From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: SE-Linux <selinux@tycho.nsa.gov>
Subject: xen 2.0 - adding selinux permissions
Date: Tue, 23 Nov 2004 22:03:52 +0000 [thread overview]
Message-ID: <20041123220352.GF5146@lkcl.net> (raw)
i'm considering doing some mods on xen 2.0's management interface,
if i can justify the work.
at present, the xen "master", which is the first virtual machine fired up,
is allowed access to the xen control system (running in x86 ring 0) via
/proc/xen.
some ioctl commands represent things like "start a new virtual machine",
"stop one", "suspend this session to disk" that sort of thing.
then, what the xen developers have done is to write a web
interface (using twisted python *gibber*) which presents
virtually unrestricted (*gibber*) access to that /proc/xen
interface on port 8000, using HTTP.
then there is a command xm which connects to port 8000 and issues
commands over the network port.
apparently it is possible to implement authentication with
the twisted python framework, so it's not _all_ bad - plus,
if you're running a cluster, security restrictions just... get
in the way!!!
what i would _like_ to do is:
- take out the HTTP access and merge the xm http client with the xend
http server.
- add in some new selinux security ids representing the xen commands
(create virtual machine, list virtual machines, shutdown a machine,
suspend-a-session-to-disk, etc.)
- write an selinux policy restricting the xm command to be the only
thing that is allowed to perform those operations.
so: is this a practical proposition?
i've looked at security/selinux/hooks.c - is it a simple matter of, say,
copying the file ioctl command?
should i be adding a new function to the LSM function table, examining
the xen ioctl kernel call and calling the new security function in the
xen ioctl?
if i add a new function to the LSM function table, then presumably that
means that someone could write a linux "capabilities" function too, yes?
l.
--
--
<a href="http://lkcl.net">http://lkcl.net</a>
--
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next reply other threads:[~2004-11-23 21:53 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-11-23 22:03 Luke Kenneth Casson Leighton [this message]
2004-11-24 13:39 ` xen 2.0 - adding selinux permissions Stephen Smalley
2004-11-24 15:09 ` Luke Kenneth Casson Leighton
2004-11-24 15:06 ` Stephen Smalley
2004-11-24 15:49 ` Luke Kenneth Casson Leighton
2004-11-24 15:54 ` Stephen Smalley
2004-11-24 17:10 ` Luke Kenneth Casson Leighton
2004-11-24 18:13 ` Colin Walters
2004-11-24 20:19 ` Luke Kenneth Casson Leighton
2004-11-25 1:15 ` Colin Walters
2004-11-25 9:22 ` Luke Kenneth Casson Leighton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20041123220352.GF5146@lkcl.net \
--to=lkcl@lkcl.net \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.