From mboxrd@z Thu Jan  1 00:00:00 1970
From: Alex Zeffertt <alex.zeffertt@eu.citrix.com>
Subject: Re: how to scan domU to get the inode info?
Date: Wed, 06 May 2009 10:34:42 +0100
Message-ID: <4A0159B2.5000202@eu.citrix.com>
References: <a160a7d60905052013m5a845abahc90807aef4799ccd@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xensource.com>
In-Reply-To: <a160a7d60905052013m5a845abahc90807aef4799ccd@mail.gmail.com>
List-Unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xensource.com>
List-Help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-Subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: Sucan <bitzsk@gmail.com>
Cc: "xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>, "9907yruby@gmail.com" <9907yruby@gmail.com>
List-Id: xen-devel@lists.xenproject.org

Sucan wrote:
> hi,
> 
> I have installed xen 3.2 in my computer , security is very important! 
> although linux is more secure than windows.i need to protect the domu 
> filesystem against hacking or virus. so each time when domu need to 
> write to disk. it send the request to dom0, when i recieve the request 
> in dom0, i will make sure the file it write is not in the /usr/bin 
> directory. if domu is trying to change files under /usr/bin directory, 
> it will be stoped by dom0.
>    this way, i can protect the /usr/bin dir not been changed for ever, 
> even if you have root privilage in domu , you can't change the files in 
> /usr/bin.
>     so ,the first thing i need to do is to scan files in /usr/bin 
> directory to get all the inode info. save each inode number in a file. 
> and transfer the file to dom0, each time domu submit a request to a file 
> , the request will send to dom0. next ,dom0 will compare the inode 
> number in that file .if find the same inode number, dom0 will stop the 
> write request. if not found, domu can write the file as normal.
>     my question is how to scan a directory(such as /usr/bin) and get all 
> inode info? which funtions may i use in the linux kernel api? Can 
> someone please shed some light on this problem? or any suggestions on my 
> ideas above to protect the domu linux filesystem against invasion?
> 

I'm not a security expert, but I think that write protecting /usr/bin will only 
stop a small number of security threats.  I recommend that you ask this question 
on a list dedicated to security issues rather than here.

However... if you just want a read-only /usr you can create a vbd and mount it 
as read-only on /usr.  You can also ensure it is read-only in dom0, by changing 
permission on the corresponding /dev file (or loopback file), and by setting the 
permissions in the 'disk' list in /etc/xen/your-vm-config.

Regards,

Alex

> -- 
> Best regards,
> Sucan
> Computer Department,Beijing Institute of Technology,China
>