From nobody Sun May 3 14:25:23 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass(p=quarantine dis=none) header.from=suse.com ARC-Seal: i=1; a=rsa-sha256; t=1777464439; cv=none; d=zohomail.com; s=zohoarc; b=kKYedk1ngWn867NiPUmc3QIUSzILdmsnF3JYEVtSfAck8lb8+f1rfyFR6qkvKMAdCwQMT9cjaFz2oHk3Uuw7/BqSU1DQ9Rp09SQeWuTWAoSWquoTfvs36H/p5TcdhUCF3dB+6c8B05ZeHOpGC1KusU0cXlYLcUDBI0ptUsWZxjM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1777464439; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=Fvrcx0L64Kf/ax26AArSQHlhXePuAaFw8eCivbX6h2o=; b=mFUNK+tAMCWgrN6p3el3IXRxE89MxqnGzgIQ2r3tkQ0Nk5E0J3nZ/SxqC0S+8UjJ+Q6tBJIajcW1TN15pjoIHU4VYPJlYiPDhcjgIZ9+kroYHbTLxZzaNVAYUCe2t54i5WMkS6ZP8/NLl+FIxykOEg6D7M7cAtXg3Ui2kAdQgM4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1777464439228383.22309331768304; Wed, 29 Apr 2026 05:07:19 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.1297275.1573365 (Exim 4.92) (envelope-from ) id 1wI3gb-0006sd-Sm; Wed, 29 Apr 2026 12:06:37 +0000 Received: by outflank-mailman (output) from mailman id 1297275.1573365; Wed, 29 Apr 2026 12:06:37 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wI3gb-0006sW-Q0; Wed, 29 Apr 2026 12:06:37 +0000 Received: by outflank-mailman (input) for mailman id 1297275; Wed, 29 Apr 2026 12:06:36 +0000 Received: from mx.expurgate.net ([195.190.135.10]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wI3ga-0006rt-TK for xen-devel@lists.xenproject.org; Wed, 29 Apr 2026 12:06:36 +0000 Received: from mx.expurgate.net (helo=localhost) by mx.expurgate.net with esmtp id 1wI3ga-00CWOJ-9E for xen-devel@lists.xenproject.org; Wed, 29 Apr 2026 14:06:36 +0200 Received: from [10.42.69.4] (helo=localhost) by localhost with ESMTP (eXpurgate MTA 0.9.1) (envelope-from ) id 69f1f444-bab6-0a2a0a5309dd-0a2a4504d07e-8 for ; Wed, 29 Apr 2026 14:06:36 +0200 Received: from [195.135.223.131] (helo=smtp-out2.suse.de) by tlsNG-ebf023.mxtls.expurgate.net with ESMTPS (eXpurgate 4.56.1) (envelope-from ) id 69f1f44c-1dec-0a2a45040019-c387df8391e6-3 for ; Wed, 29 Apr 2026 14:06:36 +0200 Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 73CF95BD76; Wed, 29 Apr 2026 12:06:27 +0000 (UTC) Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 34656593B1; Wed, 29 Apr 2026 12:06:27 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id 0AanC0P08WlVVQAAD6G6ig (envelope-from ); Wed, 29 Apr 2026 12:06:27 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" Authentication-Results: eu.smtp.expurgate.cloud; dkim=pass header.s=susede1 header.d=suse.com header.i="@suse.com" header.h="From:Date:Message-ID:To:Cc:MIME-Version:Content-Transfer-Encoding:In-Reply-To:References"; dkim=pass header.s=susede1 header.d=suse.com header.i="@suse.com" header.h="From:Date:Message-ID:To:Cc:MIME-Version:Content-Transfer-Encoding:In-Reply-To:References" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1777464391; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Fvrcx0L64Kf/ax26AArSQHlhXePuAaFw8eCivbX6h2o=; b=rWr/AfLq4Do+4dGLXmUZJqNCAoB45EdHlTZSg2IwN9IL1oCtvpBDagiq0jX7Xek2Xi4JJn Z7+DdkS8/mcNF6geCcvdWZVVcpLlp+3q0qmYv4/ktlDc+EeE7+j5xVEbvlm4i09Ivv7kXo NHF8neRjrnlvcfVC7z5qay6IRn292Yo= Authentication-Results: smtp-out2.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1777464387; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Fvrcx0L64Kf/ax26AArSQHlhXePuAaFw8eCivbX6h2o=; b=doVE1FUrkPKeHwe1H2jkYGx4rnIy0eeUbZYQ3rsmgB2jCy5clURQBb4p8G5b2OFJ93GHxW 1+8olA1VIi/lGydAQAmwvhEejrON41IMYFXXczIKTo+rhMAy1UwY3InhjUc+40okaw6CLE G9n+/SeTgrXuoOtVf/KcJtvpExmQljo= From: Juergen Gross To: xen-devel@lists.xenproject.org Cc: Denis Mukhin , Andrew Cooper , Anthony PERARD , Michal Orzel , Jan Beulich , Julien Grall , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Stefano Stabellini , Juergen Gross , Jason Andryuk Subject: [PATCH v2 1/4] xen/public: introduce DOMID_ANY Date: Wed, 29 Apr 2026 14:06:16 +0200 Message-ID: <20260429120619.1013440-2-jgross@suse.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260429120619.1013440-1-jgross@suse.com> References: <20260429120619.1013440-1-jgross@suse.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -6.80 X-Spam-Level: X-Spamd-Result: default: False [-6.80 / 50.00]; REPLY(-4.00)[]; BAYES_HAM(-3.00)[99.99%]; NEURAL_HAM_LONG(-1.00)[-1.000]; MID_CONTAINS_FROM(1.00)[]; R_MISSING_CHARSET(0.50)[]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; RCVD_COUNT_TWO(0.00)[2]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_HAS_DN(0.00)[]; MIME_TRACE(0.00)[0:+]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; RCPT_COUNT_SEVEN(0.00)[11]; DBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo,amd.com:email,suse.com:mid,suse.com:email,ford.com:email]; DKIM_SIGNED(0.00)[suse.com:s=susede1]; TO_DN_SOME(0.00)[]; RCVD_TLS_ALL(0.00)[] X-Spam-Flag: NO X-purgate-ID: tlsNG-ebf023/1777464396-2B3673FF-AB0E0F40/0/0 X-purgate-type: clean X-purgate-size: 1320 X-ZohoMail-DKIM: pass (identity @suse.com) (identity @suse.com) X-ZM-MESSAGEID: 1777464441101154100 Content-Type: text/plain; charset="utf-8" From: Denis Mukhin Add DOMID_ANY to xen/include/public/xen.h meant to be a wildcard for domids. Signed-off-by: Denis Mukhin Signed-off-by: Juergen Gross Reviewed-by: Jason Andryuk --- This is based on Denis Mukhin's patch "xen/domain: introduce DOMID_ANY". As my series is another use case for DOMID_ANY and it is a backport candidate, I've split out the definition of DOMID_ANY from Denis' patch in order to make progress for my series. V2: update comment (Jason Andryuk) --- xen/include/public/xen.h | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/xen/include/public/xen.h b/xen/include/public/xen.h index b12fd10e63..2149b8dd38 100644 --- a/xen/include/public/xen.h +++ b/xen/include/public/xen.h @@ -608,6 +608,13 @@ DEFINE_XEN_GUEST_HANDLE(mmuext_op_t); /* DOMID_INVALID is used to identify pages with unknown owner. */ #define DOMID_INVALID xen_mk_uint(0x7FF4) =20 +/* + * DOMID_ANY is used to signal no specific domain ID requested. + * Handler should pick a valid ID, or handle it as a wildcard value + * depending on the context. + */ +#define DOMID_ANY xen_mk_uint(0x7FF5) + /* Idle domain. */ #define DOMID_IDLE xen_mk_uint(0x7FFF) =20 --=20 2.53.0 From nobody Sun May 3 14:25:23 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail(p=quarantine dis=quarantine) header.from=suse.com Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1777464448258121.34564022445181; Wed, 29 Apr 2026 05:07:28 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.1297274.1573357 (Exim 4.92) (envelope-from ) id 1wI3gZ-0006ej-MJ; Wed, 29 Apr 2026 12:06:35 +0000 Received: by outflank-mailman (output) from mailman id 1297274.1573357; Wed, 29 Apr 2026 12:06:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wI3gZ-0006ec-J9; Wed, 29 Apr 2026 12:06:35 +0000 Received: by outflank-mailman (input) for mailman id 1297274; Wed, 29 Apr 2026 12:06:34 +0000 Received: from mx.expurgate.net ([195.190.135.10]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wI3gY-0006bB-6F for xen-devel@lists.xenproject.org; Wed, 29 Apr 2026 12:06:34 +0000 Received: from mx.expurgate.net (helo=localhost) by mx.expurgate.net with esmtp id 1wI3gX-00CWNe-Iq for xen-devel@lists.xenproject.org; Wed, 29 Apr 2026 14:06:33 +0200 Received: from [10.42.69.9] (helo=localhost) by localhost with ESMTP (eXpurgate MTA 0.9.1) (envelope-from ) id 69f1f442-e002-0a2a0a5209dd-0a2a45098cd6-36 for ; Wed, 29 Apr 2026 14:06:33 +0200 Received: from [195.135.223.131] (helo=smtp-out2.suse.de) by tlsNG-bad1c0.mxtls.expurgate.net with ESMTPS (eXpurgate 4.56.1) (envelope-from ) id 69f1f449-2497-0a2a45090019-c387df83c7bc-3 for ; Wed, 29 Apr 2026 14:06:33 +0200 Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id E27615BCC2; Wed, 29 Apr 2026 12:06:32 +0000 (UTC) Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id BE5C4593B0; Wed, 29 Apr 2026 12:06:32 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id jV1oLUj08Wl6VQAAD6G6ig (envelope-from ); Wed, 29 Apr 2026 12:06:32 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" Authentication-Results: eu.smtp.expurgate.cloud; none Authentication-Results: smtp-out2.suse.de; none From: Juergen Gross To: xen-devel@lists.xenproject.org Cc: Juergen Gross , Anthony PERARD , Julien Grall , Jason Andryuk Subject: [PATCH v2 2/4] tools/xenstored: add support for "all domains" node permission Date: Wed, 29 Apr 2026 14:06:17 +0200 Message-ID: <20260429120619.1013440-3-jgross@suse.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260429120619.1013440-1-jgross@suse.com> References: <20260429120619.1013440-1-jgross@suse.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Rspamd-Queue-Id: E27615BCC2 X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Rspamd-Action: no action X-Spam-Score: -4.00 X-Spam-Level: X-Spam-Flag: NO X-Spamd-Result: default: False [-4.00 / 50.00]; REPLY(-4.00)[] X-Rspamd-Server: rspamd1.dmz-prg2.suse.org X-purgate-ID: tlsNG-bad1c0/1777464393-492B2A53-7D71699E/0/0 X-purgate-type: clean X-purgate-size: 5943 X-ZM-MESSAGEID: 1777464449700158500 Content-Type: text/plain; charset="utf-8" Add support for using DOMID_ANY in node permissions to indicate that all domains are allowed to access the node. Add a new feature bit for indicating the support of DOMID_ANY. Signed-off-by: Juergen Gross Reviewed-by: Jason Andryuk --- docs/man/xl.cfg.5.pod.in | 4 ++++ tools/xenstored/core.c | 19 ++++++++++++++----- tools/xenstored/domain.c | 16 ++++++++++++++-- tools/xenstored/domain.h | 3 ++- xen/include/public/io/xs_wire.h | 2 ++ 5 files changed, 36 insertions(+), 8 deletions(-) diff --git a/docs/man/xl.cfg.5.pod.in b/docs/man/xl.cfg.5.pod.in index 2f77016ecf..d34951edb9 100644 --- a/docs/man/xl.cfg.5.pod.in +++ b/docs/man/xl.cfg.5.pod.in @@ -746,6 +746,10 @@ Xenstore supports to set watches with a limited depth = (depth 0 matches only the watched node, depth 1 matches the node and its direct children, etc.). =20 +=3Ditem B<0x00000008> + +Xenstore supports the B node access permission. + =3Dback =20 The features supported by the running Xenstore instance can be retrieved diff --git a/tools/xenstored/core.c b/tools/xenstored/core.c index 6d82111e29..7dbcd5daad 100644 --- a/tools/xenstored/core.c +++ b/tools/xenstored/core.c @@ -882,6 +882,16 @@ static int write_node(struct connection *conn, struct = node *node, return ret; } =20 +/* Check one node permission to match a connection. */ +static bool perm_allows_conn(const struct connection *conn, + const struct xs_permissions *p) +{ + if (p->id =3D=3D conn->id || (conn->target && p->id =3D=3D conn->target->= id)) + return true; + + return p->id =3D=3D DOMID_ANY; +} + unsigned int perm_for_conn(struct connection *conn, const struct node_perms *perms) { @@ -889,14 +899,13 @@ unsigned int perm_for_conn(struct connection *conn, unsigned int mask =3D XS_PERM_READ|XS_PERM_WRITE|XS_PERM_OWNER; =20 /* Owners and tools get it all... */ - if (!domain_is_unprivileged(conn) || perms->p[0].id =3D=3D conn->id - || (conn->target && perms->p[0].id =3D=3D conn->target->id= )) + if (!domain_is_unprivileged(conn) || + perm_allows_conn(conn, perms->p)) return (XS_PERM_READ|XS_PERM_WRITE|XS_PERM_OWNER) & mask; =20 for (i =3D 1; i < perms->num; i++) if (!(perms->p[i].perms & XS_PERM_IGNORE) && - (perms->p[i].id =3D=3D conn->id || - (conn->target && perms->p[i].id =3D=3D conn->target->id))) + perm_allows_conn(conn, perms->p + i)) return perms->p[i].perms & mask; =20 return perms->p[0].perms & mask; @@ -1832,7 +1841,7 @@ static int do_set_perms(const void *ctx, struct conne= ction *conn, if (!xenstore_strings_to_perms(perms.p, perms.num, permstr)) return errno; =20 - if (domain_alloc_permrefs(&perms)) + if (domain_alloc_permrefs(conn, &perms)) return ENOMEM; if (perms.p[0].perms & XS_PERM_IGNORE) return ENOENT; diff --git a/tools/xenstored/domain.c b/tools/xenstored/domain.c index 00875d6b5c..7074abd197 100644 --- a/tools/xenstored/domain.c +++ b/tools/xenstored/domain.c @@ -44,7 +44,8 @@ #endif =20 #define XENSTORE_FEATURES (XENSTORE_SERVER_FEATURE_ERROR | \ - XENSTORE_SERVER_FEATURE_WATCHDEPTH) + XENSTORE_SERVER_FEATURE_WATCHDEPTH | \ + XENSTORE_SERVER_FEATURE_DOMID_ANY) =20 static xenmanage_handle *xm_handle; xengnttab_handle **xgt_handle; @@ -1754,8 +1755,12 @@ static bool chk_domain_generation(unsigned int domid= , uint64_t gen) * Allocate all missing struct domain referenced by a permission set. * Any permission entries for not existing domains will be marked to be * ignored. + * A DOMID_ANY entry will be marked to be ignored, if the writing + * domain doesn't have the XENSTORE_SERVER_FEATURE_DOMID_ANY enabled. Note + * that Xen tools will never set DOMID_ANY for a guest owned node. */ -int domain_alloc_permrefs(struct node_perms *perms) +int domain_alloc_permrefs(const struct connection *conn, + struct node_perms *perms) { unsigned int i, domid; struct domain *d; @@ -1763,6 +1768,12 @@ int domain_alloc_permrefs(struct node_perms *perms) =20 for (i =3D 0; i < perms->num; i++) { domid =3D perms->p[i].id; + if (domid =3D=3D DOMID_ANY) { + if (!(conn->domain->features & + XENSTORE_SERVER_FEATURE_DOMID_ANY)) + perms->p[i].perms |=3D XS_PERM_IGNORE; + continue; + } d =3D find_domain_struct(domid); if (!d) { if (xenmanage_get_domain_info(xm_handle, domid, NULL, @@ -1788,6 +1799,7 @@ int domain_adjust_node_perms(struct node *node) =20 for (i =3D 1; i < node->hdr.num_perms; i++) { if ((perms[i].perms & XS_PERM_IGNORE) || + perms[i].id =3D=3D DOMID_ANY || chk_domain_generation(perms[i].id, node->hdr.generation)) continue; =20 diff --git a/tools/xenstored/domain.h b/tools/xenstored/domain.h index b1cfb5cd82..7dad4849a0 100644 --- a/tools/xenstored/domain.h +++ b/tools/xenstored/domain.h @@ -116,7 +116,8 @@ const char *get_implicit_path(const struct connection *= conn); */ int domain_adjust_node_perms(struct node *node); =20 -int domain_alloc_permrefs(struct node_perms *perms); +int domain_alloc_permrefs(const struct connection *conn, + struct node_perms *perms); =20 /* Quota manipulation */ int domain_nbentry_inc(struct connection *conn, unsigned int domid); diff --git a/xen/include/public/io/xs_wire.h b/xen/include/public/io/xs_wir= e.h index 2e763bc877..d6533a8452 100644 --- a/xen/include/public/io/xs_wire.h +++ b/xen/include/public/io/xs_wire.h @@ -126,6 +126,8 @@ struct xenstore_domain_interface { #define XENSTORE_SERVER_FEATURE_ERROR 2 /* The XS_WATCH command can be used with a parameter */ #define XENSTORE_SERVER_FEATURE_WATCHDEPTH 4 +/* The capability to use DOMID_ANY for node permissions */ +#define XENSTORE_SERVER_FEATURE_DOMID_ANY 8 =20 /* Valid values for the connection field */ #define XENSTORE_CONNECTED 0 /* the steady-state */ --=20 2.53.0 From nobody Sun May 3 14:25:23 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=fail(p=quarantine dis=quarantine) header.from=suse.com Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1777464442712495.0600483880952; Wed, 29 Apr 2026 05:07:22 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.1297276.1573375 (Exim 4.92) (envelope-from ) id 1wI3gf-000785-58; Wed, 29 Apr 2026 12:06:41 +0000 Received: by outflank-mailman (output) from mailman id 1297276.1573375; Wed, 29 Apr 2026 12:06:41 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wI3gf-00077t-1L; Wed, 29 Apr 2026 12:06:41 +0000 Received: by outflank-mailman (input) for mailman id 1297276; Wed, 29 Apr 2026 12:06:40 +0000 Received: from mx.expurgate.net ([195.190.135.10]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wI3gd-00076k-VM for xen-devel@lists.xenproject.org; Wed, 29 Apr 2026 12:06:39 +0000 Received: from mx.expurgate.net (helo=localhost) by mx.expurgate.net with esmtp id 1wI3gd-00CWOJ-BO for xen-devel@lists.xenproject.org; Wed, 29 Apr 2026 14:06:39 +0200 Received: from [10.42.69.6] (helo=localhost) by localhost with ESMTP (eXpurgate MTA 0.9.1) (envelope-from ) id 69f1f440-bab6-0a2a0a5309dd-0a2a450689ac-40 for ; Wed, 29 Apr 2026 14:06:39 +0200 Received: from [195.135.223.131] (helo=smtp-out2.suse.de) by tlsNG-16d1c6.mxtls.expurgate.net with ESMTPS (eXpurgate 4.56.1) (envelope-from ) id 69f1f44f-7371-0a2a45060019-c387df83d28e-3 for ; Wed, 29 Apr 2026 14:06:39 +0200 Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org [IPv6:2a07:de40:b281:104:10:150:64:97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 6EEB45BD15; Wed, 29 Apr 2026 12:06:38 +0000 (UTC) Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 46C11593B0; Wed, 29 Apr 2026 12:06:38 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id B3krEE708Wm5VQAAD6G6ig (envelope-from ); Wed, 29 Apr 2026 12:06:38 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" Authentication-Results: eu.smtp.expurgate.cloud; none Authentication-Results: smtp-out2.suse.de; none From: Juergen Gross To: xen-devel@lists.xenproject.org Cc: Juergen Gross , Julien Grall , Anthony PERARD , Jason Andryuk Subject: [PATCH v2 3/4] tools/xenstored: allow @releaseDomain watch for all domains Date: Wed, 29 Apr 2026 14:06:18 +0200 Message-ID: <20260429120619.1013440-4-jgross@suse.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260429120619.1013440-1-jgross@suse.com> References: <20260429120619.1013440-1-jgross@suse.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Rspamd-Queue-Id: 6EEB45BD15 X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Rspamd-Action: no action X-Spam-Score: -4.00 X-Spam-Level: X-Spam-Flag: NO X-Spamd-Result: default: False [-4.00 / 50.00]; REPLY(-4.00)[] X-Rspamd-Server: rspamd1.dmz-prg2.suse.org X-purgate-ID: tlsNG-16d1c6/1777464399-50566D75-6BEF1B58/0/0 X-purgate-type: clean X-purgate-size: 2688 X-ZM-MESSAGEID: 1777464443717158500 Content-Type: text/plain; charset="utf-8" Currently the @releaseDomain watch is allowed for dom0 only. This is problematic for guests which want to give other domains access to Xenstore entries, as they have no simple way to tell when such a domain is stopped. Allow @releaseDomain to be usable by all domains as the default. Signed-off-by: Juergen Gross Reviewed-by: Jason Andryuk --- tools/xenstored/core.