
RE: [Xense-devel] Re: [Xen-devel] [PATCH] sHype access control architecture for Xen



Let's not confuse the issues here and don't turn this into a programming
language argument. With the sHype patches there is a well defined
language for specifying policies and there is a well defined binary
representation for that policy. That is a very good start!

I see the java tool as a *sample* implementation of a translator between
the two. You are free to write/use your own compiler in a language of
your choice. None of this affects the basic operation of MAC per se.

Off the top of my head here is a list of more interesting subjects:
- consistent/meaningful labeling of objects and subjects
- exposing these labels to service OSes who need to perform MAC
- ensuring that access check hooks are in the right place
- efficient policy cache implementation
- assistance in defining sensible/usable policies
- considering groups of VMs in MAC policies
I'm sure there are others (also see the minutes of the last Xen Security
meeting posted to this list mid-May which documented some of the
MAC-related discussions).

<rant>
I'd rather see discussions on these subjects than whether gcj compiles
the policy compiler or whether it should be written in a different
language etc.
</rant>

rolf




> -----Original Message-----
> From: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xense-devel-
> bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of aq
> Sent: 21 June 2005 15:49
> To: Ray Valdez
> Cc: xen-devel@xxxxxxxxxxxxxxxxxxx; Stefan Berger; Tupshin Harper;
> steven.hand@xxxxxxxxxxxx; xense-devel@xxxxxxxxxxxxxxxxxxx
> Subject: [Xense-devel] Re: [Xen-devel] [PATCH] sHype access
> controlarchitecture for Xen
> 
> On 6/21/05, Ray Valdez <rvaldez@xxxxxxxxxx> wrote:
> > On 6/21/05, Tupshin Harper <tupshin@xxxxxxxxxxx> wrote:
> > > aq wrote:
> > >
> > > >any plan to write the tool in other language, not Java? i guess not
> > > >many people (include me) are willing to install Java on their system.
> > > >
> > > >since python is used in xen, i  think it is a good candidate.
> > > >
> > > >i will play with the code and give some feedbacks.
> >
> > > Ensuring that the code compiles cleanly with gcj would eliminate this
> > > issue.
> >
> > We will look into compiling the tool with gcj. Thanks. We will appreciate
> > your feedback.
> >
> > > but we still need java to run the binary code, dont we?
> >
> > No. The tool is used for generating a binary policy file, which can then be
> > loaded into sHype via the
> > xeno-unstable.bk/tools/policy/policy_tool command.
> >
> 
> to tell the truth, installing java into any of my machines is the last
> thing i want to do. if it is possible to compile java code to native
> binary, that would be great. then java turns out to be even better
> than python, right ;-)
> 
> regards,
> aq
> 
> _______________________________________________
> Xense-devel mailing list
> Xense-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xense-devel
