[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 3/8] xen: defer call to xen_restrict until after
From: |
Ian Jackson |
Subject: |
Re: [Qemu-devel] [PATCH 3/8] xen: defer call to xen_restrict until after os_setup_post |
Date: |
Mon, 9 Oct 2017 17:58:17 +0100 |
(My resend has crossed with your review. Sorry about that.)
Anthony PERARD writes ("Re: [PATCH 3/8] xen: defer call to xen_restrict until
after os_setup_post"):
> On Wed, Oct 04, 2017 at 05:18:06PM +0100, Ian Jackson wrote:
> > +void xen_setup_post(void)
> > +{
> > + int rc;
>
> We probably want to check here if Xen is enable (via xen_enabled()).
> xen_domid_restrict could be true when Xen is not used, even if it does
> not make sense to use -xen-domid-restrict in that case.
Should -xen-domid-restrict without xen_enabled() not fail ? IMO it is
normally better for an option which requests enhanced security to fail
when it can't do its job, rather than just hoping that its
inapplicability is intentional.
OTOH I suppose there is an argument that without xen_enabled() the
function of -xen-domid-restrict is achieved, in that without
xen_enabled() qemu is unable (after dropping privileges) to act on
Xen domains at all...
Thanks,
Ian.
- Re: [Qemu-devel] [PATCH 7/8] os-posix: Provide new -runasid option, (continued)
[Qemu-devel] [PATCH 3/8] xen: defer call to xen_restrict until after os_setup_post, Ian Jackson, 2017/10/04
[Qemu-devel] [PATCH 5/8] xen: move xc_interface compatibility fallback further up the file, Ian Jackson, 2017/10/04
[Qemu-devel] [PATCH 2/8] xen: restrict: use xentoolcore_restrict_all, Ian Jackson, 2017/10/04
[Qemu-devel] [PATCH 4/8] xen: destroy_hvm_domain: Move reason into a variable, Ian Jackson, 2017/10/04
[Qemu-devel] [PATCH 8/8] RFC configure: do_compiler: Dump some extra info under bash, Ian Jackson, 2017/10/04
[Qemu-devel] [PATCH 6/8] xen: destroy_hvm_domain: Try xendevicemodel_shutdown, Ian Jackson, 2017/10/04
Re: [Qemu-devel] [PATCH v2 0/*] xen: xen-domid-restrict improvements, Ross Lagerwall, 2017/10/06