We need to restrict *all* the control fds that qemu opens. Looking in
/proc/PID/fd shows there are many; their allocation seems scattered
throughout Xen support code in qemu.
We must postpone the restrict call until roughly the same time as qemu
changes its uid, chroots (if applicable), and so on
Anthony PERARD writes ("Re: [PATCH 05/16] xen: defer call to xen_restrict until
just before os_setup_post"):
> I think this include is not needed anymore, and can go away from the
> patch series.
Yes.
Thanks,
Ian.
On Thu, Apr 19, 2018 at 05:45:08PM +0100, Ian Jackson wrote:
> diff --git a/stubs/xen-hvm.c b/stubs/xen-hvm.c
> index 0067bcc..7787ea2 100644
> --- a/stubs/xen-hvm.c
> +++ b/stubs/xen-hvm.c
> @@ -13,6 +13,7 @@
> #include "hw/xen/xen.h"
> #include "exec/memory.h"
> #include "qapi/qapi-commands-mi
On Thu, Apr 19, 2018 at 05:45:08PM +0100, Ian Jackson wrote:
> We need to restrict *all* the control fds that qemu opens. Looking in
> /proc/PID/fd shows there are many; their allocation seems scattered
> throughout Xen support code in qemu.
>
> We must postpone the restrict call until roughly th
We need to restrict *all* the control fds that qemu opens. Looking in
/proc/PID/fd shows there are many; their allocation seems scattered
throughout Xen support code in qemu.
We must postpone the restrict call until roughly the same time as qemu
changes its uid, chroots (if applicable), and so on