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/tools/xenstored/core.c b/tools/xenstored/core.c index 7dbcd5daad..d6d462b7bc 100644 --- a/tools/xenstored/core.c +++ b/tools/xenstored/core.c @@ -2279,19 +2279,19 @@ struct connection *get_connection_by_id(unsigned in= t conn_id) } =20 /* We create initial nodes manually. */ -static void manual_node(const char *name, const char *child) +static void manual_node_perms(const char *name, const char *child, + struct xs_permissions *perms, + unsigned int n_perms) { struct node *node; - struct xs_permissions perms =3D { .id =3D priv_domid, - .perms =3D XS_PERM_NONE }; =20 node =3D talloc_zero(NULL, struct node); if (!node) barf_perror("Could not allocate initial node %s", name); =20 node->name =3D name; - node->perms =3D &perms; - node->hdr.num_perms =3D 1; + node->perms =3D perms; + node->hdr.num_perms =3D n_perms; node->children =3D (char *)child; if (child) node->hdr.childlen =3D strlen(child) + 1; @@ -2301,6 +2301,14 @@ static void manual_node(const char *name, const char= *child) talloc_free(node); } =20 +static void manual_node(const char *name, const char *child) +{ + struct xs_permissions perms =3D { .id =3D priv_domid, + .perms =3D XS_PERM_NONE }; + + manual_node_perms(name, child, &perms, 1); +} + static unsigned int hash_from_key_fn(const void *k) { const char *str =3D k; @@ -2320,6 +2328,11 @@ static int keys_equal_fn(const void *key1, const voi= d *key2) =20 void setup_structure(bool live_update) { + struct xs_permissions perms[] =3D { + { .id =3D priv_domid, .perms =3D XS_PERM_NONE }, + { .id =3D DOMID_ANY, .perms =3D XS_PERM_READ }, + }; + nodes =3D create_hashtable(NULL, "nodes", hash_from_key_fn, keys_equal_fn, HASHTABLE_FREE_KEY | HASHTABLE_FREE_VALUE); if (!nodes) @@ -2331,7 +2344,8 @@ void setup_structure(bool live_update) manual_node("/", "tool"); manual_node("/tool", "xenstored"); manual_node("/tool/xenstored", NULL); - manual_node("@releaseDomain", NULL); + manual_node_perms("@releaseDomain", NULL, + perms, ARRAY_SIZE(perms)); manual_node("@introduceDomain", NULL); domain_nbentry_fix(priv_domid, 5); } --=20 2.53.0 From nobody Sun May 3 14:25:23 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass(p=quarantine dis=none) header.from=suse.com ARC-Seal: i=1; a=rsa-sha256; t=1777464458; cv=none; d=zohomail.com; s=zohoarc; b=nIPAHb72zHvUg4LV5KXxCpMMk/+e67/t1ELdjujI3tTRA9Zu2fPKD5jObFgYUAbfwQ4o1vnbx/2ks06Ek8Mb1iRznlJUeDL++KncLB4xvJ7DL/CmKzORoQ5FoVUwdMaBcZNIKE8rscj4T4MKFcrvbrEVX/vwHWZ/QRF8BW2G7Vk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1777464458; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=neoM0rxwlNWkYjpN6UzzXgAR6Uz/BSePabcIeLnOQEY=; b=Wt4vFO7jrpb3lJ+JFvGWBIku7QE4pzdjW1TNSA7XADgeuw/AzO9dA1QjPQXpln70sbcmD84Shy0wsANGEhgwprylERP8Uw4Y+q/lH9CAvXeSOI/UjNw53IuTito1oFvHJ5vcUAEfF5K0Dq6Mszgb/Ra7erqsN9PI8j1vdmhHoVc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1777464458664635.3040799584726; Wed, 29 Apr 2026 05:07:38 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.1297290.1573384 (Exim 4.92) (envelope-from ) id 1wI3gt-0007qX-F2; Wed, 29 Apr 2026 12:06:55 +0000 Received: by outflank-mailman (output) from mailman id 1297290.1573384; Wed, 29 Apr 2026 12:06:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wI3gt-0007qN-Bm; Wed, 29 Apr 2026 12:06:55 +0000 Received: by outflank-mailman (input) for mailman id 1297290; Wed, 29 Apr 2026 12:06:53 +0000 Received: from mx.expurgate.net ([195.190.135.10]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1wI3gr-0007jq-Ey for xen-devel@lists.xenproject.org; Wed, 29 Apr 2026 12:06:53 +0000 Received: from mx.expurgate.net (helo=localhost) by mx.expurgate.net with esmtp id 1wI3gq-00CWTK-R9 for xen-devel@lists.xenproject.org; Wed, 29 Apr 2026 14:06:52 +0200 Received: from [10.42.69.7] (helo=localhost) by localhost with ESMTP (eXpurgate MTA 0.9.1) (envelope-from ) id 69f1f44e-e002-0a2a0a5209dd-0a2a450789ca-48 for ; Wed, 29 Apr 2026 14:06:52 +0200 Received: from [195.135.223.130] (helo=smtp-out1.suse.de) by tlsNG-ef75cf.mxtls.expurgate.net with ESMTPS (eXpurgate 4.56.1) (envelope-from ) id 69f1f45c-229c-0a2a45070019-c387df82dc42-3 for ; Wed, 29 Apr 2026 14:06:52 +0200 Received: from imap1.dmz-prg2.suse.org (unknown [10.150.64.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id E39B46A882; Wed, 29 Apr 2026 12:06:43 +0000 (UTC) Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id BB4D3593B1; Wed, 29 Apr 2026 12:06:43 +0000 (UTC) Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167]) by imap1.dmz-prg2.suse.org with ESMTPSA id 5ECsLFP08WlnVgAAD6G6ig (envelope-from ); Wed, 29 Apr 2026 12:06:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" Authentication-Results: eu.smtp.expurgate.cloud; dkim=pass header.s=susede1 header.d=suse.com header.i="@suse.com" header.h="From:Date:Message-ID:To:Cc:MIME-Version:Content-Transfer-Encoding:In-Reply-To:References"; dkim=pass header.s=susede1 header.d=suse.com header.i="@suse.com" header.h="From:Date:Message-ID:To:Cc:MIME-Version:Content-Transfer-Encoding:In-Reply-To:References" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1777464408; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=neoM0rxwlNWkYjpN6UzzXgAR6Uz/BSePabcIeLnOQEY=; b=crpuUwj03HTzALbP6aMvKtI+UrUDFjtrcMk488Web7k5nVA8/2VDsL/z/P6OpabobA4QRD 9gf5kaoxLSLiLKLLb11KVjiKArOcPG2ATT228i8V9AfxxBRmSRjWzbi2oB5Qr1izR1MAu9 eny0KlFe305xNPGnkcSGWzoXJf6GMx4= Authentication-Results: smtp-out1.suse.de; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1777464403; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=neoM0rxwlNWkYjpN6UzzXgAR6Uz/BSePabcIeLnOQEY=; b=ZSpWGLqasrDc/j1ptizTy2a1M7sNMVRN5jKpUou289QW+BCKG9frcmynpM4OURxI3sdoIP Nj8UCc7h+hImONRLCNvmNexl7f1LRFpzZdB8XuEGIvDB3sSM9N1Sbnj5PlHFcQQphdZd4A 83Nk5f5igr8ymuTC2pqRmrDgGzF+rtQ= From: Juergen Gross To: xen-devel@lists.xenproject.org Cc: Juergen Gross , Julien Grall , Anthony PERARD , Jason Andryuk Subject: [PATCH v2 4/4] tools/xenstored: remove permissions related to dead domain Date: Wed, 29 Apr 2026 14:06:19 +0200 Message-ID: <20260429120619.1013440-5-jgross@suse.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260429120619.1013440-1-jgross@suse.com> References: <20260429120619.1013440-1-jgross@suse.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Spamd-Result: default: False [-6.80 / 50.00]; REPLY(-4.00)[]; BAYES_HAM(-3.00)[100.00%]; NEURAL_HAM_LONG(-1.00)[-1.000]; MID_CONTAINS_FROM(1.00)[]; R_MISSING_CHARSET(0.50)[]; NEURAL_HAM_SHORT(-0.20)[-1.000]; MIME_GOOD(-0.10)[text/plain]; RCVD_COUNT_TWO(0.00)[2]; FROM_HAS_DN(0.00)[]; ARC_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; TO_DN_SOME(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; DBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo,suse.com:mid,suse.com:email,amd.com:email]; FROM_EQ_ENVFROM(0.00)[]; DKIM_SIGNED(0.00)[suse.com:s=susede1]; RCPT_COUNT_FIVE(0.00)[5]; RCVD_TLS_ALL(0.00)[] X-Spam-Flag: NO X-Spam-Score: -6.80 X-Spam-Level: X-purgate-ID: tlsNG-ef75cf/1777464412-14E57C48-7515360F/0/0 X-purgate-type: clean X-purgate-size: 3796 X-ZohoMail-DKIM: pass (identity @suse.com) (identity @suse.com) X-ZM-MESSAGEID: 1777464459941158500 Content-Type: text/plain; charset="utf-8" Wit unprivileged domains now capable to use the @releaseDomain watch, there is no reason not to remove any node permissions which relate to a domain which has been removed. This resolves a complex scenario where a new domain could inherit the permissions of an old one with the same domid. Signed-off-by: Juergen Gross Reviewed-by: Jason Andryuk --- V2: use priv_domid instead of literal 0 in message (Jason Andryuk) --- tools/xenstored/domain.c | 62 ++++++++++++++++++++++++---------------- 1 file changed, 37 insertions(+), 25 deletions(-) diff --git a/tools/xenstored/domain.c b/tools/xenstored/domain.c index 7074abd197..2db452144d 100644 --- a/tools/xenstored/domain.c +++ b/tools/xenstored/domain.c @@ -569,24 +569,10 @@ static int domain_tree_remove_sub(const void *ctx, st= ruct connection *conn, struct node *node, void *arg) { struct domain *domain =3D arg; - int ret =3D WALK_TREE_OK; - - if (node->perms[0].id !=3D domain->domid) - return WALK_TREE_OK; + bool node_changed =3D false; + unsigned int i; =20 - if (keep_orphans) { - domain_nbentry_dec(NULL, domain->domid); - node->perms[0].id =3D priv_domid; - node->acc.memory =3D 0; - domain_nbentry_inc(NULL, priv_domid); - if (write_node_raw(NULL, node->name, node, NODE_MODIFY, true)) { - /* That's unfortunate. We only can try to continue. */ - syslog(LOG_ERR, - "error when moving orphaned node %s to dom0\n", - node->name); - } else - trace("orphaned node %s moved to dom0\n", node->name); - } else { + if (node->perms[0].id =3D=3D domain->domid && !keep_orphans) { if (rm_node(NULL, ctx, node->name)) { /* That's unfortunate. We only can try to continue. */ syslog(LOG_ERR, @@ -596,10 +582,39 @@ static int domain_tree_remove_sub(const void *ctx, st= ruct connection *conn, trace("orphaned node %s deleted\n", node->name); =20 /* Skip children in all cases in order to avoid more errors. */ - ret =3D WALK_TREE_SKIP_CHILDREN; + return WALK_TREE_SKIP_CHILDREN; } =20 - return domain->acc_val[ACC_NODES] ? ret : WALK_TREE_SUCCESS_STOP; + if (node->perms[0].id =3D=3D domain->domid) { + domain_nbentry_dec(NULL, domain->domid); + node->perms[0].id =3D priv_domid; + node->acc.memory =3D 0; + domain_nbentry_inc(NULL, priv_domid); + trace("moving orphaned node %s to dom%d\n", node->name, + priv_domid); + node_changed =3D true; + } + + for (i =3D 1; i < node->hdr.num_perms; i++) { + if (node->perms[i].id !=3D domain->domid) + continue; + memmove(node->perms + i, node->perms + i + 1, + sizeof(*node->perms) * (node->hdr.num_perms - i - 1)); + node->hdr.num_perms--; + i--; + node_changed =3D true; + } + + if (node_changed) { + if (write_node_raw(NULL, node->name, node, NODE_MODIFY, true)) { + /* That's unfortunate. We only can try to continue. */ + syslog(LOG_ERR, + "error when writing modified node %s\n", + node->name); + } + } + + return WALK_TREE_OK; } =20 static void domain_tree_remove(struct domain *domain) @@ -607,12 +622,9 @@ static void domain_tree_remove(struct domain *domain) int ret; struct walk_funcs walkfuncs =3D { .enter =3D domain_tree_remove_sub }; =20 - if (domain->acc_val[ACC_NODES]) { - ret =3D walk_node_tree(domain, NULL, "/", &walkfuncs, domain); - if (ret =3D=3D WALK_TREE_ERROR_STOP) - syslog(LOG_ERR, - "error when looking for orphaned nodes\n"); - } + ret =3D walk_node_tree(domain, NULL, "/", &walkfuncs, domain); + if (ret =3D=3D WALK_TREE_ERROR_STOP) + syslog(LOG_ERR, "error when looking for orphaned nodes\n"); =20 walk_node_tree(domain, NULL, "@releaseDomain", &walkfuncs, domain); walk_node_tree(domain, NULL, "@introduceDomain", &walkfuncs, domain); --=20 2.53.0