hi, I have installed xen 3.2 in my computer , security is very important! although linux is more secure than windows.i need to protect the domu filesystem against hacking or virus. so each time when domu need to write to disk. it send the request to dom0, when i recieve the request in dom0, i will make sure the file it write is not in the /usr/bin directory. if domu is trying to change files under /usr/bin directory, it will be stoped by dom0. this way, i can protect the /usr/bin dir not been changed for ever, even if you have root privilage in domu , you can''t change the files in /usr/bin. so ,the first thing i need to do is to scan files in /usr/bin directory to get all the inode info. save each inode number in a file. and transfer the file to dom0, each time domu submit a request to a file , the request will send to dom0. next ,dom0 will compare the inode number in that file .if find the same inode number, dom0 will stop the write request. if not found, domu can write the file as normal. my question is how to scan a directory(such as /usr/bin) and get all inode info? which funtions may i use in the linux kernel api? Can someone please shed some light on this problem? or any suggestions on my ideas above to protect the domu linux filesystem against invasion? -- Best regards, Sucan Computer Department,Beijing Institute of Technology,China _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Alex Zeffertt
2009-May-06 09:34 UTC
Re: [Xen-devel] how to scan domU to get the inode info?
Sucan wrote:> hi, > > I have installed xen 3.2 in my computer , security is very important! > although linux is more secure than windows.i need to protect the domu > filesystem against hacking or virus. so each time when domu need to > write to disk. it send the request to dom0, when i recieve the request > in dom0, i will make sure the file it write is not in the /usr/bin > directory. if domu is trying to change files under /usr/bin directory, > it will be stoped by dom0. > this way, i can protect the /usr/bin dir not been changed for ever, > even if you have root privilage in domu , you can''t change the files in > /usr/bin. > so ,the first thing i need to do is to scan files in /usr/bin > directory to get all the inode info. save each inode number in a file. > and transfer the file to dom0, each time domu submit a request to a file > , the request will send to dom0. next ,dom0 will compare the inode > number in that file .if find the same inode number, dom0 will stop the > write request. if not found, domu can write the file as normal. > my question is how to scan a directory(such as /usr/bin) and get all > inode info? which funtions may i use in the linux kernel api? Can > someone please shed some light on this problem? or any suggestions on my > ideas above to protect the domu linux filesystem against invasion? >I''m not a security expert, but I think that write protecting /usr/bin will only stop a small number of security threats. I recommend that you ask this question on a list dedicated to security issues rather than here. However... if you just want a read-only /usr you can create a vbd and mount it as read-only on /usr. You can also ensure it is read-only in dom0, by changing permission on the corresponding /dev file (or loopback file), and by setting the permissions in the ''disk'' list in /etc/xen/your-vm-config. Regards, Alex> -- > Best regards, > Sucan > Computer Department,Beijing Institute of Technology,China >_______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel