xen-devel
Re: [Xen-devel] how to scan domU to get the inode info?
Sucan wrote:
Hi,
I have installed Xen 3.2 on my computer. Security is very important! Although
Linux is more secure than Windows, I need to protect the domU filesystem
against hacking or viruses. So each time domU needs to write to disk, it sends
the request to dom0; when I receive the request in dom0, I will make sure the
file it writes is not in the /usr/bin directory. If domU is trying to change
files under the /usr/bin directory, it will be stopped by dom0.
This way, I can protect the /usr/bin directory from ever being changed: even if
you have root privileges in domU, you can't change the files in /usr/bin.
So, the first thing I need to do is to scan the files in the /usr/bin directory
to get all the inode info, save each inode number in a file, and transfer the
file to dom0. Each time domU submits a request to a file, the request will be
sent to dom0. Next, dom0 will compare the inode number against that file. If it
finds the same inode number, dom0 will stop the write request; if it is not
found, domU can write the file as normal.
My question is: how do I scan a directory (such as /usr/bin) and get all the
inode info? Which functions may I use in the Linux kernel API? Can someone
please shed some light on this problem? Or any suggestions on my ideas above
to protect the domU Linux filesystem against invasion?
I'm not a security expert, but I think that write-protecting /usr/bin will only
stop a small number of security threats. I recommend that you ask this question
on a list dedicated to security issues rather than here.
However... if you just want a read-only /usr, you can create a VBD and mount it
read-only on /usr. You can also ensure it is read-only in dom0 by changing the
permissions on the corresponding /dev file (or loopback file), and by setting the
permissions in the 'disk' list in /etc/xen/your-vm-config.
Regards,
Alex
--
Best regards,
Sucan
Computer Department,Beijing Institute of Technology,China
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
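The scan-and-compare step Sucan describes (walk /usr/bin, record every inode number, save the list to a file, later check a write target against it), as an added example that is not code from this thread or from Xen. It is ordinary user-space C using opendir/readdir/lstat rather than in-kernel API; the list format ("dev ino" per line), the set type and the throwaway directory tree built under a temp dir are all this example's own choices. It keys entries on (st_dev, st_ino) instead of the inode number alone, since inode numbers are unique only within one filesystem.

```c
/* Added example, not code from the xen-devel thread: scan a directory tree, record
 * each entry's (device, inode) pair, save the list to a file, reload it and ask "is
 * this write target listed?". Keys are (st_dev, st_ino) because inode numbers are
 * unique only within one filesystem. The demo tree built in demo() is constructed. */
#define _GNU_SOURCE
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef struct { dev_t dev; ino_t ino; } inode_key;
typedef struct { inode_key *keys; size_t len, cap; } inode_set;

static int set_add(inode_set *s, dev_t dev, ino_t ino) {
    if (s->len == s->cap) {                        /* grow the backing array */
        size_t ncap = s->cap ? s->cap * 2 : 64;
        inode_key *nk = realloc(s->keys, ncap * sizeof *nk);
        if (!nk) return -1;
        s->keys = nk; s->cap = ncap;
    }
    s->keys[s->len].dev = dev; s->keys[s->len].ino = ino; s->len++;
    return 0;
}
int set_contains(const inode_set *s, dev_t dev, ino_t ino) {
    for (size_t i = 0; i < s->len; i++)
        if (s->keys[i].dev == dev && s->keys[i].ino == ino) return 1;
    return 0;
}
/* Depth-first walk. lstat() records symlinks instead of following them, and
 * entries on another filesystem (mount points) are skipped. */
int scan_dir(const char *path, inode_set *s) {
    struct stat st, cst;
    struct dirent *e; char child[PATH_MAX]; int rc = 0;
    if (lstat(path, &st) != 0 || set_add(s, st.st_dev, st.st_ino) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return 0;
    DIR *d = opendir(path);
    if (!d) return -1;
    while (rc == 0 && (e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (snprintf(child, sizeof child, "%s/%s", path, e->d_name) >= (int)sizeof child
            || lstat(child, &cst) != 0) rc = -1;
        else if (cst.st_dev == st.st_dev) rc = scan_dir(child, s);
    }
    closedir(d);
    return rc;
}
/* One "dev ino" pair per line: the list that would be handed to dom0. */
int save_set(const inode_set *s, const char *file) {
    FILE *f = fopen(file, "w"); if (!f) return -1;
    for (size_t i = 0; i < s->len; i++)
        fprintf(f, "%llu %llu\n", (unsigned long long)s->keys[i].dev, (unsigned long long)s->keys[i].ino);
    return fclose(f);
}
int load_set(const char *file, inode_set *s) {
    unsigned long long dev, ino; int rc = 0;
    FILE *f = fopen(file, "r"); if (!f) return -1;
    while (rc == 0 && fscanf(f, "%llu %llu", &dev, &ino) == 2)
        rc = set_add(s, (dev_t)dev, (ino_t)ino);
    fclose(f);
    return rc;
}
int on_list(const inode_set *s, const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 && set_contains(s, st.st_dev, st.st_ino);
}
static int write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    return f && fputs(text, f) >= 0 && fclose(f) == 0;
}
/* Constructed scenario: snapshot a fake /usr/bin, reload the list, check one file
 * inside (listed) and one outside (not), then do what root in domU can do: rename
 * the listed file and create a new one under its old name. The new file has a
 * fresh inode and is not listed. Returns 1 if every check behaves that way. */
int demo(void) {
    char root[PATH_MAX], bin[PATH_MAX], ls[PATH_MAX], old[PATH_MAX], note[PATH_MAX], list[PATH_MAX];
    const char *tmp = getenv("TMPDIR");
    inode_set snap = {0}, loaded = {0};
    snprintf(root, sizeof root, "%s/inodescanXXXXXX", tmp ? tmp : "/tmp");
    if (!mkdtemp(root)) return 0;
    snprintf(bin, sizeof bin, "%s/usr_bin", root);
    snprintf(ls, sizeof ls, "%s/usr_bin/ls", root);
    snprintf(old, sizeof old, "%s/usr_bin/ls.old", root);
    snprintf(note, sizeof note, "%s/note.txt", root);
    snprintf(list, sizeof list, "%s/inodes.txt", root);
    if (mkdir(bin, 0755) != 0 || !write_file(ls, "#!/bin/sh\n") ||
        !write_file(note, "hello\n")) return 0;
    if (scan_dir(bin, &snap) != 0 || save_set(&snap, list) != 0 ||
        load_set(list, &loaded) != 0 || loaded.len != 2) return 0;   /* dir + ls */
    int ok = on_list(&loaded, ls) && !on_list(&loaded, note);
    if (rename(ls, old) != 0 || !write_file(ls, "#!/bin/sh\necho replaced\n")) return 0;
    ok = ok && on_list(&loaded, old) && !on_list(&loaded, ls);  /* old inode listed, new one not */
    unlink(ls); unlink(old); unlink(note); unlink(list); rmdir(bin); rmdir(root);
    free(snap.keys); free(loaded.keys);
    return ok;
}

int main(void) { return demo() ? 0 : 1; }
```

Build and run with `cc -Wall -o inodescan inodescan.c && ./inodescan` (exit status 0 means every check in demo() behaved as described). The last step of demo() is the practitioner's caveat: an inode list pins the file objects that existed at scan time, not the names under them, so a root user in the guest can rename a listed file and drop a new one in its place without touching any listed inode. There is also a placement problem with enforcing this in dom0: a Xen VBD carries block-level read/write requests between blkfront and blkback, so the backend sees sectors, not file names or inode numbers, and a check of this kind would have to run where the filesystem is interpreted. That is why the read-only VBD that Alex describes is the simpler control.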