
Re: [Xen-devel] XEN : XSM policy and want some clarification for understanding.



On 08/02/2013 07:30 AM, cooldharma06 wrote:
> Hi,
>
> I am trying to create a new policy between doms.
>
> According to the XSM Flask document:
>
> - domU_t is a domain that can communicate with any other domU_t
> - isolated_domU_t can only communicate with dom0
>
> I analysed the policy.
>
> By
> - domain_self_comms(domU_t)
> - domain_comms(dom0_t, isolated_domU_t)
>
> the above things are achieved.
>
> From dom0, by making a hypercall we can check that the policy is working,
> but from domU how can we check this?

Do you mean just checking if XSM is enabled? The XSM hypercall to get
enforcing mode will also work from domUs, if you really need to check
it directly. But most of the time, a domU will only need to notice
when it tries to do something not allowed by the policy.

Ideally the only domains that would care if XSM was enabled or not
would be toolstack domains that need to do things like set labels,
or domains that enforce their own security policy using XSM labels.

> And also, "how can I find that communication between these doms is
> established?"
>
> Is there any tool or userspace program available for that?

One easy way to test this is to use the libvchan client to communicate
between domains that are allowed (domU_t to domU_t) and then notice
that it gives an error when used between domU_t and isolated_domU_t.

> Please clarify, because I am not able to move further with this one.
>
>
> regards,
> cooldharma06.



--
Daniel De Graaf
National Security Agency
