*/
#include <stdlib.h>
+#include <errno.h>
#include "private.h"
return rc;
}
+int xencall_restrict_target(xencall_handle *xcall, uint32_t domid)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
int xencall0(xencall_handle *xcall, unsigned int op)
{
privcmd_hypercall_t call = {
*/
int xencall_close(xencall_handle *xcall);
+/*
+ * Attempt to restrict the given xcall handle to only be able to
+ * target the given domain.
+ *
+ * On success returns 0, after which only hypercalls which are on a
+ * platform specific whitelist can be called and the arguments will be
+ * audited by the platform to ensure that the target domain is
+ * domid.
+ *
+ * Subsequent attempts to call any hypercall not on the platform
+ * specific whitelist will return -1 setting errno to ENOSYS.
+ *
+ * Subsequent attempts to call any hypercall on the platform specific
+ * whitelist with any other target domain return -1 setting errno to
+ * EPERM.
+ *
+ * These restrictions will be implemented by the platform in a way
+ * which cannot be circumvented by a userspace process. Further
+ * privilege drops (such as using setuid(2) etc) may also be required
+ * to prevent a compromised process from simply opening a second
+ * handle
+ *
+ * XXX which hypercalls are restricted, per platform list, do we need
+ * a way to probe? Do we want to be able to restrict to particular
+ * subsets of whitelisted hypercalls?
+ *
+ * On failure returns -1 and sets errno:
+ * ENOSYS: The platform is not able to support restricting the
+ * target domain.
+ * Other: The platform should be able to support restricting the
+ * target domain, but was unable to do so.
+ */
+int xencall_restrict_target(xencall_handle *xcall, uint32_t domid);
+
/*
* Call hypercalls with varying numbers of arguments.
*
xencall_open;
xencall_close;
+ xencall_restrict_target;
+
xencall0;
xencall1;
xencall2;
#include <unistd.h>
#include <stdlib.h>
+#include <errno.h>
#include "private.h"
return rc;
}
+int xenevtchn_restrict_target(xenevtchn_handle *xce, uint32_t domid)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
/*
* Local variables:
* mode: C
*/
int xenevtchn_close(xenevtchn_handle *xce);
+/*
+ * Attempt to restrict the given evtchn handle to only operate on the
+ * given domain.
+ *
+ * On success returns 0, after which:
+ *
+ * - Any operations which take a peer domain as an argument can only
+ * be called with the specified target domain. Subsequent attempts
+ * to call any such interface with another domain will return -1
+ * setting errno to EPERM.
+ *
+ * - Any operations which take an evtchn_port_t are not restricted
+ * other than by the requirement to have previously bound that
+ * evtchn to the handle. Therefore users of the restrict interface
+ * should take care not to bind any event channels relating to other
+ * domains prior to enforcing the restriction. The restrictions on
+ * xenevtchn_bind_*() (which take a domain id, see previous point)
+ * suffice to prevent any new such bindings being created.
+ *
+ * - xenevtchn_bind_virq is not permitted and will return -1 setting
+ * errno to EPERM.
+ *
+ * These restrictions will be implemented by the platform in a way
+ * which cannot be circumvented by a userspace process. Further
+ * privilege drops (such as using setuid(2) etc) may also be required
+ * to prevent a compromised process from simply opening a second
+ * handle
+ *
+ * On failure returns -1 and sets errno:
+ * ENOSYS: The platform is not able to support restricting the
+ * target domain.
+ * Other: The platform should be able to support restricting the
+ * target domain, but was unable to do so.
+ */
+int xenevtchn_restrict_target(xenevtchn_handle *xce, uint32_t domid);
+
/*
* Return an fd that can be select()ed on.
*
xenevtchn_open;
xenevtchn_close;
+ xenevtchn_restrict_target;
+
xenevtchn_fd;
xenevtchn_bind_unbound_port;
return rc;
}
+int xenforeignmemory_restrict_target(xenforeignmemory_handle *fmem,
+ uint32_t domid)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
void *xenforeignmemory_map(xenforeignmemory_handle *fmem,
uint32_t dom, int prot,
size_t num,
*/
int xenforeignmemory_close(xenforeignmemory_handle *fmem);
+/*
+ * Attempt to restrict the given handle to only target the given
+ * domain.
+ *
+ * On success returns 0, after which calls to xenforeignmemory_map
+ * which pass a domain other than the given domain will return -1
+ * setting errno to EPERM.
