Reiner Sailer
2005-Apr-26 15:00 UTC
[Xen-devel] [PATCH] shype for xen / patches version 1.0
Hi all,

this is a follow-up on our earlier posting: http://lists.xensource.com/archives/html/xen-devel/2005-03/msg01406.html. Please refer to this posting for background information and links to technical reports describing the architecture.

This new sHype patch supports grant tables. I've also worked in comments that I received on the earlier post (e.g., global default ssids).

Please note that the default policy under these patches is a "NULL" policy. This means that, even after the patches are applied, there will be *no* change to the user or administrator experience until a security policy is explicitly enabled.

The sHype port consists of three patches (tested on the xeno-unstable.bk 04/26/05):

1. shype_4_xeno-unstable.bk_v1.0_xen.diff
   patch that includes the security enforcement hooks and the access control module

2. shype_4_xeno-unstable.bk_v1.0_sparse.diff
   kernel patch that adds a /proc/xen/policycmd interface using a new policy hypercall to communicate policies between xen and the policy management tool;

3. shype_4_xeno-unstable.bk_v1.0_tools.diff
   tools patch that adds support for a new parameter security subject identifier reference (ssidref) in the domain configuration, as well as a v-e-r-y simple policy tool to set binary policies in xen and to retrieve and dump enforced policies from xen (tools/policytool); in a future version, this tool will read user-defined policies and compile them into the binary policies to be downloaded into xen.

Please refer to shype_4_xen.readme.gz for more information about installing sHype into the bitkeeper version of xeno-unstable and about experimenting with it.

Feedback welcome.

Kindest Regards
Reiner

Signed-off-by: Reiner Sailer

___________________________________________________________
Reiner Sailer, Research Staff Member, Secure Systems Department
IBM T J Watson Research Ctr, 19 Skyline Drive, Hawthorne NY 10532
Phone: 914 784 6280 (t/l 863) Fax: 914 784 6205, sailer@us.ibm.com
http://www.research.ibm.com/people/s/sailer/