[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel][Xense-devel][PATCH][1/4] Xen Security Modules: XSM




xen-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 05/11/2007 11:10:08 AM:

> On Fri, 2007-05-11 at 14:32 +0100, Derek Murray wrote:
> > On 9 May 2007, at 18:04, George S. Coker, II wrote:
[...]
> Currently the existing ACM module is implemented as a single XSM module
> which stacks (internally) the Chinese Wall and Simple Type Enforcement
> functionality.  (This is the preferred approach for stacking.)  ACM-XSM
> is one module with the flexibility to enforce STE and/or CW policy.
>
> The existing ACM was designed to be complementary to Xen's IS_PRIV().
> Moving IS_PRIV() to the default/dummy XSM module does not alter this
> relationship as the hooks used by ACM are orthogonal to the IS_PRIV()
> hooks.  On init of the XSM (because ACM-XSM does not define replacements
> for these IS_PRIV() hooks), the hooks from the dummy/default module are
> integrated (or "shimmed") in to the ACM-XSM module.  So I think XSM can


If ACM-XSM does not define replacements for the IS_PRIV() hooks, how are you going to integrate them into ACM-XSM? If so, based on what information from the current ACM policy would ACM-XSM enforce the IS_PRIV() check? What if ACM is not active, what enforces IS_PRIV() then?

   Stefan

> do what you and Keir are suggesting.



>
> > Thanks for your input on this, and if I can be of any more help,  
> > please let me know.
> >
> > Regards,
> >
> > Derek Murray.
> --
> George S. Coker, II <gscoker@xxxxxxxxxxxxxx> 443-479-6944
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.