Re: Linux xenfs vs privcmd
On 08.10.25 15:33, Andrew Cooper wrote:
> Hello,
>
> I'm doing a deployment of Xen on a remote system provisioned with Ubuntu
> 24.04, and I've found what I'm pretty sure is a bug.
>
> In dom0, to start with:
>
> user@host:~$ ls -la /dev/xen/
> total 0
> drwxr-xr-x  2 root root     140 Oct  8 20:04 .
> drwxr-xr-x 18 root root    4620 Oct  8 20:04 ..
> crw-------  1 root root 10, 120 Oct  8 20:04 evtchn
> crw-------  1 root root 10, 118 Oct  8 20:04 gntalloc
> crw-------  1 root root 10, 119 Oct  8 20:04 gntdev
> crw-------  1 root root 10, 124 Oct  8 20:04 xenbus
> crw-------  1 root root 10, 123 Oct  8 20:04 xenbus_backend
> user@host:~$ ls -la /proc/xen/
> total 0
> dr-xr-xr-x   2 root root 0 Oct  8 20:04 .
> dr-xr-xr-x 326 root root 0 Oct  8 20:04 ..
>
> i.e. no /dev/xen/privcmd. It turns out that mounting xenfs causes it to
> appear:
>
> user@host:~$ sudo systemctl start proc-xen.mount
> user@host:~$ ls -la /dev/xen/
> total 0
> drwxr-xr-x  2 root root     180 Oct  8 20:05 .
> drwxr-xr-x 18 root root    4620 Oct  8 20:04 ..
> crw-------  1 root root 10, 120 Oct  8 20:04 evtchn
> crw-------  1 root root 10, 118 Oct  8 20:04 gntalloc
> crw-------  1 root root 10, 119 Oct  8 20:04 gntdev
> crw-------  1 root root 10, 115 Oct  8 20:05 hypercall
> crw-------  1 root root 10, 116 Oct  8 20:05 privcmd
> crw-------  1 root root 10, 124 Oct  8 20:04 xenbus
> crw-------  1 root root 10, 123 Oct  8 20:04 xenbus_backend
> user@host:~$ ls -la /proc/xen/
> total 0
> drwxr-xr-x   2 root root 0 Oct  8 20:05 .
> dr-xr-xr-x 315 root root 0 Oct  8 20:04 ..
> -r--r--r--   1 root root 0 Oct  8 20:05 capabilities
> -rw-------   1 root root 0 Oct  8 20:05 privcmd
> -rw-------   1 root root 0 Oct  8 20:05 xenbus
> -r--------   1 root root 0 Oct  8 20:05 xensyms
> -rw-------   1 root root 0 Oct  8 20:05 xsd_kva
> -rw-------   1 root root 0 Oct  8 20:05 xsd_port
>
> For good measure, I checked unmounting xenfs:
>
> user@host:~$ sudo umount /proc/xen
> user@host:~$ ls -la /dev/xen/
> total 0
> drwxr-xr-x  2 root root     180 Oct  8 20:05 .
> drwxr-xr-x 18 root root    4620 Oct  8 20:04 ..
> crw-------  1 root root 10, 120 Oct  8 20:04 evtchn
> crw-------  1 root root 10, 118 Oct  8 20:04 gntalloc
> crw-------  1 root root 10, 119 Oct  8 20:04 gntdev
> crw-------  1 root root 10, 115 Oct  8 20:05 hypercall
> crw-------  1 root root 10, 116 Oct  8 20:05 privcmd
> crw-------  1 root root 10, 124 Oct  8 20:04 xenbus
> crw-------  1 root root 10, 123 Oct  8 20:04 xenbus_backend
> user@host:~$ ls -la /proc/xen/
> total 0
> dr-xr-xr-x   2 root root 0 Oct  8 20:04 .
> dr-xr-xr-x 291 root root 0 Oct  8 20:04 ..
>
> and /dev/xen/privcmd stayed.
>
> Anyway - /dev/xen/privcmd (and /hypercall) shouldn't be tied to xenfs.
> They should be SIF_PRIVILEGED alone, should they not?

I don't think they should be tied to SIF_PRIVILEGED, as device model ops
are handled via the privcmd driver, too.

TBH I have no idea why there is a direct connection to xenfs. Did you try
to modprobe privcmd without mounting xenfs?

I guess the connection is that the capabilities in /proc/xen/capabilities
are tested to contain "control_d", resulting in the privcmd driver to be
loaded.

Juergen