On 09/24/2018 09:20 AM, Paul Durrant wrote:
>> -----Original Message-----
>> From: Xen-devel [mailto:xen-devel-boun...@lists.xenproject.org] On Behalf
>> Of George Dunlap
>> Sent: 21 September 2018 18:04
>> To: xen-devel@lists.xenproject.org
>> Cc: Anthony Perard <anthony.per...@citrix.com>; Ian Jackson
>> <ian.jack...@citrix.com>; Wei Liu <wei.l...@citrix.com>; George Dunlap
>> <george.dun...@citrix.com>
>> Subject: [Xen-devel] [PATCH v2 3/6] tools/dm_restrict: Ask QEMU to chroot
>>
>> When dm_restrict is enabled, ask QEMU to chroot into an empty directory.
>>
>> * Create /var/run/qemu/root-domid (deleting the old one if it's there)
>> * Pass the -chroot option to QEMU
>>
>> Rather than running `rm -rf` on the directory before creating it
>> (since there is no library function to do this), simply rmdir the
>> directory, relying on the fact that the previous QEMU instance, if
>> properly restcirted, shouldn't have been able to write anything
>
> ^ typo... 'restricted'
Oops -- fixed, thanks.

>> diff --git a/docs/designs/qemu-deprivilege.md b/docs/designs/qemu-
>> deprivilege.md
>> index 1e731c16aa..df5bb07d7c 100644
>> --- a/docs/designs/qemu-deprivilege.md
>> +++ b/docs/designs/qemu-deprivilege.md
>> @@ -58,12 +58,6 @@ FIXME: Double-check the correctness of the above
>>
>> '''Testing status''': Tested
>>
>> -# Restrictions / improvements still to do
>> -
>> -This lists potential restrictions still to do. It is meant to be
>> -listed in order of ease of implementation, with low-hanging fruit
>> -first.
>> -
>> ## Chroot
>>
>> '''Description''': Qemu runs in its own chroot, such that even if it
>> @@ -81,6 +75,12 @@ Then adds the following to the qemu command-line:
>>
>> '''Tested''': Not tested
>
> ^ should this change to 'tested' now?

I sort of went back and forth here between whether this should mean 'a test is available' (i.e., depriv-process-checker.sh checks it) and 'this is actively being tested' (i.e., by osstest). Here I ended up going with the second option, but that makes a weird dependency between xen.git and osstest. One option, I suppose, would be to change this to "Test implemented" or something.

-George

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
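Review bot: Deleting the "Restrictions / improvements still to do" heading and its three-line introduction in the first hunk (@@ -58,12 +58,6 @@) promotes everything that follows it, not only Chroot, into the implemented list unless the heading is re-inserted below the Chroot section; the +75,12 count on the following hunk shows six lines added there, matching the six removed here, but those lines are missing from the quoted excerpt, so confirm that the heading (and its "low-hanging fruit first" ordering note) reappears directly after Chroot's last field.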
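Review bot: In the second hunk (@@ -81,6 +75,12 @@) the `'''Tested''': Not tested` line is carried as unchanged context even though the patch now files Chroot under the implemented restrictions, so the status should be updated in the same patch (Paul's point above); while touching it, use the field name the preceding section uses, `'''Testing status''': ...`, instead of `'''Tested''': ...`, so the per-restriction fields stay uniform and greppable. The six lines this hunk adds are cut from the quoted excerpt, so the rest of it cannot be reviewed from this mail.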