ACM Practice and Analysis

ACM policy (/etc/xen/acm-security/policy)
<SimpleTypeEnforcement>
  <SimpleTypeEnforcementTypes>
    <Type>
<ChineseWall>
  <ChineseWallTypes>
    <Type>
  <ConflictSets>
    <Conflict>
      <Type>

ACM policy: Types
ACM policy: Labels
<SecurityLabelTemplate>
  <SubjectLabels>
    <VirtualMachineLabel>
      <Name>
      <SimpleTypeEnforcementTypes>
        <Type>
      <ChineseWallTypes>
        <Type>
  <ObjectLabels>
    <ResourceLabel>
      <Name>
      <SimpleTypeEnforcementTypes>
        <Type>
Source layout
• Xen/xsm
• Xen/xsm/acm
• Xen/include/xsm
• Xen/include/xsm/acm
• /xen/include/public/xsm
XSM hooks
• dom0_ops.c|domain.c|grant_table.c
• event_channel.c|setup.c|mm.c
ACM hook implementation
/* XSM hook table entries implemented by ACM */
struct xsm_operations acm_xsm_ops = {
    .domain_create = acm_domain_create,
    .free_security_domain = acm_domain_destroy,
    .grant_mapref = acm_grant_mapref,
    .evtchn_unbound = acm_evtchn_unbound,
    .evtchn_interdomain = acm_evtchn_interdomain,
    .security_domaininfo = acm_security_domaininfo,
    .__do_xsm_op = do_acm_op,
};
ACM hooks
• policy management functions
• domain management control hooks
• event channel control hooks
• grant table control hooks
• generic domain-requested decision hooks
• determine whether the default policy is installed
• acm_operations
• acm_null_ops
• acm_chinesewall_ops
• acm_simple_type_enforcement_ops
XSM initialization
_start_xen() do_xsm_initcalls __xsm_initcall_start xsm_init() ....... xsm_policy_init() __xsm_initcall_start
ACM initialization
acm_init acm_setup do_acm_set_policy acm_init_binary_policy _acm_update_policy dom0_ste_ssidref dom0_chwall_ssidref acm_init_binary_policy register_xsm
ChineseWall conflict detection algorithm
ssidrefs conflict_sets