Re: [Xen-devel] [PATCH 03/11] xen: defer call to xen_restrict until just before os_setup_post

On Fri, 9 Mar 2018, Eduardo Habkost wrote: > On Fri, Mar 09, 2018 at 12:07:21PM +, Ian Jackson wrote: > > Ian Jackson writes ("Re: [PATCH 03/11] xen: defer call to xen_restrict > > until just before os_setup_post"): > > > Eduardo Habkost writes ("Re: [PATCH 03/11] xen: defer call to > > >

Re: [Xen-devel] [PATCH 03/11] xen: defer call to xen_restrict until just before os_setup_post

On Fri, Mar 09, 2018 at 12:07:21PM +, Ian Jackson wrote: > Ian Jackson writes ("Re: [PATCH 03/11] xen: defer call to xen_restrict until > just before os_setup_post"): > > Eduardo Habkost writes ("Re: [PATCH 03/11] xen: defer call to xen_restrict > > until just before os_setup_post"): > > > I

Re: [Xen-devel] [PATCH 03/11] xen: defer call to xen_restrict until just before os_setup_post

On Fri, Mar 09, 2018 at 11:33:35AM +, Ian Jackson wrote: > Eduardo Habkost writes ("Re: [PATCH 03/11] xen: defer call to xen_restrict > until just before os_setup_post"): > > On Thu, Mar 08, 2018 at 05:39:09PM +, Ian Jackson wrote: > > [...] > > > diff --git a/vl.c b/vl.c > > > +

Re: [Xen-devel] [PATCH 03/11] xen: defer call to xen_restrict until just before os_setup_post

Ian Jackson writes ("Re: [PATCH 03/11] xen: defer call to xen_restrict until just before os_setup_post"): > Ian Jackson writes ("Re: [PATCH 03/11] xen: defer call to xen_restrict until > just before os_setup_post"): > > How about this ? > > And here's the corresponding change to the

Re: [Xen-devel] [PATCH 03/11] xen: defer call to xen_restrict until just before os_setup_post

Ian Jackson writes ("Re: [PATCH 03/11] xen: defer call to xen_restrict until just before os_setup_post"): > How about this ? And here's the corresponding change to the Xen-specific patch. From d6140681a877c4d468c4fcf5cac075cdffbea22c Mon Sep 17 00:00:00 2001 From: Ian Jackson

Re: [Xen-devel] [PATCH 03/11] xen: defer call to xen_restrict until just before os_setup_post

Ian Jackson writes ("Re: [PATCH 03/11] xen: defer call to xen_restrict until just before os_setup_post"): > Eduardo Habkost writes ("Re: [PATCH 03/11] xen: defer call to xen_restrict > until just before os_setup_post"): > > I don't think we should have accelerator-specific code in main(), > > if

Re: [Xen-devel] [PATCH 03/11] xen: defer call to xen_restrict until just before os_setup_post

Eduardo Habkost writes ("Re: [PATCH 03/11] xen: defer call to xen_restrict until just before os_setup_post"): > On Thu, Mar 08, 2018 at 05:39:09PM +, Ian Jackson wrote: > [...] > > diff --git a/vl.c b/vl.c > > +xen_setup_post(); > > I don't think we should have accelerator-specific code

Re: [Xen-devel] [PATCH 03/11] xen: defer call to xen_restrict until just before os_setup_post

On Thu, Mar 08, 2018 at 05:39:09PM +, Ian Jackson wrote: [...] > diff --git a/vl.c b/vl.c > index dae986b..e6e8e1e 100644 > --- a/vl.c > +++ b/vl.c > @@ -4719,6 +4719,7 @@ int main(int argc, char **argv, char **envp) > vm_start(); > } > > +xen_setup_post(); I don't think

[Xen-devel] [PATCH 03/11] xen: defer call to xen_restrict until just before os_setup_post

We need to restrict *all* the control fds that qemu opens. Looking in /proc/PID/fd shows there are many; their allocation seems scattered throughout Xen support code in qemu. We must postpone the restrict call until roughly the same time as qemu changes its uid, chroots (if applicable), and so