Jan Beulich
2008-Sep-19 13:06 UTC
[Xen-devel] [PATCH] domctl: don't allow certain operations on Dom0
XEN_DOMCTL_setvcpucontext, XEN_DOMCTL_max_vcpus, and XEN_DOMCTL_setdebugging don't seem to allow Dom0 as the subject domain (based on the criteria that they pause that domain in order to do their job). Apart from this, I wonder about the usefulness of XEN_DOMCTL_max_vcpus on a domain that was already booted - generally, I would expect OSes to be allowed to assume they know how many CPUs they might ever run on (at least Linux indeed does, by requiring that cpu_possible_map never changes).

Signed-off-by: Jan Beulich <jbeulich@novell.com>

Index: 2008-09-19/xen/common/domctl.c ==================================================================--- 2008-09-19.orig/xen/common/domctl.c 2008-09-19 13:36:28.000000000 +0200 +++ 2008-09-19/xen/common/domctl.c 2008-09-19 13:36:52.000000000 +0200 @@ -223,7 +223,8 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc goto svc_out; ret = -EINVAL; - if ( (vcpu >= MAX_VIRT_CPUS) || ((v = d->vcpu[vcpu]) == NULL) ) + if ( d == current->domain || + (vcpu >= MAX_VIRT_CPUS) || ((v = d->vcpu[vcpu]) == NULL) ) goto svc_out; if ( guest_handle_is_null(op->u.vcpucontext.ctxt) ) @@ -392,14 +393,14 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc struct domain *d; unsigned int i, max = op->u.max_vcpus.max, cpu; - ret = -EINVAL; - if ( max > MAX_VIRT_CPUS ) - break; - ret = -ESRCH; if ( (d = rcu_lock_domain_by_id(op->domain)) == NULL ) break; + ret = -EINVAL; + if ( d == current->domain || max > MAX_VIRT_CPUS ) + break; + ret = xsm_max_vcpus(d); if ( ret ) { @@ -706,6 +707,10 @@ long do_domctl(XEN_GUEST_HANDLE(xen_domc if ( d == NULL ) break; + ret = -EINVAL; + if ( d == current->domain ) + break; + ret = xsm_setdebugging(d); if ( ret ) {
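Review bot: the new `d == current->domain` test in the -223 hunk (setvcpucontext) rejects the calling domain rather than Dom0 specifically; that is the right criterion for the stated rationale (a domain cannot pause itself), but it does not match the subject line, so the description should say "the calling domain", and the condition deserves a comment, e.g. `if ( d == current->domain || /* no domain_pause() */`, because next to the vCPU range check it reads as an index sanity check rather than a deadlock guard. Exiting via `goto svc_out` is fine here, as that is the label the existing range check already uses.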
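Review bot: the new `break` after `if ( d == current->domain || max > MAX_VIRT_CPUS )` in the -392 hunk (max_vcpus) now runs after rcu_lock_domain_by_id() has succeeded, yet it leaves the case without releasing the domain, whereas the xsm_max_vcpus() failure path immediately below opens a block before breaking; unless an unlock is reached some other way this leaks the RCU reference. The `max > MAX_VIRT_CPUS` part could stay before the lookup as it was, and the self-check needs `{ rcu_unlock_domain(d); break; }` instead of a bare `break`. Also worth a line in the description: reordering the two checks changes the error returned when both the domain id and `max` are bad from -EINVAL to -ESRCH.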
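Review bot: same reference-handling concern in the -706 hunk (setdebugging): the new `if ( d == current->domain ) break;` sits after `if ( d == NULL ) break;`, i.e. after the domain lookup has taken its reference, and breaks out without dropping it, while the xsm_setdebugging() failure path below enters a block first; release the reference before breaking, or fold the test into that existing failure block. A short `/* no domain_pause() */` comment would help here too, since the check otherwise looks unrelated to toggling the debugging flag.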