* XEN : XSM policy and want some clarification for understanding.
@ 2013-08-02 11:30 cooldharma06
2013-08-02 13:38 ` Daniel De Graaf
0 siblings, 1 reply; 3+ messages in thread
From: cooldharma06 @ 2013-08-02 11:30 UTC (permalink / raw)
To: xen-devel
hi,
I am trying to create a new policy between doms.
According to the XSM Flask document:
- domU_t is a domain that can communicate with any other domU_t
- isolated_domU_t can only communicate with dom0
I analysed the policy. By
- domain_self_comms(domU_t)
- domain_comms(dom0_t, isolated_domU_t)
the above things are achieved.
From dom0, by making a hypercall, we can check that the policy is working.
But from domU, how can we check this?
And also, "how can I find that communication between these doms is
established?"
Is there any tool or userspace program available for that?
Please clarify, because I am not able to move further on this one.
regards,
cooldharma06.
* Re: XEN : XSM policy and want some clarification for understanding.
From: Daniel De Graaf @ 2013-08-02 13:38 UTC (permalink / raw)
To: cooldharma06; +Cc: xen-devel
On 08/02/2013 07:30 AM, cooldharma06 wrote:
> hi,
>
> i am trying to create new policy between dom's.
>
> By the XSM Flask document
>
> -domU_t is a domain that can communicate with any other domU_t
> - isolated_domU_t can only communicate with dom0
>
> i analysed the policy..
>
> by -domain_self_comms(domU_t)
> - domain_comms(dom0_t, isolated_domU_t)
>
> above things are achieved.
>
> From dom0 by making hypercall we can check that policy is working.
> but from domU how we can check this..?
Do you mean just checking if XSM is enabled? The XSM hypercall to get
enforcing mode will also work from domUs, if you really need to check
it directly. But most of the time, a domU will only need to notice
when it tries to do something not allowed by the policy.
Ideally the only domains that would care if XSM was enabled or not
would be toolstack domains that need to do things like set labels,
or domains that enforce their own security policy using XSM labels.
> And also "how i can find that communication between these doms are
> established..??"
>
> Is there any tool or userspace program is available for that.??
One easy way to test this is to use the libvchan client to communicate
between domains that are allowed (domU_t to domU_t) and then notice
that it gives an error when used between domU_t and isolated_domU_t.
> Clarify me because i cant able to move further by this one.
>
>
> regards,
> cooldharma06.
>
--
Daniel De Graaf
National Security Agency
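
An added example, not part of the original thread or of Xen's own code: a small Python model that turns the two policy lines quoted above into the expected pass/fail matrix for the libvchan test described in the reply. The `xl list -Z` sample, the domain names, and the simplification that each macro permits symmetric communication between the named types are assumptions.

```python
from itertools import combinations

# Constructed sample of `xl list -Z` output (names and labels are illustrative).
XL_LIST_Z = """\
Name                 ID   Mem VCPUs State   Time(s)   Security Label
Domain-0              0  2048     2 r-----    310.4   system_u:system_r:dom0_t
web1                  3   512     1 -b----     12.1   system_u:system_r:domU_t
web2                  4   512     1 -b----      9.8   system_u:system_r:domU_t
vault                 5   512     1 -b----      4.2   system_u:system_r:isolated_domU_t
"""

# Only the two policy lines quoted in the thread; a real policy has more
# comms rules, and pairs they cover show as "error" until listed here.
POLICY = [
    ("domain_self_comms", ("domU_t",)),
    ("domain_comms", ("dom0_t", "isolated_domU_t")),
]

def parse_domains(text):
    """Return {domain name: Flask type} from `xl list -Z` style text."""
    doms = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) >= 7:                    # last field is user:role:type
            doms[fields[0]] = fields[-1].rsplit(":", 1)[-1]
    return doms

def allowed_type_pairs(policy):
    """Expand the macros into unordered type pairs (assumed symmetric)."""
    pairs = set()
    for macro, args in policy:
        if macro not in ("domain_self_comms", "domain_comms"):
            raise ValueError(f"unmodelled macro: {macro}")
        pairs.add(frozenset(args))              # {t} means t <-> t
    return pairs

def expected_outcomes(doms, policy):
    """Map each domain pair to the outcome a vchan test should show."""
    ok = allowed_type_pairs(policy)
    return {
        (a, b): "connect" if frozenset((doms[a], doms[b])) in ok else "error"
        for a, b in combinations(sorted(doms), 2)
    }

if __name__ == "__main__":
    plan = expected_outcomes(parse_domains(XL_LIST_Z), POLICY)
    for (a, b), outcome in plan.items():
        print(f"{a:>9} <-> {b:<9} expect {outcome}")
```
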
* Re: XEN : XSM policy and want some clarification for understanding.
From: cooldharma06 @ 2013-08-03 5:55 UTC (permalink / raw)
To: Daniel De Graaf; +Cc: xen-devel
hi,
I searched for how to enable the "libvchan" library and to achieve
communication between domUs.
I am unable to find a proper guide or document for this.
Can you send me the guide or document for this?
regards,
cooldharma06.