cooldharma06
2013-Aug-02 11:30 UTC
XEN : XSM policy and want some clarification for understanding.
hi,

I am trying to create a new policy between dom's.

By the XSM Flask document:

- domU_t is a domain that can communicate with any other domU_t
- isolated_domU_t can only communicate with dom0

I analysed the policy. By

- domain_self_comms(domU_t)
- domain_comms(dom0_t, isolated_domU_t)

the above things are achieved.

From dom0, by making a hypercall we can check that the policy is working,
but from domU how can we check this?

And also, "how can I find that communication between these doms is
established?" Is there any tool or userspace program available for that?

Please clarify this for me, because I am not able to move further with this one.

regards,
cooldharma06.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
Daniel De Graaf
2013-Aug-02 13:38 UTC
Re: XEN : XSM policy and want some clarification for understanding.
On 08/02/2013 07:30 AM, cooldharma06 wrote:
> hi,
>
> I am trying to create a new policy between dom's.
>
> By the XSM Flask document:
>
> - domU_t is a domain that can communicate with any other domU_t
> - isolated_domU_t can only communicate with dom0
>
> I analysed the policy. By
>
> - domain_self_comms(domU_t)
> - domain_comms(dom0_t, isolated_domU_t)
>
> the above things are achieved.
>
> From dom0, by making a hypercall we can check that the policy is working,
> but from domU how can we check this?

Do you mean just checking if XSM is enabled? The XSM hypercall to get
enforcing mode will also work from domUs, if you really need to check
it directly. But most of the time, a domU will only need to notice
when it tries to do something not allowed by the policy.

Ideally the only domains that would care if XSM was enabled or not
would be toolstack domains that need to do things like set labels,
or domains that enforce their own security policy using XSM labels.

> And also, "how can I find that communication between these doms is
> established?"
>
> Is there any tool or userspace program available for that?

One easy way to test this is to use the libvchan client to communicate
between domains that are allowed (domU_t to domU_t) and then notice
that it gives an error when used between domU_t and isolated_domU_t.

> Please clarify this for me, because I am not able to move further with this one.
>
> regards,
> cooldharma06.

--
Daniel De Graaf
National Security Agency
cooldharma06
2013-Aug-03 05:55 UTC
Re: XEN : XSM policy and want some clarification for understanding.
hi,

I searched for how to enable the "libvchan" library and use it to achieve
communication between domU's, but I am unable to find a proper guide or
document for this. Can you send me the guide or document for this?

regards,
cooldharma06.

On Fri, Aug 2, 2013 at 7:08 PM, Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote:
> On 08/02/2013 07:30 AM, cooldharma06 wrote:
>> hi,
>>
>> I am trying to create a new policy between dom's.
>>
>> By the XSM Flask document:
>>
>> - domU_t is a domain that can communicate with any other domU_t
>> - isolated_domU_t can only communicate with dom0
>>
>> I analysed the policy. By
>>
>> - domain_self_comms(domU_t)
>> - domain_comms(dom0_t, isolated_domU_t)
>>
>> the above things are achieved.
>>
>> From dom0, by making a hypercall we can check that the policy is working,
>> but from domU how can we check this?
>
> Do you mean just checking if XSM is enabled? The XSM hypercall to get
> enforcing mode will also work from domUs, if you really need to check
> it directly. But most of the time, a domU will only need to notice
> when it tries to do something not allowed by the policy.
>
> Ideally the only domains that would care if XSM was enabled or not
> would be toolstack domains that need to do things like set labels,
> or domains that enforce their own security policy using XSM labels.
>
>> And also, "how can I find that communication between these doms is
>> established?"
>>
>> Is there any tool or userspace program available for that?
>
> One easy way to test this is to use the libvchan client to communicate
> between domains that are allowed (domU_t to domU_t) and then notice
> that it gives an error when used between domU_t and isolated_domU_t.
>
>> Please clarify this for me, because I am not able to move further with this one.
>>
>> regards,
>> cooldharma06.
>
> --
> Daniel De Graaf
> National Security Agency