www.infradead.org Git - users/jedix/linux-maple.git/commit

author	David Vrabel <david.vrabel@citrix.com>
	Mon, 11 Jul 2016 14:45:51 +0000 (15:45 +0100)
committer	Bob Liu <bob.liu@oracle.com>
	Thu, 20 Oct 2016 08:01:37 +0000 (04:01 -0400)
commit	87eef0f91431818fad309a224d3de357bf70e7bf
tree	f2c84d746bbea77eb9f5793454aed5474450c245	tree
parent	0b8f9a566734effa2d425ceb8971b664fc0ad383	commit \| diff

xen/evtchn: add IOCTL_EVTCHN_RESTRICT

IOCTL_EVTCHN_RESTRICT limits the file descriptor to being able to bind
to interdomain event channels from a specific domain. Event channels
that are already bound continue to work for sending and receiving
notifications.

This is useful as part of deprivileging a user space PV backend or
device model (QEMU). e.g., Once the device model as bound to the
ioreq server event channels it can restrict the file handle so an
exploited DM cannot use it to create or bind to arbitrary event
channels.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
(cherry picked from commit fbc872c38c8fed31948c85683b5326ee5ab9fccc)
Signed-off-by: Bob Liu <bob.liu@oracle.com>
Orabug: 24820937

drivers/xen/evtchn.c		diff \| blob \| history
include/uapi/xen/evtchn.h		diff \| blob \| history