On Mon, Mar 28, 2022 at 04:36:22PM -0400, Daniel P. Smith wrote:
> During domain construction under dom0less and hyperlaunch it is necessary to
> allocate at least the event channel for xenstore and potentially the event
> channel for the core console. When dom0less and hyperlaunch are doing their
> construction logic they are executing under the idle domain context. The idle
> domain is not a privileged domain, it is not the target domain, and as a result
> under the current default XSM policy is not allowed to allocate the event
> channel.
I've not been following the discussion around this patch, but I would assume such privileges are only required for init code when no other domains are running?

Since it's only at that point where the idle domain context needs to allocate event channels, would it make sense to temporarily elevate its privileges by setting d->is_privileged while doing the domain creation? That way we wouldn't need to grant those permissions for the lifetime of the host when they are only needed for initialization code.

Another option would be switching to the initial vCPU of the domain being created, but that's likely to be more complex, or even create a short-lived system domain with is_privileged set just for the purpose of building other domains.

Overall I'm not sure it's worth giving those extra privileges to the idle domain when they are just needed for a known and bounded period of time.

Thanks, Roger.