/tools/libxc/xc_private.h b/tools/libxc/xc_private.h
index 03bc9a7..25bae8a 100644
--- a/tools/libxc/xc_private.h
+++ b/tools/libxc/xc_private.h
@@ -103,9 +103,6 @@ struct xc_interface_core {
     xendevicemodel_handle *dmod;
 };
 
-int osdep_privcmd_open(xc_interface *xch);
-int osdep_privcmd_close(xc_interface *xch);
-
 void *osdep_alloc_hypercall_buffer(xc_interface *xch, int npages);
 void osdep_free_hypercall_buffer(xc_interface *xch, void *ptr, int npages);
 
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[PATCH v2 2/8] libxc: Provide access to internal handles

[Ian Jackson]

In order to support auditing of qemu depriv, my audit tool wants to
know the fd of a privcmd handle on which it can easily make
hypercalls.  xencall provides such a handle, but has no cooked
facilities for making hypercalls.  So I open a libxc handle.  That
means I need to get the privcmd fd out of the libxc handle.

ISTM that it is best to do this by providing an interface to get the
underlying library handles for a libxc handle.  This kind of interface
is quite common elsewhere and has not caused problems.

libxc is not a stable API so the downside risk of providing this
access is not significant.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>

---
v2: Actually provide the fmem and dmod handle functions that the
    declarations in the .h file promise.
---
 tools/libxc/include/xenctrl.h | 10 ++++++++++
 tools/libxc/xc_private.c      | 15 +++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/tools/libxc/include/xenctrl.h b/tools/libxc/include/xenctrl.h
index 408fa1c..d7733aa 100644
--- a/tools/libxc/include/xenctrl.h
+++ b/tools/libxc/include/xenctrl.h
@@ -183,6 +183,16 @@ enum xc_open_flags {
  */
 int xc_interface_close(xc_interface *xch);
 
+/**
+ * Return the handles which xch has opened and will use for
+ * hypercalls, foreign memory accesses and device model operations.
+ * These may be used with the corresponding libraries so long as the
+ * xch itself remains open.
+ */
+struct xencall_handle *xc_interface_xcall_handle(xc_interface *xch);
+struct xenforeignmemory_handle *xc_interface_fmem_handle(xc_interface *xch);
+struct xendevicemodel_handle *xc_interface_dmod_handle(xc_interface *xch);
+
 /*
  * HYPERCALL SAFE MEMORY BUFFER
  *
diff --git a/tools/libxc/xc_private.c b/tools/libxc/xc_private.c
index fcda981..5a2efe7 100644
--- a/tools/libxc/xc_private.c
+++ b/tools/libxc/xc_private.c
@@ -104,6 +104,21 @@ int xc_interface_close(xc_interface *xch)
     return rc;
 }
 
+xencall_handle *xc_interface_xcall_handle(xc_interface *xch)
+{
+    return xch->xcall;
+}
+
+struct xenforeignmemory_handle *xc_interface_fmem_handle(xc_interface *xch)
+{
+    return xch->fmem;
+}
+
+struct xendevicemodel_handle *xc_interface_dmod_handle(xc_interface *xch)
+{
+    return xch->dmod;
+}
+
 static pthread_key_t errbuf_pkey;
 static pthread_once_t errbuf_pkey_once = PTHREAD_ONCE_INIT;
 
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[PATCH v2 3/8] tools: xencall, xengnttab, xengntshr: Provide access to internal fds

[Ian Jackson]

I want this to support my qemu depriv descriptor audit tool.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
---
v2: Fix ABI breakage.
---
 tools/libs/call/core.c                |  5 +++++
 tools/libs/call/include/xencall.h     |  8 ++++++++
 tools/libs/call/libxencall.map        |  6 ++++++
 tools/libs/gnttab/gntshr_core.c       |  6 ++++++
 tools/libs/gnttab/gnttab_core.c       |  5 +++++
 tools/libs/gnttab/include/xengnttab.h | 17 +++++++++++++++++
 tools/libs/gnttab/libxengnttab.map    |  6 ++++++
 7 files changed, 53 insertions(+)

diff --git a/tools/libs/call/core.c b/tools/libs/call/core.c
index f3a3400..c155bd4 100644
--- a/tools/libs/call/core.c
+++ b/tools/libs/call/core.c
@@ -81,6 +81,11 @@ int xencall_close(xencall_handle *xcall)
     return rc;
 }
 
+int xencall_fd(xencall_handle *xcall)
+{
+    return xcall->fd;
+}
+
 int xencall0(xencall_handle *xcall, unsigned int op)
 {
     privcmd_hypercall_t call = {
diff --git a/tools/libs/call/include/xencall.h b/tools/libs/call/include/xencall.h
index bafacdd..24bcafb 100644
--- a/tools/libs/call/include/xencall.h
+++ b/tools/libs/call/include/xencall.h
@@ -74,6 +74,14 @@ xencall_handle *xencall_open(struct xentoollog_logger *logger,
 int xencall_close(xencall_handle *xcall);
 
 /*
+ * Return the fd used internally by xencall.  selecting on it is not
+ * useful.  But it could be useful for unusual use cases; perhaps,
+ * passing to other programs, calling ioctls on directly, or maybe
+ * calling fcntl.
+ */
+int xencall_fd(xencall_handle *xcall);
+
+/*
  * Call hypercalls with varying numbers of arguments.
  *
  * On success the return value of the hypercall is the return value of
diff --git a/tools/libs/call/libxencall.map b/tools/libs/call/libxencall.map
index 2f96144..c6a0181 100644
--- a/tools/libs/call/libxencall.map
+++ b/tools/libs/call/libxencall.map
@@ -17,3 +17,9 @@ VERS_1.0 {
 		xencall_free_buffer_pages;
 	local: *; /* Do not expose anything by default */
 };
+
+VERS_1.1 {
+	global:
+		xencall_fd;
+		
+} VERS_1.0;
diff --git a/tools/libs/gnttab/gntshr_core.c b/tools/libs/gnttab/gntshr_core.c
index 7f6bf9d..1117e29 100644
--- a/tools/libs/gnttab/gntshr_core.c
+++ b/tools/libs/gnttab/gntshr_core.c
@@ -64,6 +64,12 @@ int xengntshr_close(xengntshr_handle *xgs)
     free(xgs);
     return rc;
 }
+
+int xengntshr_fd(xengntshr_handle *xgs)
+{
+    return xgs->fd;
+}
+
 void *xengntshr_share_pages(xengntshr_handle *xcg, uint32_t domid,
                             int count, uint32_t *refs, int writable)
 {
diff --git a/tools/libs/gnttab/gnttab_core.c b/tools/libs/gnttab/gnttab_core.c
index 98f1591..bd075f8 100644
--- a/tools/libs/gnttab/gnttab_core.c
+++ b/tools/libs/gnttab/gnttab_core.c
@@ -75,6 +75,11 @@ int xengnttab_close(xengnttab_handle *xgt)
     return rc;
 }
 
+int xengnttab_fd(xengnttab_handle *xgt)
+{
+    return xgt->fd;
+}
+
 int xengnttab_set_max_grants(xengnttab_handle *xgt, uint32_t count)
 {
     return osdep_gnttab_set_max_grants(xgt, count);
diff --git a/tools/libs/gnttab/include/xengnttab.h b/tools/libs/gnttab/include/xengnttab.h
index 35be6c1..91d4cd5 100644
--- a/tools/libs/gnttab/include/xengnttab.h
+++ b/tools/libs/gnttab/include/xengnttab.h
@@ -149,6 +149,15 @@ xengnttab_handle *xengnttab_open(struct xentoollog_logger *logger,
  */
 int xengnttab_close(xengnttab_handle *xgt);
 
+
+/*
+ * Return the fd used internally by xengnttab.  selecting on it is not
+ * useful.  But it could be useful for unusual use cases; perhaps,
+ * passing to other programs, calling ioctls on directly, or maybe
+ * calling fcntl.
+ */
+int xengnttab_fd(xengnttab_handle *xgt);
+
 /**
  * Memory maps a grant reference from one domain to a local address range.
  * Mappings should be unmapped with xengnttab_unmap.  Logs errors.
@@ -334,6 +343,14 @@ xengntshr_handle *xengntshr_open(struct xentoollog_logger *logger,
  */
 int xengntshr_close(xengntshr_handle *xgs);
 
+/*
+ * Return the fd used internally by xengntshr.  selecting on it is not
+ * useful.  But it could be useful for unusual use cases; perhaps,
+ * passing to other programs, calling ioctls on directly, or maybe
+ * calling fcntl.
+ */
+int xengntshr_fd(xengntshr_handle *xgs);
+
 /**
  * Allocates and shares pages with another domain.
  *
diff --git a/tools/libs/gnttab/libxengnttab.map b/tools/libs/gnttab/libxengnttab.map
index f78da22..d5da388 100644
--- a/tools/libs/gnttab/libxengnttab.map
+++ b/tools/libs/gnttab/libxengnttab.map
@@ -26,3 +26,9 @@ VERS_1.1 {
     global:
         xengnttab_grant_copy;
 } VERS_1.0;
+
+VERS_1.2 {
+    global:
+		xengnttab_fd;
+		xengntshr_fd;
+} VERS_1.1;
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[PATCH v2 4/8] libxl: Provide better error message when qemu restrict user not found

[Ian Jackson]

Add mention of LIBXL_QEMU_USER_RANGE_BASE, in case that is what the
user was intending.

Cc: Anthony Perard <anthony.perard@citrix.com>
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
---
 tools/libxl/libxl_dm.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
index 18ada69..7289509 100644
--- a/tools/libxl/libxl_dm.c
+++ b/tools/libxl/libxl_dm.c
@@ -1699,8 +1699,9 @@ static int libxl__build_device_model_args_new(libxl__gc *gc,
         }
 
         LOGD(ERROR, guest_domid,
-             "Could not find user %s%d or %s, cannot restrict",
-             LIBXL_QEMU_USER_BASE, guest_domid, LIBXL_QEMU_USER_SHARED);
+ "Could not find user %s%d or %s or range base pseudo-user %s, cannot restrict",
+             LIBXL_QEMU_USER_BASE, guest_domid, LIBXL_QEMU_USER_SHARED,
+             LIBXL_QEMU_USER_RANGE_BASE);
         return ERROR_INVAL;
 
 end_search:
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[PATCH v2 5/8] tools/tests/depriv: New test utility for deprivilege auditing

[Ian Jackson]

I have chosen to licence this utility as LGPL-v2.1-only, similar to
other LGPL elements of the Xen tools, because it may want to be moved
into or combined with osstest or some other project at some point in
the future, so it wants a licence compatible with osstest's AGPLv3+.

Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
---
v2: New patch
---
 .gitignore                             |   1 +
 tools/tests/depriv/Makefile            |  42 ++++
 tools/tests/depriv/depriv-fd-checker.c | 399 +++++++++++++++++++++++++++++++++
 3 files changed, 442 insertions(+)
 create mode 100644 tools/tests/depriv/Makefile
 create mode 100644 tools/tests/depriv/depriv-fd-checker.c

diff --git a/.gitignore b/.gitignore
index 7004349..5b8448d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -237,6 +237,7 @@ tools/python/build/*
 tools/security/secpol_tool
 tools/security/xen/*
 tools/security/xensec_tool
+tools/tests/depriv/depriv-fd-checker
 tools/tests/x86_emulator/*.bin
 tools/tests/x86_emulator/*.tmp
 tools/tests/x86_emulator/3dnow*.[ch]
diff --git a/tools/tests/depriv/Makefile b/tools/tests/depriv/Makefile
new file mode 100644
index 0000000..2af1e29
--- /dev/null
+++ b/tools/tests/depriv/Makefile
@@ -0,0 +1,42 @@
+XEN_ROOT=$(CURDIR)/../../..
+include $(XEN_ROOT)/tools/Rules.mk
+
+CFLAGS += -Werror -Wno-declaration-after-statement
+
+CFLAGS += $(CFLAGS_xeninclude)
+CFLAGS += $(CFLAGS_libxenctrl)
+CFLAGS += $(CFLAGS_libxencall)
+CFLAGS += $(CFLAGS_libxenevtchn)
+CFLAGS += $(CFLAGS_libxengnttab)
+CFLAGS += $(CFLAGS_libxenforeignmemory)
+CFLAGS += $(CFLAGS_libxendevicemodel)
+CFLAGS += $(CFLAGS_libxentoolcore)
+CFLAGS += $(CFLAGS_libxentoollog)
+
+LDLIBS += $(LDLIBS_xeninclude)
+LDLIBS += $(LDLIBS_libxenctrl)
+LDLIBS += $(LDLIBS_libxencall)
+LDLIBS += $(LDLIBS_libxenevtchn)
+LDLIBS += $(LDLIBS_libxengnttab)
+LDLIBS += $(LDLIBS_libxenforeignmemory)
+LDLIBS += $(LDLIBS_libxendevicemodel)
+LDLIBS += $(LDLIBS_libxentoolcore)
+LDLIBS += $(LDLIBS_libxentoollog)
+
+TARGETS-y := depriv-fd-checker
+TARGETS := $(TARGETS-y)
+
+.PHONY: all
+all: build
+
+.PHONY: build
+build: $(TARGETS)
+
+.PHONY: clean
+clean:
+	$(RM) *.o $(TARGETS) *~ $(DEPS_RM)
+
+.PHONY: distclean
+distclean: clean
+
+-include $(DEPS_INCLUDE)
diff --git a/tools/tests/depriv/depriv-fd-checker.c b/tools/tests/depriv/depriv-fd-checker.c
new file mode 100644
index 0000000..67a3674
--- /dev/null
+++ b/tools/tests/depriv/depriv-fd-checker.c
@@ -0,0 +1,399 @@
+/*
+ * depriv-fd-checker
+ *
+ * utility to check whether file descriptor(s) are deprivileged
+ *
+ * usage:
+ *  .../depriv-fd-checker CLASS FD X-INFO [CLASS FD X-INFO...]
+ *
+ * CLASS is one of:
+ *    privcmd gntdev evtchn     FD should be appropriate Xen control fd
+ *    readonly                  FD is expected to be readonly
+ *    appendonly                FD is expected to be append write only
+ *
+ * In each case FD is probably a reference to an open-file stolen
+ * from another process, eg by the use of fishdescriptor.
+ *
+ * X-INFO is simply appended to the discursive reportage.
+ *
+ * It is an error if depriv-fd-checker cannot open the control
+ * facilities itself, or something goes wrong with checking, or an FD
+ * is entirely the wrong kind for the specified CLASS.  Otherwise:
+ *
+ * depriv-fd-checker will perhaps print, for each triplet:
+ *   CLASS checking FD INFORMATION... X-INFO
+ * and in any case print, for each triplet:
+ *   CLASS pass|fail FD INFORMATION... X-INFO
+ *
+ * "pass" means that the descriptor was restricted as expected.
+ * "fail" means that the descriptor was unrestricted.
+ */
+/*
+ * Copyright (C)2018 Citrix Systems R&D
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; version 2.1 of the
+ * License.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include <stdio.h>
+#include <assert.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <poll.h>
+
+#include <err.h>
+
+#include <xenctrl.h>
+#include <xencall.h>
+#include <xengnttab.h>
+#include <xenevtchn.h>
+
+/*
+ * Every class needs setup.  setup is called once per class at program
+ * startup.
+ *
+ * Then it can have
+ *     open test getfd close
+ * In which case the core code will for every fd
+ *     open test getfd dup2 test close
+ * And test should call blocked or succeeded and then immediately
+ * return, or error out
+ *
+ * Or it can have
+ *     check
+ * which should call report, or error out
+ *
+ * Errors: use trouble for simple syscall errors.  Or use err or errx
+ * and maybe print fd_desc and test_which, according to the comments
+ * in struct classinfo.
+ */
+
+static xentoollog_logger *logger;
+
+static int object_fd;
+static const char *classname;
+static const char *fd_desc;
+static const char *test_which;
+
+static const char *test_wh_unrest = "test (unrestricted)";
+static const char *test_wh_rest   = "test (restricted)";
+
+
+static void trouble(const char *what) __attribute__((noreturn));
+static void trouble(const char *what) {
+    fprintf(stderr,
+	    "trouble: %s %s %d (%s) %s: %s\n",
+	    classname, test_which, object_fd, fd_desc, what, strerror(errno));
+    exit(-1);
+}
+
+static void report(const char *pass_or_fail, const char *what,
+		   const char *notes) {
+    printf("%s %s %d %s (%s) %s\n",
+	   classname, pass_or_fail,
+	   object_fd, what, notes, fd_desc);
+    if (ferror(stdout) || fflush(stdout)) err(16,"stdout");
+}
+
+static void succeeded(const char *what) {
+    if (test_which == test_wh_unrest) {
+	/* ok */
+	test_which = 0;
+    } else if (test_which == test_wh_rest) {
+	report("fail",what,"unexpectedly succeeded");
+	test_which = 0;
+    } else {
+	abort();
+    }
+}
+
+static void blocked(const char *what) {
+    if (test_which == test_wh_rest) {
+	/* yay */
+	report("pass", what,"blocked");
+	test_which = 0;
+    } else if (test_which == test_wh_unrest) {
+	err(4,"test blocked on unrestricted fd: %s {%s}",what,test_which);
+    } else {
+	abort();
+    }
+}
+
+/* privcmd */
+
+static xc_interface *xch;
+static void setup_privcmd(void) { }
+static void open_privcmd(void) {
+    xch = xc_interface_open(logger,0,0);
+    if (!xch) trouble("xc_interface_open");
+}
+static void test_privcmd(void) {
+    int r = xc_get_online_cpus(xch);
+    if (r>0)
+	succeeded("xc_get_online_cpus");
+    else if (r==0)
+	errx(-1,"xc_get_online_cpus{%s, %s}=0", test_which, fd_desc);
+    else if (errno==EPERM || errno==EACCES)
+	blocked("xc_get_online_cpus");
+    else
+	trouble("xc_get_online_cpus");
+}
+static int getfd_privcmd(void) {
+    return xencall_fd(xc_interface_xcall_handle(xch));
+}
+static void close_privcmd(void) {
+    xc_interface_close(xch);
+}
+
+/* gntdev */
+
+static xengntshr_handle *xgs;
+static uint32_t gntshr_gref;
+static xengnttab_handle *xgt;
+static void setup_gntdev(void) {
+    void *r;
+    xgs = xengntshr_open(logger,0);
+    if (!xgs) trouble("xengntshr_open");
+    r = xengntshr_share_pages(xgs, 0, 1, &gntshr_gref, 1);
+    if (!r || r==(void*)-1) trouble("xengntshr_share_pages");
+    memset(r, 0x55, XC_PAGE_SIZE);
+}
+static void open_gntdev(void) {
+    xgt = xengnttab_open(logger,0);
+    if (!xgt) trouble("xengnttab_open");
+}
+static void test_gntdev(void) {
+    char mybuf[XC_PAGE_SIZE];
+    memset(mybuf, 0xaa, XC_PAGE_SIZE);
+    xengnttab_grant_copy_segment_t seg;
+    seg.source.foreign.ref = gntshr_gref;
+    seg.source.foreign.offset = 0;
+    seg.source.foreign.domid = 0;
+    seg.dest.virt = mybuf;
+    seg.len = 1;
+    seg.flags = GNTCOPY_source_gref;
+    for (;;) {
+	seg.status = 0;
+	int r = xengnttab_grant_copy(xgt,1,&seg);
+	if (r<0) {
+	    if (errno==EPERM || errno==EACCES || errno==ENOTTY)
+		blocked("xengnttab_grant_copy");
+	    else
+		trouble("xengnttab_grant_copy");
+	} else if (r==0) {
+	    if (seg.status==GNTST_okay)
+		succeeded("xengnttab_grant_copy okay");
+	    else if (seg.status==GNTST_eagain)
+		continue;
+	    else errx(-1,"xengnttab_grant_copy=%d {%s, %s} but .status=%d",
+		      r, test_which, fd_desc,(int)seg.status);
+	} else {
+	    errx(-1,"xengnttab_grant_copy=%d {%s, %s}",
+		 r, test_which, fd_desc);
+	}
+	break;
+    }
+}
+static int getfd_gntdev(void) {
+    return xengnttab_fd(xgt);
+}
+static void close_gntdev(void) {
+    xengnttab_close(xgt);
+}
+
+/* evtchn */
+
+static xenevtchn_handle *xce_recip, *xce;
+static void setup_evtchn(void) {
+    xce_recip = xenevtchn_open(logger, 0);
+    if (!xce_recip) err(-1,"xenevtchn_open (donor)");
+}
+static void open_evtchn(void) {
+    xce = xenevtchn_open(logger, 0);
+    if (!xce) err(-1,"xenevtchn_open");
+}
+static void test_evtchn(void) {
+    xenevtchn_port_or_error_t
+        recip_port=-1, test_unbound_port=-1, test_send_port=-1;
+
+    recip_port = xenevtchn_bind_unbound_port(xce_recip, 0);
+    if (recip_port < 0) trouble("xenevtchn_bind_unbound_port");
+
+    test_unbound_port = xenevtchn_bind_unbound_port(xce, 0);
+    if (test_unbound_port >= 0) {
+        succeeded("xenevtchn_bind_unbound_port");
+        goto out;
+    }
+
+    test_send_port = xenevtchn_bind_interdomain(xce, 0, recip_port);
+    /* bind_interdomain marks the channel pending */
+    struct pollfd pfd;
+    for (;;) {
+        pfd.fd = xenevtchn_fd(xce_recip);
+        pfd.events = POLLIN;
+        pfd.revents = 0;
+        int r = poll(&pfd,1,0);
+        if (r>=0) break;
+        if (errno!=EINTR) err(-1,"poll(xce_recip)");
+    }
+    if (pfd.revents & POLLIN) {
+        xenevtchn_port_or_error_t p3 = xenevtchn_pending(xce_recip);
+        if (p3 < 0) err(-1,"xenevtchn_pending(check)");
+        if (p3 != recip_port)
+            errx(-1,"xenevtchn_pending=%d expected %d",p3,recip_port);
+        xenevtchn_unmask(xce_recip, recip_port);
+    }
+
+    if (test_send_port>=0 && (pfd.revents & POLLIN)) {
+        succeeded("xenevtchn_bind_interdomain/poll");
+        /* we make no attempt to undo what we did to this stolen fd;
+         * the rightful owner will see a spurious event on test_send_port */
+    } else if (test_send_port==-1 && !(pfd.revents & POLLIN) &&
+               (errno==EPERM || errno==EACCES || errno==ENOTTY)) {
+	blocked("xenevtchn_notify");
+    } else {
+        err(-1,"%s %s xenevtchn_bind_interdomain=%d .revents=0x%x",
+             test_which, fd_desc, test_send_port, pfd.revents);
+    }
+
+ out:
+    if (recip_port        > 0) xenevtchn_unbind(xce, recip_port);
+    if (test_unbound_port > 0) xenevtchn_unbind(xce, test_unbound_port);
+    if (test_send_port    > 0) xenevtchn_unbind(xce, test_send_port);
+}
+static int getfd_evtchn(void) {
+    return xenevtchn_fd(xce);
+}
+static void close_evtchn(void) {
+    xenevtchn_close(xce);
+}
+
+/* fcntl */
+
+#define CHECK_FCNTL(openmode)				\
+    int r = fcntl(object_fd, F_GETFL);			\
+    if (r < 0) trouble("fcntl F_GETFL");		\
+    int m = r & (O_RDONLY | O_WRONLY | O_RDWR);		\
+							\
+    char mbuf[100 + 30*3];				\
+    snprintf(mbuf,sizeof(mbuf),				\
+	     "F_GETFL=%#o m=%#o " #openmode "=%#o",	\
+	     r,m,(int)openmode);			\
+							\
+    if (m != openmode) {				\
+	report("fail", #openmode, mbuf);		\
+	return;						\
+    }
+
+/* readonly */
+
+static void setup_readonly(void) { }
+static void check_readonly(void) {
+    CHECK_FCNTL(O_RDONLY);
+    report("pass", "fcntl", mbuf);
+}
+
+/* appendonly */
+
+static void setup_appendonly(void) { }
+static void check_appendonly(void) {
+    CHECK_FCNTL(O_WRONLY);
+    if (!(r & O_APPEND)) {
+	report("fail", "O_APPEND", mbuf);
+	return;
+    }
+    report("pass", "fcntl", mbuf);
+}
+
+/* class table and main program */
+
+#define DEFCLASS(cl) \
+    { #cl, setup_##cl, 0, open_##cl, test_##cl, getfd_##cl, close_##cl }
+#define DEFCHECK(meth) \
+    { #meth, setup_##meth, check_##meth }
+
+static const struct classinfo {
+    const char *name;     /* errors: print fd_desc   test_which */
+    void (*setup)(void);  /*               best not   best not  */
+    void (*check)(void);  /*               must       may       */
+    void (*open)(void);   /*               must       may       */
+    void (*test)(void);   /*               must       must      */
+    int (*getfd)(void);   /*               must       may       */
+    void (*close)(void);  /*               must       may       */
+} classinfos[] = {
+    DEFCLASS(privcmd),
+    DEFCLASS(gntdev),
+    DEFCLASS(evtchn),
+    DEFCHECK(readonly),
+    DEFCHECK(appendonly),
+    { 0 }
+};
+
+int main(int argc, char **argv) {
+    const struct classinfo *cli;
+    int r;
+
+    argv++;
+
+    logger = (xentoollog_logger*)xtl_createlogger_stdiostream
+	(stderr, XTL_NOTICE, XTL_STDIOSTREAM_HIDE_PROGRESS);
+
+    fd_desc = "setup";
+    test_which = "setup";
+    for (cli = classinfos; cli->name; cli++)
+	cli->setup();
+
+    while ((classname = *argv++)) {
+	if (!*argv) errx(8,"need fd after class");
+	object_fd = atoi(*argv++);
+
+	fd_desc = *argv++;
+	if (!fd_desc) errx(8,"need info after fd");
+
+	for (cli = classinfos; cli->name; cli++)
+	    if (!strcmp(cli->name, classname))
+		goto found;
+	report("fail","unknown class","");
+	continue;
+
+    found:
+	if (cli->check) {
+	    report("checking","check","in progress");
+	    test_which = "check";
+	    cli->check();
+	} else {
+	    test_which = "open";
+	    report("checking","dup-hack","in progress");
+                                                  cli->open();
+
+	    test_which = test_wh_unrest;          cli->test();
+	    assert(!test_which);
+
+	    test_which = "getfd"; int intern_fd = cli->getfd();
+	    r = dup2(object_fd, intern_fd);
+	    if (r != intern_fd) err(-1, "dup2");
+
+	    test_which = test_wh_rest;             cli->test();
+	    assert(!test_which);
+
+	    test_which = "close";                  cli->close();
+	}
+    }
+
+    return 0;
+}
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[PATCH v2 6/8] tools/tests: Allow a test subdir to have `install' and `uninstall' targets

[Ian Jackson]

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
---
v2: New patch
---
 tools/tests/Makefile             | 7 ++-----
 tools/tests/depriv/Makefile      | 2 ++
 tools/tests/mce-test/Makefile    | 2 ++
 tools/tests/mem-sharing/Makefile | 2 ++
 tools/tests/xen-access/Makefile  | 2 ++
 tools/tests/xenstore/Makefile    | 2 ++
 6 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/tools/tests/Makefile b/tools/tests/Makefile
index f6942a9..26c46b4 100644
--- a/tools/tests/Makefile
+++ b/tools/tests/Makefile
@@ -13,11 +13,8 @@ endif
 SUBDIRS-$(CONFIG_X86) += x86_emulator
 SUBDIRS-y += xen-access
 SUBDIRS-y += xenstore
+SUBDIRS-y += depriv
 SUBDIRS-$(CONFIG_HAS_PCI) += vpci
 
 .PHONY: all clean install distclean uninstall
-all clean distclean: %: subdirs-%
-
-install:
-
-uninstall:
+all clean distclean install uninstall: %: subdirs-%
diff --git a/tools/tests/depriv/Makefile b/tools/tests/depriv/Makefile
index 2af1e29..643d2c5 100644
--- a/tools/tests/depriv/Makefile
+++ b/tools/tests/depriv/Makefile
@@ -39,4 +39,6 @@ clean:
 .PHONY: distclean
 distclean: clean
 
+install uninstall:
+
 -include $(DEPS_INCLUDE)
diff --git a/tools/tests/mce-test/Makefile b/tools/tests/mce-test/Makefile
index 07a774a..1395df3 100644
--- a/tools/tests/mce-test/Makefile
+++ b/tools/tests/mce-test/Makefile
@@ -8,3 +8,5 @@ clean:
 
 distclean:
 	$(MAKE) -C tools distclean
+
+install uninstall:
diff --git a/tools/tests/mem-sharing/Makefile b/tools/tests/mem-sharing/Makefile
index 497696f..5cd96e4 100644
--- a/tools/tests/mem-sharing/Makefile
+++ b/tools/tests/mem-sharing/Makefile
@@ -27,3 +27,5 @@ memshrtool: memshrtool.o
 	$(CC) -o $@ $< $(LDFLAGS) $(LDLIBS_libxenctrl)
 
 -include $(DEPS_INCLUDE)
+
+install uninstall:
diff --git a/tools/tests/xen-access/Makefile b/tools/tests/xen-access/Makefile
index 0ca3f6f..131c9f3 100644
--- a/tools/tests/xen-access/Makefile
+++ b/tools/tests/xen-access/Makefile
@@ -28,4 +28,6 @@ distclean: clean
 xen-access: xen-access.o Makefile
 	$(CC) -o $@ $< $(LDFLAGS) $(LDLIBS_libxenctrl) $(LDLIBS_libxenguest) $(LDLIBS_libxenevtchn)
 
+install uninstall:
+
 -include $(DEPS_INCLUDE)
diff --git a/tools/tests/xenstore/Makefile b/tools/tests/xenstore/Makefile
index b37b90d..a367d88 100644
--- a/tools/tests/xenstore/Makefile
+++ b/tools/tests/xenstore/Makefile
@@ -24,4 +24,6 @@ distclean: clean
 xs-test: xs-test.o Makefile
 	$(CC) -o $@ $< $(LDFLAGS) $(LDLIBS_libxenstore)
 
+install uninstall:
+
 -include $(DEPS_INCLUDE)
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[PATCH v2 7/8] tools/tests/depriv: Install depriv-fd-checker in our private libexec directory

[Ian Jackson]

osstest is going to want to call it, and should not be expected to
fish it out of the build tree.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
---
v2: New patch
---
 tools/tests/depriv/Makefile | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/tools/tests/depriv/Makefile b/tools/tests/depriv/Makefile
index 643d2c5..11e07b7 100644
--- a/tools/tests/depriv/Makefile
+++ b/tools/tests/depriv/Makefile
@@ -23,8 +23,9 @@ LDLIBS += $(LDLIBS_libxendevicemodel)
 LDLIBS += $(LDLIBS_libxentoolcore)
 LDLIBS += $(LDLIBS_libxentoollog)
 
-TARGETS-y := depriv-fd-checker
-TARGETS := $(TARGETS-y)
+INSTALL_PRIVBIN-y += depriv-fd-checker
+INSTALL_PRIVBIN := $(INSTALL_PRIVBIN-y)
+TARGETS += $(INSTALL_PRIVBIN)
 
 .PHONY: all
 all: build
@@ -39,6 +40,12 @@ clean:
 .PHONY: distclean
 distclean: clean
 
