diff options
| -rw-r--r-- | accel/accel.c | 9 | ||||
| -rwxr-xr-x | configure | 33 | ||||
| -rw-r--r-- | hw/i386/xen/xen-hvm.c | 75 | ||||
| -rw-r--r-- | hw/xen/xen-common.c | 21 | ||||
| -rw-r--r-- | include/hw/xen/xen_common.h | 125 | ||||
| -rw-r--r-- | include/sysemu/accel.h | 3 | ||||
| -rw-r--r-- | os-posix.c | 91 | ||||
| -rw-r--r-- | qemu-options.hx | 3 | ||||
| -rwxr-xr-x | scripts/checkpatch.pl | 1 | ||||
| -rw-r--r-- | vl.c | 1 |
10 files changed, 242 insertions, 120 deletions
diff --git a/accel/accel.c b/accel/accel.c index 93e2434c87..9cfab115d0 100644 --- a/accel/accel.c +++ b/accel/accel.c @@ -126,6 +126,15 @@ void accel_register_compat_props(AccelState *accel) register_compat_props_array(class->global_props); } +void accel_setup_post(MachineState *ms) +{ + AccelState *accel = ms->accelerator; + AccelClass *acc = ACCEL_GET_CLASS(accel); + if (acc->setup_post) { + acc->setup_post(ms, accel); + } +} + static void register_accel_types(void) { type_register_static(&accel_type); @@ -60,6 +60,11 @@ do_compiler() { # is compiler binary to execute. local compiler="$1" shift + if test -n "$BASH_VERSION"; then eval ' + echo >>config.log " +funcs: ${FUNCNAME[*]} +lines: ${BASH_LINENO[*]}" + '; fi echo $compiler "$@" >> config.log $compiler "$@" >> config.log 2>&1 || return $? # Test passed. If this is an --enable-werror build, rerun @@ -2189,6 +2194,9 @@ if test "$xen" != "no" ; then xen=yes xen_pc="xencontrol xenstore xenguest xenforeignmemory xengnttab" xen_pc="$xen_pc xenevtchn xendevicemodel" + if $pkg_config --exists xentoolcore; then + xen_pc="$xen_pc xentoolcore" + fi QEMU_CFLAGS="$QEMU_CFLAGS $($pkg_config --cflags $xen_pc)" libs_softmmu="$($pkg_config --libs $xen_pc) $libs_softmmu" LDFLAGS="$($pkg_config --libs $xen_pc) $LDFLAGS" @@ -2218,20 +2226,41 @@ EOF # Xen unstable elif cat > $TMPC <<EOF && +#undef XC_WANT_COMPAT_DEVICEMODEL_API +#define __XEN_TOOLS__ +#include <xendevicemodel.h> +int main(void) { + xendevicemodel_handle *xd; + + xd = xendevicemodel_open(0, 0); + xendevicemodel_pin_memory_cacheattr(xd, 0, 0, 0, 0); + + return 0; +} +EOF + compile_prog "" "$xen_libs -lxendevicemodel $xen_stable_libs -lxentoolcore" + then + xen_stable_libs="-lxendevicemodel $xen_stable_libs -lxentoolcore" + xen_ctrl_version=41100 + xen=yes + elif + cat > $TMPC <<EOF && #undef XC_WANT_COMPAT_MAP_FOREIGN_API #include <xenforeignmemory.h> +#include <xentoolcore.h> int main(void) { xenforeignmemory_handle *xfmem; xfmem = xenforeignmemory_open(0, 0); xenforeignmemory_map2(xfmem, 0, 0, 0, 0, 0, 0, 0); + xentoolcore_restrict_all(0); return 0; } EOF - compile_prog "" "$xen_libs -lxendevicemodel $xen_stable_libs" + compile_prog "" "$xen_libs -lxendevicemodel $xen_stable_libs -lxentoolcore" then - xen_stable_libs="-lxendevicemodel $xen_stable_libs" + xen_stable_libs="-lxendevicemodel $xen_stable_libs -lxentoolcore" xen_ctrl_version=41000 xen=yes elif diff --git a/hw/i386/xen/xen-hvm.c b/hw/i386/xen/xen-hvm.c index f24b7d4923..caa563be3d 100644 --- a/hw/i386/xen/xen-hvm.c +++ b/hw/i386/xen/xen-hvm.c @@ -347,7 +347,7 @@ static int xen_add_to_physmap(XenIOState *state, MemoryRegion *mr, hwaddr offset_within_region) { - unsigned long i = 0; + unsigned long nr_pages; int rc = 0; XenPhysmap *physmap = NULL; hwaddr pfn, start_gpfn; @@ -396,22 +396,26 @@ go_physmap: pfn = phys_offset >> TARGET_PAGE_BITS; start_gpfn = start_addr >> TARGET_PAGE_BITS; - for (i = 0; i < size >> TARGET_PAGE_BITS; i++) { - unsigned long idx = pfn + i; - xen_pfn_t gpfn = start_gpfn + i; - - rc = xen_xc_domain_add_to_physmap(xen_xc, xen_domid, XENMAPSPACE_gmfn, idx, gpfn); - if (rc) { - DPRINTF("add_to_physmap MFN %"PRI_xen_pfn" to PFN %" - PRI_xen_pfn" failed: %d (errno: %d)\n", idx, gpfn, rc, errno); - return -rc; - } + nr_pages = size >> TARGET_PAGE_BITS; + rc = xendevicemodel_relocate_memory(xen_dmod, xen_domid, nr_pages, pfn, + start_gpfn); + if (rc) { + int saved_errno = errno; + + error_report("relocate_memory %lu pages from GFN %"HWADDR_PRIx + " to GFN %"HWADDR_PRIx" failed: %s", + nr_pages, pfn, start_gpfn, strerror(saved_errno)); + errno = saved_errno; + return -1; } - xc_domain_pin_memory_cacheattr(xen_xc, xen_domid, + rc = xendevicemodel_pin_memory_cacheattr(xen_dmod, xen_domid, start_addr >> TARGET_PAGE_BITS, (start_addr + size - 1) >> TARGET_PAGE_BITS, XEN_DOMCTL_MEM_CACHEATTR_WB); + if (rc) { + error_report("pin_memory_cacheattr failed: %s", strerror(errno)); + } return xen_save_physmap(state, physmap); } @@ -419,7 +423,6 @@ static int xen_remove_from_physmap(XenIOState *state, hwaddr start_addr, ram_addr_t size) { - unsigned long i = 0; int rc = 0; XenPhysmap *physmap = NULL; hwaddr phys_offset = 0; @@ -438,16 +441,17 @@ static int xen_remove_from_physmap(XenIOState *state, size >>= TARGET_PAGE_BITS; start_addr >>= TARGET_PAGE_BITS; phys_offset >>= TARGET_PAGE_BITS; - for (i = 0; i < size; i++) { - xen_pfn_t idx = start_addr + i; - xen_pfn_t gpfn = phys_offset + i; - - rc = xen_xc_domain_add_to_physmap(xen_xc, xen_domid, XENMAPSPACE_gmfn, idx, gpfn); - if (rc) { - fprintf(stderr, "add_to_physmap MFN %"PRI_xen_pfn" to PFN %" - PRI_xen_pfn" failed: %d (errno: %d)\n", idx, gpfn, rc, errno); - return -rc; - } + rc = xendevicemodel_relocate_memory(xen_dmod, xen_domid, size, start_addr, + phys_offset); + if (rc) { + int saved_errno = errno; + + error_report("relocate_memory "RAM_ADDR_FMT" pages" + " from GFN %"HWADDR_PRIx + " to GFN %"HWADDR_PRIx" failed: %s", + size, start_addr, phys_offset, strerror(saved_errno)); + errno = saved_errno; + return -1; } QLIST_REMOVE(physmap, list); @@ -1254,14 +1258,6 @@ void xen_hvm_init(PCMachineState *pcms, MemoryRegion **ram_memory) goto err; } - if (xen_domid_restrict) { - rc = xen_restrict(xen_domid); - if (rc < 0) { - error_report("failed to restrict: error %d", errno); - goto err; - } - } - xen_create_ioreq_server(xen_domid, &state->ioservid); state->exit.notify = xen_exit_notifier; @@ -1394,13 +1390,26 @@ void destroy_hvm_domain(bool reboot) { xc_interface *xc_handle; int sts; + int rc; + + unsigned int reason = reboot ? SHUTDOWN_reboot : SHUTDOWN_poweroff; + + if (xen_dmod) { + rc = xendevicemodel_shutdown(xen_dmod, xen_domid, reason); + if (!rc) { + return; + } + if (errno != ENOTTY /* old Xen */) { + perror("xendevicemodel_shutdown failed"); + } + /* well, try the old thing then */ + } xc_handle = xc_interface_open(0, 0, 0); if (xc_handle == NULL) { fprintf(stderr, "Cannot acquire xenctrl handle\n"); } else { - sts = xc_domain_shutdown(xc_handle, xen_domid, - reboot ? SHUTDOWN_reboot : SHUTDOWN_poweroff); + sts = xc_domain_shutdown(xc_handle, xen_domid, reason); if (sts != 0) { fprintf(stderr, "xc_domain_shutdown failed to issue %s, " "sts %d, %s\n", reboot ? "reboot" : "poweroff", diff --git a/hw/xen/xen-common.c b/hw/xen/xen-common.c index 83099dd1b1..6ec14c73ca 100644 --- a/hw/xen/xen-common.c +++ b/hw/xen/xen-common.c @@ -101,7 +101,12 @@ static void xenstore_record_dm_state(struct xs_handle *xs, const char *state) } snprintf(path, sizeof (path), "device-model/%u/state", xen_domid); - if (!xs_write(xs, XBT_NULL, path, state, strlen(state))) { + /* + * This call may fail when running restricted so don't make it fatal in + * that case. Toolstacks should instead use QMP to listen for state changes. + */ + if (!xs_write(xs, XBT_NULL, path, state, strlen(state)) && + !xen_domid_restrict) { error_report("error recording dm state"); exit(1); } @@ -117,6 +122,19 @@ static void xen_change_state_handler(void *opaque, int running, } } +static void xen_setup_post(MachineState *ms, AccelState *accel) +{ + int rc; + + if (xen_domid_restrict) { + rc = xen_restrict(xen_domid); + if (rc < 0) { + perror("xen: failed to restrict"); + exit(1); + } + } +} + static int xen_init(MachineState *ms) { xen_xc = xc_interface_open(0, 0, 0); @@ -165,6 +183,7 @@ static void xen_accel_class_init(ObjectClass *oc, void *data) AccelClass *ac = ACCEL_CLASS(oc); ac->name = "Xen"; ac->init_machine = xen_init; + ac->setup_post = xen_setup_post; ac->allowed = &xen_allowed; ac->global_props = xen_compat_props; } diff --git a/include/hw/xen/xen_common.h b/include/hw/xen/xen_common.h index 64a978e4e0..5f1402b494 100644 --- a/include/hw/xen/xen_common.h +++ b/include/hw/xen/xen_common.h @@ -78,6 +78,49 @@ static inline void *xenforeignmemory_map(xc_interface *h, uint32_t dom, extern xenforeignmemory_handle *xen_fmem; +#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40900 + +typedef xc_interface xendevicemodel_handle; + +#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40900 */ + +#undef XC_WANT_COMPAT_DEVICEMODEL_API +#include <xendevicemodel.h> + +#endif + +#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 41100 + +static inline int xendevicemodel_relocate_memory( + xendevicemodel_handle *dmod, domid_t domid, uint32_t size, uint64_t src_gfn, + uint64_t dst_gfn) +{ + uint32_t i; + int rc; + + for (i = 0; i < size; i++) { + unsigned long idx = src_gfn + i; + xen_pfn_t gpfn = dst_gfn + i; + + rc = xc_domain_add_to_physmap(xen_xc, domid, XENMAPSPACE_gmfn, idx, + gpfn); + if (rc) { + return rc; + } + } + + return 0; +} + +static inline int xendevicemodel_pin_memory_cacheattr( + xendevicemodel_handle *dmod, domid_t domid, uint64_t start, uint64_t end, + uint32_t type) +{ + return xc_domain_pin_memory_cacheattr(xen_xc, domid, start, end, type); +} + +#endif /* CONFIG_XEN_CTRL_INTERFACE_VERSION < 41100 */ + #if CONFIG_XEN_CTRL_INTERFACE_VERSION < 41000 #define XEN_COMPAT_PHYSMAP @@ -91,12 +134,27 @@ static inline void *xenforeignmemory_map2(xenforeignmemory_handle *h, return xenforeignmemory_map(h, dom, prot, pages, arr, err); } +static inline int xentoolcore_restrict_all(domid_t domid) +{ + errno = ENOTTY; + return -1; +} + +static inline int xendevicemodel_shutdown(xendevicemodel_handle *dmod, + domid_t domid, unsigned int reason) +{ + errno = ENOTTY; + return -1; +} + +#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 41000 */ + +#include <xentoolcore.h> + #endif #if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40900 -typedef xc_interface xendevicemodel_handle; - static inline xendevicemodel_handle *xendevicemodel_open( struct xentoollog_logger *logger, unsigned int open_flags) { @@ -218,25 +276,6 @@ static inline int xendevicemodel_set_mem_type( return xc_hvm_set_mem_type(dmod, domid, mem_type, first_pfn, nr); } -static inline int xendevicemodel_restrict( - xendevicemodel_handle *dmod, domid_t domid) -{ - errno = ENOTTY; - return -1; -} - -static inline int xenforeignmemory_restrict( - xenforeignmemory_handle *fmem, domid_t domid) -{ - errno = ENOTTY; - return -1; -} - -#else /* CONFIG_XEN_CTRL_INTERFACE_VERSION >= 40900 */ - -#undef XC_WANT_COMPAT_DEVICEMODEL_API -#include <xendevicemodel.h> - #endif extern xendevicemodel_handle *xen_dmod; @@ -290,28 +329,8 @@ static inline int xen_modified_memory(domid_t domid, uint64_t first_pfn, static inline int xen_restrict(domid_t domid) { int rc; - - /* Attempt to restrict devicemodel operations */ - rc = xendevicemodel_restrict(xen_dmod, domid); - trace_xen_domid_restrict(rc ? errno : 0); - - if (rc < 0) { - /* - * If errno is ENOTTY then restriction is not implemented so - * there's no point in trying to restrict other types of - * operation, but it should not be treated as a failure. - */ - if (errno == ENOTTY) { - return 0; - } - - return rc; - } - - /* Restrict foreignmemory operations */ - rc = xenforeignmemory_restrict(xen_fmem, domid); + rc = xentoolcore_restrict_all(domid); trace_xen_domid_restrict(rc ? errno : 0); - return rc; } @@ -626,28 +645,6 @@ static inline int xen_set_ioreq_server_state(domid_t dom, #endif -#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40600 -static inline int xen_xc_domain_add_to_physmap(xc_interface *xch, uint32_t domid, - unsigned int space, - unsigned long idx, - xen_pfn_t gpfn) -{ - return xc_domain_add_to_physmap(xch, domid, space, idx, gpfn); -} -#else -static inline int xen_xc_domain_add_to_physmap(xc_interface *xch, uint32_t domid, - unsigned int space, - unsigned long idx, - xen_pfn_t gpfn) -{ - /* In Xen 4.6 rc is -1 and errno contains the error value. */ - int rc = xc_domain_add_to_physmap(xch, domid, space, idx, gpfn); - if (rc == -1) - return errno; - return rc; -} -#endif - #ifdef CONFIG_XEN_PV_DOMAIN_BUILD #if CONFIG_XEN_CTRL_INTERFACE_VERSION < 40700 static inline int xen_domain_create(xc_interface *xc, uint32_t ssidref, diff --git a/include/sysemu/accel.h b/include/sysemu/accel.h index 5a632cee1d..637358f430 100644 --- a/include/sysemu/accel.h +++ b/include/sysemu/accel.h @@ -40,6 +40,7 @@ typedef struct AccelClass { const char *name; int (*available)(void); int (*init_machine)(MachineState *ms); + void (*setup_post)(MachineState *ms, AccelState *accel); bool *allowed; /* * Array of global properties that would be applied when specific @@ -68,5 +69,7 @@ extern unsigned long tcg_tb_size; void configure_accelerator(MachineState *ms); /* Register accelerator specific global properties */ void accel_register_compat_props(AccelState *accel); +/* Called just before os_setup_post (ie just before drop OS privs) */ +void accel_setup_post(MachineState *ms); #endif diff --git a/os-posix.c b/os-posix.c index b9c2343b1e..24eb7007dc 100644 --- a/os-posix.c +++ b/os-posix.c @@ -41,7 +41,14 @@ #include <sys/prctl.h> #endif -static struct passwd *user_pwd; +/* + * Must set all three of these at once. + * Legal combinations are unset by name by uid + */ +static struct passwd *user_pwd; /* NULL non-NULL NULL */ +static uid_t user_uid = (uid_t)-1; /* -1 -1 >=0 */ +static gid_t user_gid = (gid_t)-1; /* -1 -1 >=0 */ + static const char *chroot_dir; static int daemonize; static int daemon_pipe; @@ -118,15 +125,42 @@ void os_set_proc_name(const char *s) /* Could rewrite argv[0] too, but that's a bit more complicated. This simple way is enough for `top'. */ if (prctl(PR_SET_NAME, name)) { - perror("unable to change process name"); + error_report("unable to change process name: %s", strerror(errno)); exit(1); } #else - fprintf(stderr, "Change of process name not supported by your OS\n"); + error_report("Change of process name not supported by your OS"); exit(1); #endif } + +static bool os_parse_runas_uid_gid(const char *optarg) +{ + unsigned long lv; + const char *ep; + uid_t got_uid; + gid_t got_gid; + int rc; + + rc = qemu_strtoul(optarg, &ep, 0, &lv); + got_uid = lv; /* overflow here is ID in C99 */ + if (rc || *ep != ':' || got_uid != lv || got_uid == (uid_t)-1) { + return false; + } + + rc = qemu_strtoul(ep + 1, 0, 0, &lv); + got_gid = lv; /* overflow here is ID in C99 */ + if (rc || got_gid != lv || got_gid == (gid_t)-1) { + return false; + } + + user_pwd = NULL; + user_uid = got_uid; + user_gid = got_gid; + return true; +} + /* * Parse OS specific command line options. * return 0 if option handled, -1 otherwise @@ -144,8 +178,13 @@ void os_parse_cmd_args(int index, const char *optarg) #endif case QEMU_OPTION_runas: user_pwd = getpwnam(optarg); - if (!user_pwd) { - fprintf(stderr, "User \"%s\" doesn't exist\n", optarg); + if (user_pwd) { + user_uid = -1; + user_gid = -1; + } else if (!os_parse_runas_uid_gid(optarg)) { + error_report("User \"%s\" doesn't exist" + " (and is not <uid>:<gid>)", + optarg); exit(1); } break; @@ -165,22 +204,36 @@ void os_parse_cmd_args(int index, const char *optarg) static void change_process_uid(void) { - if (user_pwd) { - if (setgid(user_pwd->pw_gid) < 0) { - fprintf(stderr, "Failed to setgid(%d)\n", user_pwd->pw_gid); + assert((user_uid == (uid_t)-1) || user_pwd == NULL); + assert((user_uid == (uid_t)-1) == + (user_gid == (gid_t)-1)); + + if (user_pwd || user_uid != (uid_t)-1) { + gid_t intended_gid = user_pwd ? user_pwd->pw_gid : user_gid; + uid_t intended_uid = user_pwd ? user_pwd->pw_uid : user_uid; + if (setgid(intended_gid) < 0) { + error_report("Failed to setgid(%d)", intended_gid); exit(1); } - if (initgroups(user_pwd->pw_name, user_pwd->pw_gid) < 0) { - fprintf(stderr, "Failed to initgroups(\"%s\", %d)\n", - user_pwd->pw_name, user_pwd->pw_gid); - exit(1); + if (user_pwd) { + if (initgroups(user_pwd->pw_name, user_pwd->pw_gid) < 0) { + error_report("Failed to initgroups(\"%s\", %d)", + user_pwd->pw_name, user_pwd->pw_gid); + exit(1); + } + } else { + if (setgroups(1, &user_gid) < 0) { + error_report("Failed to setgroups(1, [%d])", + user_gid); + exit(1); + } } - if (setuid(user_pwd->pw_uid) < 0) { - fprintf(stderr, "Failed to setuid(%d)\n", user_pwd->pw_uid); + if (setuid(intended_uid) < 0) { + error_report("Failed to setuid(%d)", intended_uid); exit(1); } if (setuid(0) != -1) { - fprintf(stderr, "Dropping privileges failed\n"); + error_report("Dropping privileges failed"); exit(1); } } @@ -190,11 +243,11 @@ static void change_root(void) { if (chroot_dir) { if (chroot(chroot_dir) < 0) { - fprintf(stderr, "chroot failed\n"); + error_report("chroot failed"); exit(1); } if (chdir("/")) { - perror("not able to chdir to /"); + error_report("not able to chdir to /: %s", strerror(errno)); exit(1); } } @@ -256,7 +309,7 @@ void os_setup_post(void) if (daemonize) { if (chdir("/")) { - perror("not able to chdir to /"); + error_report("not able to chdir to /: %s", strerror(errno)); exit(1); } TFR(fd = qemu_open("/dev/null", O_RDWR)); @@ -330,7 +383,7 @@ int os_mlock(void) ret = mlockall(MCL_CURRENT | MCL_FUTURE); if (ret < 0) { - perror("mlockall"); + error_report("mlockall: %s", strerror(errno)); } return ret; diff --git a/qemu-options.hx b/qemu-options.hx index ca4e412f2f..5fbf966292 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -3765,7 +3765,8 @@ ETEXI #ifndef _WIN32 DEF("runas", HAS_ARG, QEMU_OPTION_runas, \ - "-runas user change to user id user just before starting the VM\n", + "-runas user change to user id user just before starting the VM\n" \ + " user can be numeric uid:gid instead\n", QEMU_ARCH_ALL) #endif STEXI diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl index d52207a3cc..5b8735defb 100755 --- a/scripts/checkpatch.pl +++ b/scripts/checkpatch.pl @@ -266,6 +266,7 @@ our @typeList = ( qr{target_(?:u)?long}, qr{hwaddr}, qr{xml${Ident}}, + qr{xendevicemodel_handle}, ); # This can be modified by sub possible. Since it can be empty, be careful @@ -4742,6 +4742,7 @@ int main(int argc, char **argv, char **envp) vm_start(); } + accel_setup_post(current_machine); os_setup_post(); main_loop(); |