30 messages in com.xensource.lists.xen-develRe: [Xen-devel] [PATCH][ACM] kernel e...| From | Sent On | Attachments |
|---|---|---|
| Bryan D. Payne | 24 Jul 2006 09:23 |  .diff |
| Keir Fraser | 24 Jul 2006 10:28 | |
| Bryan D Payne | 24 Jul 2006 13:09 | |
| Reiner Sailer | 24 Jul 2006 17:20 | |
| Keir Fraser | 25 Jul 2006 02:52 | |
| Bryan D Payne | 25 Jul 2006 10:45 | |
| Steven Hand | 25 Jul 2006 11:48 | |
| Mike D. Day | 26 Jul 2006 06:25 | |
| Keir Fraser | 26 Jul 2006 06:49 | |
| Reiner Sailer | 26 Jul 2006 08:47 | |
| Mike D. Day | 26 Jul 2006 10:45 | |
| Keir Fraser | 26 Jul 2006 11:06 | |
| Mike D. Day | 26 Jul 2006 11:23 | |
| Andrew Warfield | 26 Jul 2006 11:49 | |
| Reiner Sailer | 26 Jul 2006 14:21 | |
| Harry Butterworth | 26 Jul 2006 15:22 | |
| Reiner Sailer | 26 Jul 2006 15:51 | |
| Andrew Warfield | 26 Jul 2006 16:04 | |
| Harry Butterworth | 26 Jul 2006 18:40 | |
| Harry Butterworth | 27 Jul 2006 02:41 | |
| Reiner Sailer | 27 Jul 2006 08:37 | |
| Harry Butterworth | 27 Jul 2006 09:26 | |
| Harry Butterworth | 27 Jul 2006 09:36 | |
| Reiner Sailer | 27 Jul 2006 09:58 | |
| Harry Butterworth | 27 Jul 2006 10:06 | |
| Harry Butterworth | 27 Jul 2006 10:18 | |
| Reiner Sailer | 27 Jul 2006 10:38 | |
| Harry Butterworth | 27 Jul 2006 10:43 | |
| Reiner Sailer | 27 Jul 2006 10:52 | |
| Harry Butterworth | 27 Jul 2006 11:37 |
| Subject: | Re: [Xen-devel] [PATCH][ACM] kernel enforcement of vbd policies via blkback driver |
|---|---|
| From: | Steven Hand (Stev...@cl.cam.ac.uk) |
| Date: | 07/25/2006 11:48:09 AM |
| List: | com.xensource.lists.xen-devel |
The tools hook is not just a usability/conformity check. The check ensures that the tools will not set up entries in xenstore that would allow blkback to create a non-conformant vbd. So there is no way for a guest to trick blkback into creating a non-conformant vbd: it can only connect to vbds specified in its config file or added later via the vbd-add xm hotplug command. The tools stack should perform its compiance checks on both 'xm create' and 'xm vbd-add', and that should be sufficient.
My concern is that security is now relying on the correctness of all code that can write to the xenstore. The quantity of code that does this will likely continue to grow, and even include third party tools. If any of this code attachs a vbd to a domain without performing a security check, then the security would be bypassed.
There still a major dependency on xenstore; it's pretty much part of the TCB at present. I know some folks have been thinking about how to 'secure' it more comprehensively while allowing integration with whatever ACM policy is in force. I think this is a more promising approach than an ad hoc extra check in blkback.
cheers,
S.
_______________________________________________ Xen-devel mailing list Xen-...@lists.xensource.com http://lists.xensource.com/xen-devel