authorIan Jackson <Ian.Jackson@eu.citrix.com>2010-07-06 11:57:20 +0100
committerIan Jackson <Ian.Jackson@eu.citrix.com>2010-07-06 11:57:20 +0100
commit2157eba42a40fd8d18b8870f9a9073c41d21fb5f (patch)
treee3975fe56e67bad37e7a42fddac5c2e6db9abb36 /tools/xenstore
parentf2402d342d95bd0cdfabeb28a9510761ad0f7e89 (diff)
tools/xenstore: add XS_RESTRICT operation to C xenstore client libs.
The OCaml xenstored supports the XS_RESTRICT operation, which deprivileges a dom0 xenstore connection so it can only affect one domain's entries. Add the relevant definitions to the C libraries so that callers can use it. Signed-off-by: Tim Deegan <Tim.Deegan@citrix.com>
Diffstat (limited to 'tools/xenstore')
-rw-r--r--tools/xenstore/xs.c8
-rw-r--r--tools/xenstore/xs.h9
2 files changed, 17 insertions, 0 deletions
diff --git a/tools/xenstore/xs.c b/tools/xenstore/xs.c
index 094db25efa..3441656039 100644
--- a/tools/xenstore/xs.c
+++ b/tools/xenstore/xs.c
@@ -615,6 +615,14 @@ unwind:
return false;
}
+bool xs_restrict(struct xs_handle *h, unsigned domid)
+{
+ char buf[16];
+
+ sprintf(buf, "%d", domid);
+ return xs_bool(xs_single(h, XBT_NULL, XS_RESTRICT, buf, NULL));
+}
+
/* Watch a node for changes (poll on fd to detect, or call read_watch()).
* When the node (or any child) changes, fd will become readable.
* Token is returned when watch is read, to allow matching.
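Review bot: In xs_restrict, `sprintf(buf, "%d", domid)` formats an `unsigned` with a signed conversion, so the specifier does not match the argument type and a value above INT_MAX would be sent as a negative number. This string selects the domain whose permissions the connection is reduced to, so it should be formatted exactly and with a bound: `snprintf(buf, sizeof(buf), "%u", domid);`. The 16-byte buffer is large enough for a 32-bit value either way, but the bounded call keeps that true if the type of domid ever widens.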
diff --git a/tools/xenstore/xs.h b/tools/xenstore/xs.h
index 4dae5944ae..4806f1e240 100644
--- a/tools/xenstore/xs.h
+++ b/tools/xenstore/xs.h
@@ -83,6 +83,15 @@ bool xs_mkdir(struct xs_handle *h, xs_transaction_t t,
bool xs_rm(struct xs_handle *h, xs_transaction_t t,
const char *path);
+/* Restrict a xenstore handle so that it acts as if it had the
+ * permissions of domain @domid. The handle must currently be
+ * using domain 0's credentials.
+ *
+ * Returns false on failure, in which case the handle continues
+ * to use the old credentials, or true on success.
+ */
+bool xs_restrict(struct xs_handle *h, unsigned domid);
+
/* Get permissions of node (first element is owner, first perms is "other").
* Returns malloced array, or NULL: call free() after use.
*/
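Review bot: The comment on xs_restrict says a failed call leaves the handle on the old credentials, but it does not spell out what that means for a caller that uses the call to drop privilege. I would add `* On failure the handle is still fully privileged: callers that restrict` / `* before handling guest-controlled data must treat false as fatal.` The commit message says the OCaml xenstored supports XS_RESTRICT; if other daemons reject the operation, which the diff does not show, the comment should say so, because such callers would then fail at this call. It would also help to state whether a restricted handle can ever regain domain 0's credentials.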