From: Keir Fraser <keir@xensource.com>
To: Derek Murray <Derek.Murray@cl.cam.ac.uk>,
"George S. Coker, II" <gscoker@alpha.ncsc.mil>
Cc: xen-devel@lists.xensource.com, xense-devel@lists.xensource.com
Subject: Re: [Xense-devel][PATCH][1/4] Xen Security Modules: XSM
Date: Wed, 09 May 2007 15:23:16 +0100 [thread overview]
Message-ID: <C26797E4.E987%keir@xensource.com> (raw)
In-Reply-To: <37BDD058-CD33-46BC-8CC6-B0214A45925C@cl.cam.ac.uk>
On 9/5/07 15:04, "Derek Murray" <Derek.Murray@cl.cam.ac.uk> wrote:
> For disaggregation of the domain builder, we would like to be able to
> delegate this privilege to a small, trusted domain (domB): it seems
> to me that XSM would be the cleanest way to do this. Would it
> therefore be possible to add a hook in set_foreigndom() on the !
> IS_PRIV(d) branch, or is there some security consequence that I am
> overlooking?
Better to get rid of the IS_PRIV() altogether? If we're adding these hooks
all over the place we may as well get some benefit from them, even if it
means adding extra ones. Only question then is whether conflating security
constraints required for correct operation of the Xen platform (i.e.,
capabilities of the disaggregated dom0 domains) with the constraints
required for domU's, and trying to express these in the same security policy
module actually makes sense. It might make sense to 'shim in' a static
built-in policy at those hook points as a pre-filter on the
dynamically-loaded policy for ordinary domUs.
-- Keir
next prev parent reply other threads:[~2007-05-09 14:23 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-05-07 21:41 [Xense-devel][PATCH][1/4] Xen Security Modules: XSM George S. Coker, II
2007-05-07 23:10 ` Chris Wright
2007-05-08 0:59 ` George S. Coker, II
2007-05-08 1:12 ` George S. Coker, II
2007-05-08 3:08 ` Chris Wright
2007-05-08 2:54 ` Mark Williamson
2007-05-08 12:44 ` John McDermott (US Navy Employee)
2007-05-08 13:12 ` Mark Williamson
2007-05-09 14:04 ` Derek Murray
2007-05-09 14:23 ` Keir Fraser [this message]
2007-05-09 17:04 ` George S. Coker, II
2007-05-11 13:32 ` Derek Murray
2007-05-11 15:10 ` George S. Coker, II
2007-05-11 16:51 ` Keir Fraser
2007-05-11 17:19 ` George S. Coker, II
2007-05-18 3:56 ` Stefan Berger
2007-05-18 20:00 ` George S. Coker, II
2007-05-09 17:13 ` George S. Coker, II
-- strict thread matches above, loose matches on Subject: below --
2007-06-04 19:06 George S. Coker, II
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=C26797E4.E987%keir@xensource.com \
--to=keir@xensource.com \
--cc=Derek.Murray@cl.cam.ac.uk \
--cc=gscoker@alpha.ncsc.mil \
--cc=xen-devel@lists.xensource.com \
--cc=xense-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.