
Re: [Xen-users] Trace domU's process file access by/inside Xen

  • To: xen-users@xxxxxxxxxxxxx
  • From: Alexandre Kouznetsov <alk@xxxxxxxxxx>
  • Date: Wed, 03 Apr 2013 10:07:50 -0600
  • Delivery-date: Wed, 03 Apr 2013 16:09:06 +0000
  • List-id: Xen user discussion <xen-users.lists.xen.org>


On 03/04/13 08:30, Winai Wongthai wrote:
> By using or inside Xen itself not dom0 or domU,

In short, no. Nothing can be done within Xen itself.

Please note that the storage (and the networking) resources are offered to DomUs not by the hypervisor itself, but by Dom0. Now that I mention it, it is possible to set up a "stub domain" in order to give this job to a less privileged domain, but it still stays within a virtual machine, not within the hypervisor itself. Besides, any control interaction with the Xen hypervisor has to be done via Dom0.

Obviously, an interaction between Dom0 and the hypervisor takes place while exporting resources to DomU, but it is very low level, and would require heavy hypervisor hacking to get into it.

> it is possible that I can trace which domU's process reads,
> writes,  opens, or closes ( system call number 3-6 ) a particular
> file inside domU itself?

In short, no, as far as I know. The way you intend to do it is rather complex.

Theoretically, you could monitor DomU's disk access from Dom0. What you could actually see would not be FS system calls, but block reads and writes, because it's a low-level block device that is exported to the DomU. If intercepted, (again, theoretically) it would be possible to parse those reads and writes, and find out what's going on inside using some technique similar to networking Deep Packet Inspection (take raw data, look for patterns, compare to templates).

If you intend to audit your FS access, the place to do it is the DomU itself. The auditd utility seems to be the right tool, though I have never used it myself.


Alexandre Kouznetsov
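
Added example, not part of the original message: a sketch of the in-DomU audit approach suggested above, correlating auditd SYSCALL and PATH records by event serial to list which process touched a given file. It assumes auditd runs inside the DomU and logs in the usual key=value layout; the log lines, file path and key name are constructed, and the syscall numbers are the i386 ones (3-6) named in the question.

```python
import re
from collections import defaultdict

# i386 syscall numbers named in the question (3-6).
SYSCALLS = {"3": "read", "4": "write", "5": "open", "6": "close"}

# Constructed, simplified sample records in the audit.log layout; not real data.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1365005270.101:501): arch=40000003 syscall=5 success=yes exit=3 pid=2210 uid=0 comm="cat" exe="/bin/cat" key="watch-demo"
type=PATH msg=audit(1365005270.101:501): item=0 name="/srv/data/report.txt" inode=1311 mode=0100644
type=SYSCALL msg=audit(1365005271.440:502): arch=40000003 syscall=5 success=no exit=-13 pid=2291 uid=1000 comm="vi" exe="/usr/bin/vi" key="watch-demo"
type=PATH msg=audit(1365005271.440:502): item=0 name="/srv/data/report.txt" inode=1311 mode=0100644
type=SYSCALL msg=audit(1365005272.007:503): arch=40000003 syscall=5 success=yes exit=3 pid=2300 uid=0 comm="ls" exe="/bin/ls" key="watch-demo"
type=PATH msg=audit(1365005272.007:503): item=0 name="/srv/data/other.txt" inode=1312 mode=0100644
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit event serial: {serial: {type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[serial][rtype].append(fields)
    return events

def accesses_to(text, target):
    """Return (pid, comm, syscall, success) for events whose PATH names `target`."""
    hits = []
    for serial, recs in sorted(parse_events(text).items(), key=lambda kv: int(kv[0])):
        if not any(p.get("name") == target for p in recs.get("PATH", [])):
            continue
        for sc in recs.get("SYSCALL", []):
            name = SYSCALLS.get(sc.get("syscall"), "syscall " + sc.get("syscall", "?"))
            hits.append((int(sc["pid"]), sc["comm"], name, sc["success"] == "yes"))
    return hits

if __name__ == "__main__":
    for hit in accesses_to(SAMPLE_LOG, "/srv/data/report.txt"):
        print(hit)
```

The failed open by pid 2291 is reported alongside the successful one, which is the kind of per-process detail that block-level monitoring from Dom0 cannot provide.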
