Re: [Xen-devel] [PATCH 3/3] xen/privcmd: add IOCTL_PRIVCMD_RESTRICT

2017-02-09 Thread Paul Durrant
<jgr...@suse.com>; linux- > ker...@vger.kernel.org > Subject: Re: [Xen-devel] [PATCH 3/3] xen/privcmd: add > IOCTL_PRIVCMD_RESTRICT > > >>> On 09.02.17 at 15:17, <paul.durr...@citrix.com> wrote: > > @@ -666,6 +680,20 @@ static long privcmd_ioctl_dm_op(void __user > *u

Re: [Xen-devel] [PATCH 3/3] xen/privcmd: add IOCTL_PRIVCMD_RESTRICT

2017-02-09 Thread Jan Beulich
>>> On 09.02.17 at 15:17, wrote: > @@ -666,6 +680,20 @@ static long privcmd_ioctl_dm_op(void __user *udata) > return rc; > } > > +static long privcmd_ioctl_restrict(struct file *file, void __user *udata) > +{ > + struct privcmd_data *data =

[Xen-devel] [PATCH 3/3] xen/privcmd: add IOCTL_PRIVCMD_RESTRICT

2017-02-09 Thread Paul Durrant
The purpose of this ioctl is to allow a user of privcmd to restrict its operation such that it will no longer service arbitrary hypercalls via IOCTL_PRIVCMD_HYPERCALL, and will check for a matching domid when servicing IOCTL_PRIVCMD_DM_OP. The aim of this is to limit the attack surface for a