
libvmmapi: Provide an interface for limiting rights on the device fd
Closed, Public

Authored by markj on Oct 23 2022, 6:45 PM.

Details

Summary

Currently libvmmapi provides a way to get a list of the allowed ioctls
on the vmm device file, so that bhyve can limit rights on the device
file fd. The interface is rather strange: it allocates a copy of the
list but returns a const pointer, so the caller has to cast away the
const in order to free it without aggravating the compiler.

As far as I can see, there's no reason to make a copy of the array, but
changing vm_get_ioctls() to not do that would break compatibility. So
this change just introduces a better interface: move all rights-limiting
logic into libvmmapi. bhyve will be changed to use the new
vm_limit_rights() in a follow-up revision.

Any new operations on the fd should be wrapped by libvmmapi, so also
discourage use of vm_get_device_fd(). Currently bhyve uses it only when
limiting rights on the device fd.

No functional change intended.

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

markj requested review of this revision. Oct 23 2022, 6:45 PM
jhb added a subscriber: jhb.
jhb added inline comments.
lib/libvmmapi/vmmapi.h, line 198

I would move this section to the bottom of the file perhaps? I'm not sure if there are any other functions that are also deprecated at this point.

This revision is now accepted and ready to land. Oct 24 2022, 7:32 PM
lib/libvmmapi/vmmapi.h, line 198

Good point, I'll do that.