-install uninstall:
+install: all
+	$(INSTALL_DIR) $(DESTDIR)$(LIBEXEC_BIN)
+	$(INSTALL_PROG) $(INSTALL_PRIVBIN) $(DESTDIR)$(LIBEXEC_BIN)
+
+.PHONY: uninstall
+uninstall:
+	rm -f $(addprefix $(DESTDIR)$(LIBEXEC_BIN)/, $(INSTALL_PRIVBIN))
 
 -include $(DEPS_INCLUDE)
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[PATCH v2 8/8] tools/tests/depriv-fd-checker: Support checking of Linux tun devices

[Ian Jackson]

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
---
v2: New patch
---
 tools/tests/depriv/depriv-fd-checker.c | 36 +++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)

diff --git a/tools/tests/depriv/depriv-fd-checker.c b/tools/tests/depriv/depriv-fd-checker.c
index 67a3674..e57390f 100644
--- a/tools/tests/depriv/depriv-fd-checker.c
+++ b/tools/tests/depriv/depriv-fd-checker.c
@@ -10,6 +10,7 @@
  *    privcmd gntdev evtchn     FD should be appropriate Xen control fd
  *    readonly                  FD is expected to be readonly
  *    appendonly                FD is expected to be append write only
+ #    tun                       FD is expected to be an open tun device
  *
  * In each case FD is probably a reference to an open-file stolen
  * from another process, eg by the use of fishdescriptor.
@@ -22,11 +23,14 @@
  *
  * depriv-fd-checker will perhaps print, for each triplet:
  *   CLASS checking FD INFORMATION... X-INFO
- * and in any case print, for each triplet:
+ * and in any case print, for each triplet, exactly one of:
  *   CLASS pass|fail FD INFORMATION... X-INFO
+ *   tun maybe FD IFNAME X-INFO
  *
  * "pass" means that the descriptor was restricted as expected.
  * "fail" means that the descriptor was unrestricted.
+ * "maybe" means that further information is printed, as detailed above,
+ *         and the caller should check that it is as expected
  */
 /*
  * Copyright (C)2018 Citrix Systems R&D
@@ -320,6 +324,35 @@ static void check_appendonly(void) {
     report("pass", "fcntl", mbuf);
 }
 
+#if defined(__linux__)
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <linux/if.h>
+#include <linux/if_tun.h>
+
+/* linux tun */
+
+static void setup_tun(void) { }
+static void check_tun(void) {
+    struct ifreq ifr;
+    int r;
+
+    memset(&ifr,0,sizeof(ifr));
+    r = ioctl(object_fd, TUNGETIFF, (void*)&ifr);
+    if (r<0) trouble("TUNGETIFF");
+    printf("tun maybe %d %.*s %s\n", object_fd,
+           (int)IFNAMSIZ, ifr.ifr_ifrn.ifrn_name,
+           fd_desc);
+}
+
+#define PLATFORM_CLASSES \
+    DEFCHECK(tun),
+
+#else /* !defined(__linux__) */
+#define PLATFORM_CLASSES /* empty */
+#endif
+
 /* class table and main program */
 
 #define DEFCLASS(cl) \
@@ -341,6 +374,7 @@ static const struct classinfo {
     DEFCLASS(evtchn),
     DEFCHECK(readonly),
     DEFCHECK(appendonly),
+    PLATFORM_CLASSES
     { 0 }
 };
 
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH v2 3/8] tools: xencall, xengnttab, xengntshr: Provide access to internal fds

[Roger Pau Monné]

On Mon, Jun 11, 2018 at 03:13:19PM +0100, Ian Jackson wrote:
> I want this to support my qemu depriv descriptor audit tool.
> 
> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
> CC: Andrew Cooper <andrew.cooper3@citrix.com>

Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

> diff --git a/tools/libs/call/libxencall.map b/tools/libs/call/libxencall.map
> index 2f96144..c6a0181 100644
> --- a/tools/libs/call/libxencall.map
> +++ b/tools/libs/call/libxencall.map
> @@ -17,3 +17,9 @@ VERS_1.0 {
>  		xencall_free_buffer_pages;
>  	local: *; /* Do not expose anything by default */
>  };
> +
> +VERS_1.1 {
> +	global:
> +		xencall_fd;
> +		

^ Extra newline?

Thanks, Roger.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH v2 2/8] libxc: Provide access to internal handles

[Roger Pau Monné]

On Mon, Jun 11, 2018 at 03:13:18PM +0100, Ian Jackson wrote:
> In order to support auditing of qemu depriv, my audit tool wants to
> know the fd of a privcmd handle on which it can easily make
> hypercalls.  xencall provides such a handle, but has no cooked
> facilities for making hypercalls.  So I open a libxc handle.  That
> means I need to get the privcmd fd out of the libxc handle.
> 
> ISTM that it is best to do this by providing an interface to get the
> underlying library handles for a libxc handle.  This kind of interface
> is quite common elsewhere and has not caused problems.
> 
> libxc is not a stable API so the downside risk of providing this
> access is not significant.
> 
> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
> Acked-by: Wei Liu <wei.liu2@citrix.com>

Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

Thanks.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH v2 3/8] tools: xencall, xengnttab, xengntshr: Provide access to internal fds

[Ian Jackson]

Roger Pau Monné writes ("Re: [PATCH v2 3/8] tools: xencall, xengnttab, xengntshr: Provide access to internal fds"):
> On Mon, Jun 11, 2018 at 03:13:19PM +0100, Ian Jackson wrote:
> > I want this to support my qemu depriv descriptor audit tool.
> > 
> > Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
> > CC: Andrew Cooper <andrew.cooper3@citrix.com>
> 
> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

Thanks.

> > diff --git a/tools/libs/call/libxencall.map b/tools/libs/call/libxencall.map
> > index 2f96144..c6a0181 100644
...
> > +VERS_1.1 {
> > +	global:
> > +		xencall_fd;
> > +		
> 
> ^ Extra newline?

Cor, you're eagle-eyed !  I have deleted that line.

Thanks,
Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH v2 6/8] tools/tests: Allow a test subdir to have `install' and `uninstall' targets

[Roger Pau Monné]

On Mon, Jun 11, 2018 at 03:13:22PM +0100, Ian Jackson wrote:
> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

Thanks

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH v2 7/8] tools/tests/depriv: Install depriv-fd-checker in our private libexec directory

[Roger Pau Monné]

On Mon, Jun 11, 2018 at 03:13:23PM +0100, Ian Jackson wrote:
> osstest is going to want to call it, and should not be expected to
> fish it out of the build tree.
> 
> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

Thanks

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH v2 3/8] tools: xencall, xengnttab, xengntshr: Provide access to internal fds

[Wei Liu]

On Mon, Jun 11, 2018 at 03:13:19PM +0100, Ian Jackson wrote:
> I want this to support my qemu depriv descriptor audit tool.
> 
> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
> CC: Andrew Cooper <andrew.cooper3@citrix.com>

With Roger's comment addressed:

Acked-by: Wei Liu <wei.liu2@citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH v2 6/8] tools/tests: Allow a test subdir to have `install' and `uninstall' targets

[Wei Liu]

On Mon, Jun 11, 2018 at 03:13:22PM +0100, Ian Jackson wrote:
> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

Acked-by: Wei Liu <wei.liu2@citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH v2 7/8] tools/tests/depriv: Install depriv-fd-checker in our private libexec directory

[Wei Liu]

On Mon, Jun 11, 2018 at 03:13:23PM +0100, Ian Jackson wrote:
> osstest is going to want to call it, and should not be expected to
> fish it out of the build tree.
> 
> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

Acked-by: Wei Liu <wei.liu2@citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH v2 5/8] tools/tests/depriv: New test utility for deprivilege auditing

[Wei Liu]

On Mon, Jun 11, 2018 at 03:13:21PM +0100, Ian Jackson wrote:
> I have chosen to licence this utility as LGPL-v2.1-only, similar to
> other LGPL elements of the Xen tools, because it may want to be moved
> into or combined with osstest or some other project at some point in
> the future, so it wants a licence compatible with osstest's AGPLv3+.
> 
> Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>

Acked-by: Wei Liu <wei.liu2@citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH v2 8/8] tools/tests/depriv-fd-checker: Support checking of Linux tun devices

[Wei Liu]

On Mon, Jun 11, 2018 at 03:13:24PM +0100, Ian Jackson wrote:
> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

The code looks OK. But I'm not sure how this is supposed to be used.

Wei.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH v2 8/8] tools/tests/depriv-fd-checker: Support checking of Linux tun devices

[Ian Jackson]

Wei Liu writes ("Re: [PATCH v2 8/8] tools/tests/depriv-fd-checker: Support checking of Linux tun devices"):
> On Mon, Jun 11, 2018 at 03:13:24PM +0100, Ian Jackson wrote:
> > Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
> 
> The code looks OK. But I'm not sure how this is supposed to be used.

I'm not sure what you mean.  You arrange for it to get a tun device.
It prints "tun maybe <fd> <ifname> ...".  You decide whether that
interface name is what you expected.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH v2 8/8] tools/tests/depriv-fd-checker: Support checking of Linux tun devices

[Wei Liu]

On Wed, Jun 27, 2018 at 03:07:56PM +0100, Ian Jackson wrote:
> Wei Liu writes ("Re: [PATCH v2 8/8] tools/tests/depriv-fd-checker: Support checking of Linux tun devices"):
> > On Mon, Jun 11, 2018 at 03:13:24PM +0100, Ian Jackson wrote:
> > > Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
> > 
> > The code looks OK. But I'm not sure how this is supposed to be used.
> 
> I'm not sure what you mean.  You arrange for it to get a tun device.
> It prints "tun maybe <fd> <ifname> ...".  You decide whether that
> interface name is what you expected.

OK.

Acked-by: Wei Liu <wei.liu2@citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

[PATCH v4 3/8] tools: xencall, xengnttab, xengntshr: Provide access to internal fds

[Ian Jackson]

Ian Jackson writes ("[PATCH for-4.12 v2 0/8] tools: Depriv fd checking, internal fd access"):
> This series provides the support in xen.git for auditing whether qemu
> file descriptors are deprivileged, as expected with libxl
> dm_restrict=1.

These were all acked.

However, on rebasing to current staging I had a merge conflict in
libxengnttab.map.  Here is the new version, therefore, with Roger's
R-B and Wei's A-B dropped for that reason.

Thanks,
Ian.

From f61e6ee1a2a6530dabc15eef86845210d14aa53c Mon Sep 17 00:00:00 2001
From: Ian Jackson <ian.jackson@eu.citrix.com>
Date: Fri, 4 May 2018 16:29:17 +0100
Subject: [PATCH v4 3/8] tools: xencall, xengnttab, xengntshr: Provide access
 to internal fds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I want this to support my qemu depriv descriptor audit tool.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
CC: Andrew Cooper <andrew.cooper3@citrix.com>
---
v4: Rebase onto current staging.
v3: Remove an erroneously-introduced blank line.
v2: Fix ABI breakage.
---
 tools/libs/call/core.c                |  5 +++++
 tools/libs/call/include/xencall.h     |  8 ++++++++
 tools/libs/call/libxencall.map        |  1 +
 tools/libs/gnttab/gntshr_core.c       |  6 ++++++
 tools/libs/gnttab/gnttab_core.c       |  5 +++++
 tools/libs/gnttab/include/xengnttab.h | 17 +++++++++++++++++
 tools/libs/gnttab/libxengnttab.map    |  6 ++++++
 7 files changed, 48 insertions(+)

diff --git a/tools/libs/call/core.c b/tools/libs/call/core.c
index 46ca615..57d3a33 100644
--- a/tools/libs/call/core.c
+++ b/tools/libs/call/core.c
@@ -91,6 +91,11 @@ int xencall_close(xencall_handle *xcall)
     return rc;
 }
 
+int xencall_fd(xencall_handle *xcall)
+{
+    return xcall->fd;
+}
+
 int xencall0(xencall_handle *xcall, unsigned int op)
 {
     privcmd_hypercall_t call = {
diff --git a/tools/libs/call/include/xencall.h b/tools/libs/call/include/xencall.h
index 0d09bc8..2d0c42a 100644
--- a/tools/libs/call/include/xencall.h
+++ b/tools/libs/call/include/xencall.h
@@ -74,6 +74,14 @@ xencall_handle *xencall_open(struct xentoollog_logger *logger,
 int xencall_close(xencall_handle *xcall);
 
