|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] protecting xen startup
Luke Kenneth Casson Leighton wrote: hi, i notice that there's a management interface on port 8000. i seek to protect this interface such that nothing but a trusted program (think selinux) may run, manage, start up or shut down xen oses. so: where can i find out information about the structure of the xen management interface? is the port 8000 stuff just providing a web server (/etc/init.d/xend) front-end to some extra system calls? What lives behind port 8000 is xend. This is the management daemon for xen. It presents its interface over HTTP and implements it using low-level calls into the xen hypervisor via ioctls. There is no system call interface that corresponds to the xend api. is the port 8000 stuff actually running in the xen boot-up stuff? Xen boots the hypervisor, then domain-0. Xend runs in domain-0 and is the normal way that all other domains get started. if it's some extra system calls that's very good because it will be possible to add selinux security hooks to protect each system call. You should be able to use selinux rules to specify what gets to talk to xend at port 8000. You'd need to enable LSM and selinux in the domain-0 kernel, but otherwise all you should need to do is configure selinux appropriately. ta, l. Hope this helps, Mike ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users.Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/ _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |