Re: [Xen-devel] [PATCH 1/2] xen: Implement ioctl to restrict privcmd to a specific domain

From: Jan Beulich
Date: Fri Aug 01 2014 - 04:27:31 EST

Next message: Joonsoo Kim: "Re: [PATCH 0/2] new API to allocate buffer-cache for superblock in non-movable area"
Previous message: Wanpeng Li: "Re: [PATCH 2/2] KVM: nVMX: fix acknowledge interrupt on exit when APICv is in use"
Next in thread: Frediano Ziglio: "Re: [Xen-devel] [PATCH 1/2] xen: Implement ioctl to restrict privcmd to a specific domain"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>>> On 31.07.14 at 15:16, <frediano.ziglio@xxxxxxxxxx> wrote:
> Add a RESTRICT ioctl to /dev/xen/privcmd, which allows privileged commands
> file descriptor to be restricted to only working with a particular domain.

The "with" here has been quite confusing, and I realized that you
mean the subject domain rather than the actor one only after
having gone through quite some parts of the patch. For a patch
this size, a little more of a description (and the original motivation)
would have helped.

Wrt motivation: Why does this need enforcing in the kernel at all?
Doesn't XSM_DM_PRIV mode deal specifically with what you're
trying to do here? Or else I guess I really need some better
explanation of what this is about.

Jan

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Joonsoo Kim: "Re: [PATCH 0/2] new API to allocate buffer-cache for superblock in non-movable area"
Previous message: Wanpeng Li: "Re: [PATCH 2/2] KVM: nVMX: fix acknowledge interrupt on exit when APICv is in use"
Next in thread: Frediano Ziglio: "Re: [Xen-devel] [PATCH 1/2] xen: Implement ioctl to restrict privcmd to a specific domain"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]