+ *
+ * This restriction will be implemented by the platform in a way which
+ * cannot be circumvented by a userspace process. Further privilege
+ * drops (such as using setuid(2) etc) may also be required to prevent
+ * a compromised process from simply opening a second handle
+ *
+ * On failure returns -1 and sets errno:
+ * ENOSYS: The platform is not able to support restricting the
+ * target domain.
+ * Other: The platform should be able to support restricting the
+ * target domain, but was unable to do so.
+ */
+int xenforeignmemory_restrict_target(xenforeignmemory_handle *fmem,
+ uint32_t domid);
+
/*
* Maps a range within one domain to a local address range. Mappings
* must be unmapped with xenforeignmemory_unmap and should follow the
global:
xenforeignmemory_open;
xenforeignmemory_close;
+
+ xenforeignmemory_restrict_target;
+
xenforeignmemory_map;
xenforeignmemory_unmap;
local: *; /* Do not expose anything by default */
*/
#include <stdlib.h>
+#include <errno.h>
#include "private.h"
free(xgs);
return rc;
}
+
+int xengntshr_restrict_target(xengntshr_handle *xgs, uint32_t domid)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
void *xengntshr_share_pages(xengntshr_handle *xcg, uint32_t domid,
int count, uint32_t *refs, int writable)
{
*/
#include <stdlib.h>
+#include <errno.h>
#include "private.h"
return rc;
}
+int xengnttab_restrict_target(xengnttab_handle *xgt, uint32_t domid)
+{
+ errno = ENOSYS;
+ return -1;
+}
+
int xengnttab_set_max_grants(xengnttab_handle *xgt, uint32_t count)
{
return osdep_gnttab_set_max_grants(xgt, count);
*/
int xengnttab_close(xengnttab_handle *xgt);
+/*
+ * Attempt to restrict the given handle to only target the given
+ * domain.
+ *
+ * On success returns 0, after which:
+ *
+ * - Calls to xengnttab_map_*() which are passed a domain other than
+ * the given domain (either as an argument or as any member of a
+ * domid array argument, regardless of the validity of other members
+ * of the array) will return -1 setting errno to EPERM.
+ *
+ * - Calls to xengnttab_set_max_grants() will return -1 having set
+ * errno to EPERM.
+ *
+ * This restriction will be implemented by the platform in a way which
+ * cannot be circumvented by a userspace process. Further privilege
+ * drops (such as using setuid(2) etc) may also be required to prevent
+ * a compromised process from simply opening a second handle
+ *
+ * On failure returns -1 and sets errno:
+ * ENOSYS: The platform is not able to support restricting the
+ * target domain.
+ * Other: The platform should be able to support restricting the
+ * target domain, but was unable to do so.
+ */
+int xengnttab_restrict_target(xengnttab_handle *xgt, uint32_t domid);
+
/**
* Memory maps a grant reference from one domain to a local address range.
* Mappings should be unmapped with xengnttab_unmap. Logs errors.
*/
int xengntshr_close(xengntshr_handle *xgs);
+/*
+ * Attempt to restrict the given handle to only target the given
+ * domain.
+ *
+ * On success returns 0, after which:
+ *
+ * - Calls to xengntshr_share_*() which are passed a domain other than
+ * the given domain will return -1 setting errno to EPERM.
+ *
+ * - Calls to xengnttab_set_max_grants() will return -1 having set
+ * errno to EPERM.
+ *
+ * This restriction will be implemented by the platform in a way which
+ * cannot be circumvented by a userspace process. Further privilege
+ * drops (such as using setuid(2) etc) may also be required to prevent
+ * a compromised process from simply opening a second handle
+ *
+ * On failure returns -1 and sets errno:
+ * ENOSYS: The platform is not able to support restricting the
+ * target domain.
+ * Other: The platform should be able to support restricting the
+ * target domain, but was unable to do so.
+ */
+int xengntshr_restrict_target(xengntshr_handle *xgs, uint32_t domid);
+
/**
* Allocates and shares pages with another domain.
*
xengnttab_open;
xengnttab_close;
+ xengnttab_restrict_target;
+
xengnttab_set_max_grants;
xengnttab_map_domain_grant_refs;
xengntshr_open;
xengntshr_close;
+ xengntshr_restrict_target;
+
xengntshr_share_page_notify;
xengntshr_share_pages;
projects / people / liuw / libxenctrl-split / xen.git / commitdiff