xen: hvm: restrict handles to only be able to operate on target domain

Combined with running as non-root after initialisation this should
limit the damage which a compromised qemu process can do.

Several things TBD:
- When to do this (only with runas?)
- Behaviour if we cannot lock down (warn vs exit, configurable)
- How best to structure the above without massive code duplication.
- Foreign memory handle is opened in common code but locked down in
  xen-hvm, which seems like a dangerous separation of duties (i.e.
  something might get moved and/or forgotten).

Only the handles opened/used by QEMU running as an HVM DM are handled.
In particular, handles used as a backend are not locked down; in any
case they need to have the privilege of the backend domain (i.e. the
current one containing the QEMU process), not the frontend, so there
is not much to restrict.

NB gnttab is not used by HVM DM (only by PV backends), so it is not
handled here at all.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>