Cover Letter Detail
Show a cover letter.
GET /api/covers/814353/?format=api
{
    "id": 814353,
    "url": "http://patchwork.ozlabs.org/api/covers/814353/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/cover/1505498999-17427-1-git-send-email-ian.jackson@eu.citrix.com/",
    "project": {
        "id": 14,
        "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api",
        "name": "QEMU Development",
        "link_name": "qemu-devel",
        "list_id": "qemu-devel.nongnu.org",
        "list_email": "qemu-devel@nongnu.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": "",
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<1505498999-17427-1-git-send-email-ian.jackson@eu.citrix.com>",
    "list_archive_url": null,
    "date": "2017-09-15T18:09:53",
    "name": "[RFC,0/6] xen: xen-domid-restrict improvements",
    "submitter": {
        "id": 2704,
        "url": "http://patchwork.ozlabs.org/api/people/2704/?format=api",
        "name": "Ian Jackson",
        "email": "ian.jackson@eu.citrix.com"
    },
    "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/cover/1505498999-17427-1-git-send-email-ian.jackson@eu.citrix.com/mbox/",
    "series": [
        {
            "id": 3347,
            "url": "http://patchwork.ozlabs.org/api/series/3347/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=3347",
            "date": "2017-09-15T18:09:53",
            "name": "xen: xen-domid-restrict improvements",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/3347/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/covers/814353/comments/",
    "headers": {
        "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>",
        "X-Original-To": "incoming@patchwork.ozlabs.org",
        "Delivered-To": "patchwork-incoming@bilbo.ozlabs.org",
        "Authentication-Results": "ozlabs.org;\n\tspf=pass (mailfrom) smtp.mailfrom=nongnu.org\n\t(client-ip=2001:4830:134:3::11; helo=lists.gnu.org;\n\tenvelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n\treceiver=<UNKNOWN>)",
        "Received": [
            "from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])\n\t(using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xv3P46Qn5z9sPs\n\tfor <incoming@patchwork.ozlabs.org>;\n\tSat, 16 Sep 2017 04:10:58 +1000 (AEST)",
            "from localhost ([::1]:54499 helo=lists.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.71) (envelope-from\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)\n\tid 1dsv4p-0000n5-JM\n\tfor incoming@patchwork.ozlabs.org; Fri, 15 Sep 2017 14:10:55 -0400",
            "from eggs.gnu.org ([2001:4830:134:3::10]:39153)\n\tby lists.gnu.org with esmtp (Exim 4.71)\n\t(envelope-from <prvs=4248f5c51=Ian.Jackson@citrix.com>)\n\tid 1dsv49-0000lY-Ne\n\tfor qemu-devel@nongnu.org; Fri, 15 Sep 2017 14:10:14 -0400",
            "from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)\n\t(envelope-from <prvs=4248f5c51=Ian.Jackson@citrix.com>)\n\tid 1dsv44-0006lm-N2\n\tfor qemu-devel@nongnu.org; Fri, 15 Sep 2017 14:10:13 -0400",
            "from smtp02.citrix.com ([66.165.176.63]:59995)\n\tby eggs.gnu.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.71)\n\t(envelope-from <prvs=4248f5c51=Ian.Jackson@citrix.com>)\n\tid 1dsv44-0006gP-HS\n\tfor qemu-devel@nongnu.org; Fri, 15 Sep 2017 14:10:08 -0400"
        ],
        "X-IronPort-AV": "E=Sophos;i=\"5.42,398,1500940800\"; d=\"scan'208\";a=\"448014520\"",
        "From": "Ian Jackson <ian.jackson@eu.citrix.com>",
        "To": "<qemu-devel@nongnu.org>",
        "Date": "Fri, 15 Sep 2017 19:09:53 +0100",
        "Message-ID": "<1505498999-17427-1-git-send-email-ian.jackson@eu.citrix.com>",
        "X-Mailer": "git-send-email 2.1.4",
        "MIME-Version": "1.0",
        "Content-Type": "text/plain",
        "X-detected-operating-system": "by eggs.gnu.org: Genre and OS details not\n\trecognized.",
        "X-Received-From": "66.165.176.63",
        "Subject": "[Qemu-devel] [PATCH RFC 0/6] xen: xen-domid-restrict improvements",
        "X-BeenThere": "qemu-devel@nongnu.org",
        "X-Mailman-Version": "2.1.21",
        "Precedence": "list",
        "List-Id": "<qemu-devel.nongnu.org>",
        "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>",
        "List-Archive": "<http://lists.nongnu.org/archive/html/qemu-devel/>",
        "List-Post": "<mailto:qemu-devel@nongnu.org>",
        "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>",
        "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n\t<mailto:qemu-devel-request@nongnu.org?subject=subscribe>",
        "Cc": "Juergen Gross <jgross@suse.com>,\n\tStefano Stabellini <sstabellini@kernel.org>, xen-devel@nongnu.org",
        "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org",
        "Sender": "\"Qemu-devel\"\n\t<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>"
    },
    "content": "I have been working on trying to get qemu, when running as a Xen\ndevice model, to _actually_ not have power equivalent to root.\n\nI think I have achieved this, with some limitations (which will be\ndiscussed in my series against xen.git, which I am about to post).\n\nHowever, there are changes to qemu needed. In particular\n\n * The -xen-domid-restrict option does not work properly right now.\n It only restricts a small subset of the descriptors qemu has open.\n I am introducing a new library call in the Xen libraries for this,\n xentoolcore_restrict_all.\n\n * We need to call a different function on domain shutdown.\n\n * Additionally, in the future, we intend to be able to set aside\n a uid range for these qemus to run in, and that involves being\n able to tell qemu to drop privilege by numeric uid and gid.\n\nThis series is only an RFC because right now it won't compile against\nolder versions of Xen. There is \"configure\" work needed. I would\nappreciate some help and/or advice and have CC'd some people who\ntouched this area recently...\n\nThanks for your attention.\n\nIan."
}