Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing Listxen 2.0 - adding selinux permissions
From: Luke Kenneth Casson Leighton <lkcl_at_lkcl.net>
Date: Tue, 23 Nov 2004 22:03:52 +0000
at present, the xen "master", which is the first virtual machine fired up, is allowed access to the xen control system (running in x86 ring 0) via /proc/xen. some ioctl commands represent things like "start a new virtual machine", "stop one", "suspend this session to disk" that sort of thing. then, what the xen developers have done is to write a web interface (using twisted python *gibber*) which presents virtually unrestricted (*gibber*) access to that /proc/xen interface on port 8000, using HTTP. then there is a command xm which connects to port 8000 and issues commands over the network port. apparently it is possible to implement authentication with the twisted python framework, so it's not _all_ bad - plus, if you're running a cluster, security restrictions just... get in the way!!! what i would _like_ to do is:
so: is this a practical proposition? i've looked at security/selinux/hooks.c - is it a simple matter of, say, copying the file ioctl command? should i be adding a new function to the LSM function table, examining the xen ioctl kernel call and calling the new security function in the xen ioctl? if i add a new function to the LSM function table, then presumably that means that someone could write a linux "capabilities" function too, yes? l. -- -- <a href="http://lkcl.net">http://lkcl.net</a> -- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Tue 23 Nov 2004 - 16:53:17 EST |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |