summaryrefslogtreecommitdiffstats
path: root/include/uapi/xen
diff options
context:
space:
mode:
authorDavid Vrabel <david.vrabel@citrix.com>2016-07-11 16:45:51 +0200
committerDavid Vrabel <david.vrabel@citrix.com>2016-07-25 11:59:31 +0200
commitfbc872c38c8fed31948c85683b5326ee5ab9fccc (patch)
tree6945716f9f0a670c14a9e1020a069e08e7929776 /include/uapi/xen
parentxen-blkback: really don't leak mode property (diff)
downloadlinux-fbc872c38c8fed31948c85683b5326ee5ab9fccc.tar.xz
linux-fbc872c38c8fed31948c85683b5326ee5ab9fccc.zip
xen/evtchn: add IOCTL_EVTCHN_RESTRICT
IOCTL_EVTCHN_RESTRICT limits the file descriptor to being able to bind to interdomain event channels from a specific domain. Event channels that are already bound continue to work for sending and receiving notifications. This is useful as part of deprivileging a user space PV backend or device model (QEMU). e.g., Once the device model as bound to the ioreq server event channels it can restrict the file handle so an exploited DM cannot use it to create or bind to arbitrary event channels. Signed-off-by: David Vrabel <david.vrabel@citrix.com> Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Diffstat (limited to 'include/uapi/xen')
-rw-r--r--include/uapi/xen/evtchn.h15
1 files changed, 15 insertions, 0 deletions
diff --git a/include/uapi/xen/evtchn.h b/include/uapi/xen/evtchn.h
index 14e833ee4e0b..cb4aa4bb905e 100644
--- a/include/uapi/xen/evtchn.h
+++ b/include/uapi/xen/evtchn.h
@@ -85,4 +85,19 @@ struct ioctl_evtchn_notify {
#define IOCTL_EVTCHN_RESET \
_IOC(_IOC_NONE, 'E', 5, 0)
+/*
+ * Restrict this file descriptor so that it can only be used to bind
+ * new interdomain events from one domain.
+ *
+ * Once a file descriptor has been restricted it cannot be
+ * de-restricted, and must be closed and re-opened. Event channels
+ * which were bound before restricting remain bound afterwards, and
+ * can be notified as usual.
+ */
+#define IOCTL_EVTCHN_RESTRICT_DOMID \
+ _IOC(_IOC_NONE, 'E', 6, sizeof(struct ioctl_evtchn_restrict_domid))
+struct ioctl_evtchn_restrict_domid {
+ domid_t domid;
+};
+
#endif /* __LINUX_PUBLIC_EVTCHN_H__ */