 /*
+ * Return the fd used internally by xencall.  selecting on it is not
+ * useful.  But it could be useful for unusual use cases; perhaps,
+ * passing to other programs, calling ioctls on directly, or maybe
+ * calling fcntl.
+ */
+int xencall_fd(xencall_handle *xcall);
+
+/*
  * Call hypercalls with varying numbers of arguments.
  *
  * On success the return value of the hypercall is the return value of
diff --git a/tools/libs/call/libxencall.map b/tools/libs/call/libxencall.map
index c482195..feacee3 100644
--- a/tools/libs/call/libxencall.map
+++ b/tools/libs/call/libxencall.map
@@ -21,4 +21,5 @@ VERS_1.0 {
 VERS_1.1 {
 	global:
 		xencall_buffers_never_fault;
+		xencall_fd;
 } VERS_1.0;
diff --git a/tools/libs/gnttab/gntshr_core.c b/tools/libs/gnttab/gntshr_core.c
index 7f6bf9d..1117e29 100644
--- a/tools/libs/gnttab/gntshr_core.c
+++ b/tools/libs/gnttab/gntshr_core.c
@@ -64,6 +64,12 @@ int xengntshr_close(xengntshr_handle *xgs)
     free(xgs);
     return rc;
 }
+
+int xengntshr_fd(xengntshr_handle *xgs)
+{
+    return xgs->fd;
+}
+
 void *xengntshr_share_pages(xengntshr_handle *xcg, uint32_t domid,
                             int count, uint32_t *refs, int writable)
 {
diff --git a/tools/libs/gnttab/gnttab_core.c b/tools/libs/gnttab/gnttab_core.c
index 98f1591..bd075f8 100644
--- a/tools/libs/gnttab/gnttab_core.c
+++ b/tools/libs/gnttab/gnttab_core.c
@@ -75,6 +75,11 @@ int xengnttab_close(xengnttab_handle *xgt)
     return rc;
 }
 
+int xengnttab_fd(xengnttab_handle *xgt)
+{
+    return xgt->fd;
+}
+
 int xengnttab_set_max_grants(xengnttab_handle *xgt, uint32_t count)
 {
     return osdep_gnttab_set_max_grants(xgt, count);
diff --git a/tools/libs/gnttab/include/xengnttab.h b/tools/libs/gnttab/include/xengnttab.h
index 35be6c1..91d4cd5 100644
--- a/tools/libs/gnttab/include/xengnttab.h
+++ b/tools/libs/gnttab/include/xengnttab.h
@@ -149,6 +149,15 @@ xengnttab_handle *xengnttab_open(struct xentoollog_logger *logger,
  */
 int xengnttab_close(xengnttab_handle *xgt);
 
+
+/*
+ * Return the fd used internally by xengnttab.  selecting on it is not
+ * useful.  But it could be useful for unusual use cases; perhaps,
+ * passing to other programs, calling ioctls on directly, or maybe
+ * calling fcntl.
+ */
+int xengnttab_fd(xengnttab_handle *xgt);
+
 /**
  * Memory maps a grant reference from one domain to a local address range.
  * Mappings should be unmapped with xengnttab_unmap.  Logs errors.
@@ -334,6 +343,14 @@ xengntshr_handle *xengntshr_open(struct xentoollog_logger *logger,
  */
 int xengntshr_close(xengntshr_handle *xgs);
 
+/*
+ * Return the fd used internally by xengntshr.  selecting on it is not
+ * useful.  But it could be useful for unusual use cases; perhaps,
+ * passing to other programs, calling ioctls on directly, or maybe
+ * calling fcntl.
+ */
+int xengntshr_fd(xengntshr_handle *xgs);
+
 /**
  * Allocates and shares pages with another domain.
  *
diff --git a/tools/libs/gnttab/libxengnttab.map b/tools/libs/gnttab/libxengnttab.map
index f78da22..d5da388 100644
--- a/tools/libs/gnttab/libxengnttab.map
+++ b/tools/libs/gnttab/libxengnttab.map
@@ -26,3 +26,9 @@ VERS_1.1 {
     global:
         xengnttab_grant_copy;
 } VERS_1.0;
+
+VERS_1.2 {
+    global:
+		xengnttab_fd;
+		xengntshr_fd;
+} VERS_1.1;
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH v4 3/8] tools: xencall, xengnttab, xengntshr: Provide access to internal fds

[Roger Pau Monné]

On Wed, Jul 04, 2018 at 05:26:54PM +0100, Ian Jackson wrote:
> Ian Jackson writes ("[PATCH for-4.12 v2 0/8] tools: Depriv fd checking, internal fd access"):
> > This series provides the support in xen.git for auditing whether qemu
> > file descriptors are deprivileged, as expected with libxl
> > dm_restrict=1.
> 
> These were all acked.
> 
> However, on rebasing to current staging I had a merge conflict in
> libxengnttab.map.  Here is the new version, therefore, with Roger's
> R-B and Wei's A-B dropped for that reason.
> 
> Thanks,
> Ian.
> 
> From f61e6ee1a2a6530dabc15eef86845210d14aa53c Mon Sep 17 00:00:00 2001
> From: Ian Jackson <ian.jackson@eu.citrix.com>
> Date: Fri, 4 May 2018 16:29:17 +0100
> Subject: [PATCH v4 3/8] tools: xencall, xengnttab, xengntshr: Provide access
>  to internal fds
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
> 
> I want this to support my qemu depriv descriptor audit tool.
> 
> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
> CC: Andrew Cooper <andrew.cooper3@citrix.com>

Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH v4 3/8] tools: xencall, xengnttab, xengntshr: Provide access to internal fds

[Wei Liu]

On Wed, Jul 04, 2018 at 05:26:54PM +0100, Ian Jackson wrote:
> Ian Jackson writes ("[PATCH for-4.12 v2 0/8] tools: Depriv fd checking, internal fd access"):
> > This series provides the support in xen.git for auditing whether qemu
> > file descriptors are deprivileged, as expected with libxl
> > dm_restrict=1.
> 
> These were all acked.
> 
> However, on rebasing to current staging I had a merge conflict in
> libxengnttab.map.  Here is the new version, therefore, with Roger's
> R-B and Wei's A-B dropped for that reason.
> 
> Thanks,
> Ian.
> 
> From f61e6ee1a2a6530dabc15eef86845210d14aa53c Mon Sep 17 00:00:00 2001
> From: Ian Jackson <ian.jackson@eu.citrix.com>
> Date: Fri, 4 May 2018 16:29:17 +0100
> Subject: [PATCH v4 3/8] tools: xencall, xengnttab, xengntshr: Provide access
>  to internal fds
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
> 
> I want this to support my qemu depriv descriptor audit tool.
> 
> Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
> CC: Andrew Cooper <andrew.cooper3@citrix.com>


Acked-by: Wei Liu <wei.liu2@citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel