
Re: [Xen-devel] [PATCH v2] passthrough: give XEN_DOMCTL_test_assign_device more sane semantics


  • To: Jan Beulich <JBeulich@xxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Date: Fri, 23 Jun 2017 12:49:32 -0400
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Julien Grall <julien.grall@xxxxxxx>
  • Delivery-date: Fri, 23 Jun 2017 16:49:44 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 06/23/2017 11:00 AM, Jan Beulich wrote:
> So far callers of the libxc interface passed in a domain ID which was
> then ignored in the hypervisor. Instead, make the hypervisor honor it
> (accepting DOMID_INVALID to obtain original behavior), allowing to
> query whether a device can be assigned to a particular domain.
>
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> ---
> v2: Alter the semantics to check whether the device can be assigned to
>      the passed in domain.
> TBD: It's not clear to me whether the test-assign XSM hooks are still
>       useful this way.

As long as the only user of this hypercall is the device assignment
path, I would remove the XSM hook for test_assign and use the
assign_device hook for both test and actual.  That way, if XSM is
actually preventing the assignment, you will get the same AVC denials as
if you tried without doing the test first.  The hook should just skip the
two checks relating to (d) if it is null.

If this test hypercall were to be used as part of a query (such as
populating a list of assignable devices by trying all PCI devices listed
via sysfs), then it would make sense to have either a different hook or
a flag in the XSM hook to silence the audit messages since you aren't
actually trying to do the assignment yet.  That change will make the
cause of the "can't assign" error harder to diagnose, however, so unless
it's being used like that I don't think it's a good idea.
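
The single-hook arrangement suggested in this reply, as an added example that is not part of the original message and is not Xen's XSM/FLASK code: one hook serves both the test and the real assignment, so both emit the same denial record, and a NULL domain skips the two domain-related checks. The struct, the function names, the permission strings and the sample device number are all hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical policy model, not Xen's real XSM/FLASK structures. */
struct domain {
    int id;
    int caller_may_add;   /* caller may add resources to this domain */
    int may_use_device;   /* this domain may use the device */
};

static int denials;       /* number of audit records emitted so far */

/* Emit an AVC-style denial record (constructed format) when a check fails. */
static int check(int allowed, const char *perm, int domid, unsigned int bdf)
{
    if (allowed)
        return 0;
    denials++;
    fprintf(stderr, "avc: denied { %s } domid=%d device=%#x\n", perm, domid, bdf);
    return -EPERM;
}

/*
 * Single hook for both "test assign" and "assign".
 * d == NULL models a query with no target domain: the two checks that
 * involve d are skipped and only the caller-vs-device check remains.
 */
static int assign_device_hook(const struct domain *d, unsigned int bdf,
                              int caller_may_add_device)
{
    int rc;

    if (d && (rc = check(d->caller_may_add, "add", d->id, bdf)) != 0)
        return rc;
    rc = check(caller_may_add_device, "add_device", d ? d->id : -1, bdf);
    if (rc)
        return rc;
    return d ? check(d->may_use_device, "use", d->id, bdf) : 0;
}

int main(void)
{
    struct domain guest = { 5, 1, 0 };   /* constructed: "use" is denied */

    int test_rc = assign_device_hook(&guest, 0x0300, 1);  /* test first */
    int real_rc = assign_device_hook(&guest, 0x0300, 1);  /* then assign */
    printf("test=%d real=%d denials=%d\n", test_rc, real_rc, denials);
    return 0;
}
```

Both calls log the same `use` denial, which is what lets an administrator diagnose a failed test the same way as a failed assignment.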
