Ian Pratt
2005-Apr-15 19:09 UTC
RE: [Xen-devel] Problem when doing direct_remap_area_pages() in aprivileged user domain
> I have come accross a problem when trying to do a > direct_remap_area_pages() call in a backend driver that is > running in a privileged user domain. The call ends up with an > error code (-14 = -EFAULT). This in turn is caused by the > hypervisor call > HYPERVISOR_mmu_update() which returns an error code of -22 = > -EINVAL after failing in set_foreigndom due to not (!?!) > being privileged. The same call returns no error if run in domain-0. > However, I found the solution to fix this. I needed to make > a fake(*) PCI device available to the privileged user domain > by adding a line like pci=[''00,07,00''] to the configuration > file, because this would actually set the privileged flag for > the domain in > xen/common/physdev.c:physdev_pci_access_modify(). I wonder > whether the setting of this flag should not be moved to some > other place?Yep, we''ve had to point people at this work around before. Not nice. I''d really like to see a patch that creates a more fine grained set of privilege capabilities, and an appropriate config file option to set them. For completeness, there should be a dom0_op that enables a domain to irrevocably surrender a capability. There''s an argument that certain capabilities should be specific to a specified target domain or group of domains (we already have a domain group ID). This may be going to far in the first instance, but its worth bearing in mind while working up a patch for the former. Cheers, Ian _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel