Re: [Xense-devel] [PATCH] ACM: adding get_ssid command and clean

To:	Reiner Sailer <sailer@xxxxxxxxxx>
Subject:	Re: [Xense-devel] [PATCH] ACM: adding get_ssid command and cleanup
From:	David Palmer <dwpalmer.xense@xxxxxxxxx>
Date:	Fri, 2 Sep 2005 11:41:28 -0700
Cc:	xen-devel@xxxxxxxxxxxxxxxxxxx, Stefan Berger <stefanb@xxxxxxxxxx>, xense-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date:	Fri, 02 Sep 2005 18:39:16 +0000
Domainkey-signature:	a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=i71y8Fk/Q2TgMQAjEdqR7tv00SOK9GV+SZ7+XiNpR/Bh/RCmfA9NTejwHLJqV8eKK293uwcdbPwJ4rlVq4bn+N2Ab6tlQCu9VqbnJbpyf8YYozp/46Rj5CJ8myk/NosOVTwd0jUZaZuAW+F7fIrG4J4Ky6pbCZzOcmTysxw5whU=
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to:	<OF93EA0DFA.6835D1D3-ON85257070.001074DC-85257070.0012EDAD@xxxxxxxxxx>
List-help:	<mailto:xense-devel-request@lists.xensource.com?subject=help>
List-id:	"A discussion list for those developing security enhancements for Xen." <xense-devel.lists.xensource.com>
List-post:	<mailto:xense-devel@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xense-devel>, <mailto:xense-devel-request@lists.xensource.com?subject=unsubscribe>
References:	<OF93EA0DFA.6835D1D3-ON85257070.001074DC-85257070.0012EDAD@xxxxxxxxxx>
Sender:	xense-devel-bounces@xxxxxxxxxxxxxxxxxxx

Reiner,

I've looked over the code. As input, it takes either an SSID or a DomainID. If given a DomainID, it looks up the domain's SSID. It then returns two arrays of 0's and 1's. One array is a row from the STE-Type matrix and the other is a row from the ChWall-Type matrix corresponding to the given SSID.

My question then: What constitutes a legitimate use vs. a clear abuse of this information?

For example, lets say I create a domain that manages a resource. When another domain connects, the resource domain checks for a specific type using get_ssid() on the subject's DomainID and indexes one of the arrays with the type number. If the type is set, then it provides the "Privileged" interface with the other domain. If it is not set, then it provides the "Unprivileged" interface with the domain. Is this legitimate or an abuse of the function? Why or why not?

Dave

On 9/1/05, Reiner Sailer <sailer@xxxxxxxxxx> wrote:

This patch:

* adds a get_ssid ACM command that allows privileged domains to retrieve types for either a given ssid reference or a given domain id (of a running domain); this command can be used to extend access control into device domains, e.g., to control network traffic currently moving through Domain 0 uncontrolled by the ACM policy

* adds a script getlabel.sh that allows users inside Dom0 to retrieve the label for a given ssid reference or a given domain id (multiple labels might map onto a single ssid reference)

* cleans up label-related code in tools/security by merging common functions into labelfuncs.sh

* cleans up ACM code related to above changes (eventually approximating a common coding style)

Comments welcome.

Thanks
Reiner

Signed-off-by Reiner Sailer <sailer@xxxxxxxxxx>
Signed-off by Stefan Berger <stefanb@xxxxxxxxxx>

_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel

_______________________________________________
Xense-devel mailing list
Xense-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xense-devel

WARNING - OLD ARCHIVES

xen-devel

Re: [Xense-devel] [PATCH] ACM: adding get_ssid command and cleanup