From 1c599472b02783ee80691bfdaa465af9fbf25c8a Mon Sep 17 00:00:00 2001
From: Paul Durrant
Date: Wed, 22 Mar 2017 09:39:15 +0000
Subject: xen: use libxendevice model to restrict operations

This patch adds a command-line option (-xen-domid-restrict) which will use the new libxendevicemodel API to restrict devicemodel [1] operations to the specified domid. (Such operations are not applicable to the xenpv machine type).

This patch also adds a tracepoint to allow successful enabling of the restriction to be monitored.

[1] I.e. operations issued by libxendevicemodel. Operation issued by other xen libraries (e.g. libxenforeignmemory) are currently still unrestricted but this will be rectified by subsequent patches.

Signed-off-by: Paul Durrant
Reviewed-by: Stefano Stabellini
---
 include/hw/xen/xen.h        |  1 +
 include/hw/xen/xen_common.h | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+)
 (limited to 'include/hw/xen')

diff --git a/include/hw/xen/xen.h b/include/hw/xen/xen.h
index 2b1733b747..7efcdaa8fe 100644
--- a/include/hw/xen/xen.h
+++ b/include/hw/xen/xen.h
@@ -21,6 +21,7 @@ enum xen_mode {
 extern uint32_t xen_domid;
 extern enum xen_mode xen_mode;
+extern bool xen_domid_restrict;
 extern bool xen_allowed;
diff --git a/include/hw/xen/xen_common.h b/include/hw/xen/xen_common.h
index fa990a07c0..0fcbba8c54 100644
--- a/include/hw/xen/xen_common.h
+++ b/include/hw/xen/xen_common.h
@@ -151,6 +151,13 @@ static inline int xendevicemodel_set_mem_type(
     return xc_hvm_set_mem_type(dmod, domid, mem_type, first_pfn, nr);
 }
+static inline int xendevicemodel_restrict(
+    xendevicemodel_handle *dmod, domid_t domid)
+{
+    errno = ENOTTY;
+    return -1;
+}
+
 #else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40900 */
 #undef XC_WANT_COMPAT_DEVICEMODEL_API
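Review bot: The compat stub `xendevicemodel_restrict` in the xen_common.h hunk has no comment, yet its `errno = ENOTTY;` is a contract: it is the only thing that lets the caller in the following hunk treat a missing restrict capability as a no-op on toolstacks older than 4.9, and nothing in the hunk says so. A one-line comment above the function, `/* Restriction is not available before Xen 4.9: report ENOTTY so callers can treat it as unsupported. */`, ties the sentinel to the code that reads it. The unused `dmod` and `domid` parameters are acceptable for an inline stub, though `(void)dmod; (void)domid;` would keep it quiet under -Wunused-parameter if the project enables that warning.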
@@ -206,6 +213,19 @@ static inline int xen_modified_memory(domid_t domid, uint64_t first_pfn,
     return xendevicemodel_modified_memory(xen_dmod, domid, first_pfn, nr);
 }
+static inline int xen_restrict(domid_t domid)
+{
+    int rc = xendevicemodel_restrict(xen_dmod, domid);
+
+    trace_xen_domid_restrict(errno);
+
+    if (errno == ENOTTY) {
+        return 0;
+    }
+
+    return rc;
+}
+
 /* Xen 4.2 through 4.6 */
 #if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40701
-- 
cgit v1.2.3-55-g7522
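Review bot: `xen_restrict` masks ENOTTY in every build, not only under the compat stub, so with a real libxendevicemodel (CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40900) a kernel privcmd driver that lacks the restrict ioctl would presumably also yield ENOTTY and the function reports success: the user asked for -xen-domid-restrict, gets no restriction, and the tracepoint is the only evidence. If the fallback is meant solely for the stub in the preceding hunk, it is safer to fail closed here (return `rc` unconditionally on the >= 40900 side) or at least to state the assumption in a comment above the check, e.g. `/* ENOTTY means this toolstack cannot restrict; treat as a no-op. */`. Separately, `errno` is read even when `rc` is 0, so the trace argument is a stale value on success and a stale ENOTTY is indistinguishable from a genuine one; `if (rc < 0 && errno == ENOTTY) {` keeps the fallback while only consulting errno after a failure, and the trace could pass `rc < 0 ? errno : 0` for the same reason.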