On Mon, Oct 09, 2017 at 05:01:37PM +0100, Ian Jackson wrote:
> We need to restrict *all* the control fds that qemu opens. Looking in
> /proc/PID/fd shows there are many; their allocation seems scattered
> throughout Xen support code in qemu.
>
> We must postpone the restrict call until roughly the same time as qemu
> changes its uid, chroots (if applicable), and so on.
>
> There doesn't seem to be an appropriate hook already. The RunState
> change hook fires at different times depending on exactly what mode
> qemu is operating in.
>
> And it appears that no-one but the Xen code wants a hook at this phase
> of execution. So, introduce a bare call to a new function
> xen_setup_post, just before os_setup_post. Also provide the
> appropriate stub for when Xen compilation is disabled.
>
> We do the restriction before rather than after os_setup_post, because
> xen_restrict may need to open /dev/null, and os_setup_post might have
> called chroot.
>
> Signed-off-by: Ian Jackson <ian.jack...@eu.citrix.com>

Reviewed-by: Anthony PERARD <anthony.per...@citrix.com>

--
Anthony PERARD

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel