WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

Re: [Xen-devel] protecting xen startup

To: "Neugebauer, Rolf" <rolf.neugebauer@xxxxxxxxx>
Subject: Re: [Xen-devel] protecting xen startup
From: Luke Kenneth Casson Leighton <lkcl@xxxxxxxx>
Date: Wed, 24 Nov 2004 10:53:00 +0000
Cc: Mark Williamson <maw48@xxxxxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 24 Nov 2004 10:48:53 +0000
Envelope-to: xen+James.Bulpin@xxxxxxxxxxxx
In-reply-to: <39CC97884CA19A4D8D6296FE94357BCBF5C747@swsmsx404>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
References: <39CC97884CA19A4D8D6296FE94357BCBF5C747@swsmsx404>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.5.1+cvs20040105i
On Tue, Nov 23, 2004 at 11:58:51PM -0000, Neugebauer, Rolf wrote:

> From a security point of view we probably should/need to restructure the
> current xend significantly into at least two components: a small name
> server and a daemon/tool which knows about assignment of higher level
> devices to domains etc. Note that this will also require changes to
> backend and frontends etc, ie, it's non-trivial.
 
  hi rolf, 

  i'm not familiar enough with the terminology that you are using to
  understand fully what you are saying.

 are you hinting at the allocation of device drivers across domains?

 e.g. having one domain do the hardware side and securely
 proxy-forwarding the access to that device over to another domain?

 for example /dev/console in one domain being proxy-forwarded into
 another domain for it to be accessible as /dev/xendomainconsole0,
 something like that?

 because if so that _would_ be great because it'd be a trivial job in
 selinux to set up an selinux permission to access the device inode
 at the "receiving" end so to speak.

 
 ... but i have to point out that i'm more concerned about leveraging
 what is available - right now - than i am about future versions.

 l.



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel

<Prev in Thread] Current Thread [Next in Thread>