Luke Kenneth Casson Leighton wrote:
i notice that there's a management interface on port 8000.
i seek to protect this interface such that nothing but a trusted program
(think selinux) may run, manage, start up or shut down xen oses.
so: where can i find out information about the structure of the
xen management interface?
is the port 8000 stuff just providing a web server (/etc/init.d/xend)
front-end to some extra system calls?
What lives behind port 8000 is xend. This is the management daemon for xen.
It presents its interface over HTTP and implements it using low-level calls
into the xen hypervisor via ioctls. There is no system call
interface that corresponds to the xend api.
is the port 8000 stuff actually running in the xen boot-up stuff?
Xen boots the hypervisor, then domain-0.
Xend runs in domain-0 and is the normal way that all other domains
if it's some extra system calls that's very good because it will be
possible to add selinux security hooks to protect each system call.
You should be able to use selinux rules to specify what gets to talk to xend at
port 8000. You'd need to enable LSM and selinux in the domain-0 kernel, but
otherwise all you should need to do is configure selinux appropriately.
Hope this helps,
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
Xen-devel mailing list