SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List [RFC][PATCH 00/01]qemu VM entrypoints This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ Next in thread ] [ Replies ] From: David Windsor <dwindsor_at_tresys.com> Date: Fri, 20 Jul 2007 15:32:16 -0400 Hi, After a bit more discussion about integrating SELinux and KVM, it seems that there is little interest in adding enforcement hooks to KVM as it stands. Once KVM gets some type of inter-vm communication mechanism, MAC hooks will probably be added in that space. Until then, there seems to be interest in adding MAC controls to control VM management operations, such as migrating VMs, or saving/resuming VMs. One particular aspect of VM management which may be nice to control via SELinux is the loading of a virtual hard disk into a VM. Currently, administrators would have to rely on file permissions to control which files could be used as a virtual hard disks. The semantics of file permissions do not accomplish what is needed here. A domain needs to explicitly get permission from the policy to both use a file as a virtual disk and to use the contents of that virtual disk as an "entrypoint" to the new, virtual machine of a different integrity level. Since there is no SELinux permission for this, I have created the vm { entrypoint } object class/permission pair to represent this type of access. Policy for allowing domain user_t to load a virtual disk of type qemu_virtdisk_t would look something like: allow user_t qemu_virtdisk_t:file r_file_perms; type_change user_t qemu_virtdisk_t:vm vm_user_t; allow qemu_virtdisk_t user_vm_t:vm entrypoint; Please note that this patch will only check the entrypoint permission, and does not actually facilitate transitioning on the type of the virtual disk. I want some comments before continuing with this approach. When loading a virtual disk into a VM, qemu would consult the policy to see essentially three things: if the current process is allowed to read the virtual disk file, what the type of the VM should be after loading the disk, and if the virtual disk is in fact allowed to serve as an entrypoint to the target domain. One problem with this approach is that loading a VM is not an exec-based operation. Dynamic transitions could be used, but could possibly be avoided by altering the patch to fork, then re-exec in the target domain. This patch applies cleanly to kvm-userspace trunk. Thoughts? -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Mon 23 Jul 2007 - 09:55:51 EDT This message: [ Message body ] Next message: David Windsor: "[RFC][PATCH 01/01] SELinux: add VM entrypoint object class/permission" Previous message: Yuichi Nakamura: "[patch] customizable AVTAB_HASH_BITS for embedded devices" Next in thread: James Morris: "Re: [kvm-devel] [RFC][PATCH 00/01]qemu VM entrypoints" Reply: James Morris: "Re: [kvm-devel] [RFC][PATCH 00/01]qemu VM entrypoints" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom