WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

Re: [Xen-devel] how to scan domU to get the inode info?

To: Sucan <bitzsk@xxxxxxxxx>
Subject: Re: [Xen-devel] how to scan domU to get the inode info?
From: Alex Zeffertt <alex.zeffertt@xxxxxxxxxxxxx>
Date: Wed, 06 May 2009 10:34:42 +0100
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>, "9907yruby@xxxxxxxxx" <9907yruby@xxxxxxxxx>
Delivery-date: Wed, 06 May 2009 02:35:07 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <a160a7d60905052013m5a845abahc90807aef4799ccd@xxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <a160a7d60905052013m5a845abahc90807aef4799ccd@xxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.21 (X11/20090409)
Sucan wrote:
hi,

I have installed xen 3.2 in my computer , security is very important! although linux is more secure than windows.i need to protect the domu filesystem against hacking or virus. so each time when domu need to write to disk. it send the request to dom0, when i recieve the request in dom0, i will make sure the file it write is not in the /usr/bin directory. if domu is trying to change files under /usr/bin directory, it will be stoped by dom0. this way, i can protect the /usr/bin dir not been changed for ever, even if you have root privilage in domu , you can't change the files in /usr/bin. so ,the first thing i need to do is to scan files in /usr/bin directory to get all the inode info. save each inode number in a file. and transfer the file to dom0, each time domu submit a request to a file , the request will send to dom0. next ,dom0 will compare the inode number in that file .if find the same inode number, dom0 will stop the write request. if not found, domu can write the file as normal. my question is how to scan a directory(such as /usr/bin) and get all inode info? which funtions may i use in the linux kernel api? Can someone please shed some light on this problem? or any suggestions on my ideas above to protect the domu linux filesystem against invasion?


I'm not a security expert, but I think that write protecting /usr/bin will only stop a small number of security threats. I recommend that you ask this question on a list dedicated to security issues rather than here.

However... if you just want a read-only /usr you can create a vbd and mount it as read-only on /usr. You can also ensure it is read-only in dom0, by changing permission on the corresponding /dev file (or loopback file), and by setting the permissions in the 'disk' list in /etc/xen/your-vm-config.

Regards,

Alex

--
Best regards,
Sucan
Computer Department,Beijing Institute of Technology,China



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

<Prev in Thread] Current Thread [Next in Thread>