Re: [Xen-devel] [patch 5/5] xen: net features
On Tue, Feb 01, 2005 at 12:00:17AM -0000, Ian Pratt wrote:
> > > I can't see why making the frontend MAC readonly can really be done
> > > securely within the domain.
> >
> > Well, if you have module support enabled in the kernel, or some way
> > that lets root write to random (domain) memory, then it's not really
> > secure, although I think it's still a nice to have. Otherwise I would
> > think it should be reasonably secure?
>
> You need root access to change the mac normally, and it's trivial for
> root to change it under your scheme -- running sed on /dev/mem would do
> it...

I was thinking of something along the lines of adding a tiny bit of code to remove the CAP_SYS_MODULE and CAP_SYS_RAWIO capabilities from the global set of allowed caps when using the readonly option. With that in place you're down to requiring a kernel hole to get around it.

> > > > (2) the addition of some xen-specific sysfs attributes
> > > > on front/back vifs,
> > >
> > > What attributes?
> >
> > Backend:
> > - xen/fe.domain: frontend domain name
> > - xen/fe.initial_address: initial frontend interface mac address
> > - xen/fe.mac_mode: mac mode of the frontend interface (r/w)
> > - xen/be.mac_mode: mac mode of the backend interface (r/w)
> >
> > Frontend:
> > - xen/mac_mode: mac mode of the interface
>
> What's the naming convention for multiple fe/bs's.

Ah, sorry. I've had my head stuck in the sysfs system so much lately I didn't get enough context. Network interfaces appear within sysfs as:

/sys/class/net/INTNAME

so, e.g., /sys/class/net/vif1.0. The paths above are located within that, so you'd have

/sys/class/net/vif1.0/xen/fe.initial_address

> I can see some point having the be enforce the MAC, and possibly in
> having the enforcement address being configurable via sysfs. I'm not a
> big fan of this section of the patch, though.

The entire idea of it or just the current attributes?
J
--
Jody Belka
knew (at) pimb (dot) org
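The capability-dropping idea from the reply above, as an added illustration that is not part of Jody's patch or the Xen tree: it uses the later per-process bounding-set interface, prctl(PR_CAPBSET_DROP) (Linux 2.6.25+, assumed available here), rather than the in-kernel global set the thread proposes editing, and it needs CAP_SETPCAP to actually drop anything.

```c
/* Added example (not from the patch under discussion): drop CAP_SYS_MODULE
 * and CAP_SYS_RAWIO from this process's capability bounding set. Once
 * dropped, no descendant can regain them, so module loading and raw
 * /dev/mem writes stay closed even to root, which is the hole the thread
 * identifies in a frontend-enforced "readonly MAC". */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <linux/capability.h>
#include <sys/prctl.h>

/* Returns 1 if cap is still in the bounding set, 0 if not, -errno on error. */
int capbset_has(int cap)
{
    int rc = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
    return rc < 0 ? -errno : rc;
}

/* Remove cap from the bounding set. Needs CAP_SETPCAP; returns 0 or -errno. */
int capbset_drop(int cap)
{
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0)
        return -errno;
    return 0;
}

/* Apply the hardening from the thread: drop both caps and verify each one
 * is really gone. Returns 0 when both are confirmed dropped, -EPERM when the
 * caller lacks CAP_SETPCAP (unprivileged run), another -errno otherwise. */
int harden_readonly_mac(void)
{
    static const int caps[] = { CAP_SYS_MODULE, CAP_SYS_RAWIO };
    for (unsigned i = 0; i < sizeof caps / sizeof caps[0]; i++) {
        int rc = capbset_drop(caps[i]);
        if (rc != 0)
            return rc;
        if (capbset_has(caps[i]) != 0)   /* drop "succeeded" but cap remains */
            return -EIO;
    }
    return 0;
}

int main(void)
{
    int rc = harden_readonly_mac();
    if (rc == 0)
        printf("CAP_SYS_MODULE and CAP_SYS_RAWIO dropped from bounding set\n");
    else if (rc == -EPERM)
        printf("need CAP_SETPCAP to modify the bounding set\n");
    else
        printf("prctl failed: %s\n", strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

Run it as root (or with CAP_SETPCAP) and then try `insmod` or writing to /dev/mem from the same shell to see both refused; run it unprivileged and it reports the missing capability instead of silently doing nothing.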