1 / 11

XEN STE P OLICY

XEN STE P OLICY. Basic Idea Implementation Improvement. Basic Idea. Subject domain Object file, dir, device, domain Rules access control array. Basic Idea. Type Basic type, can not be used directly Label Encapsulate types Subject Label Object Label Rule

jens
Download Presentation

XEN STE P OLICY

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. XEN STE POLICY • Basic Idea • Implementation • Improvement

  2. Basic Idea • Subject • domain • Object • file, dir, device, domain • Rules • access control array

  3. Basic Idea • Type • Basic type, can not be used directly • Label • Encapsulate types • Subject Label • Object Label • Rule • Only two labels share at least one common type that access can be permit

  4. Implementation • policy management services(7) • domain management control hooks(2) • event channel control hooks(2) • grant table control hooks(2) • generic domain-requested decision hooks(2) • other(1)

  5. Implementation • domain_create(...,ssidref) • xsm_domain_create(d,ssidref) • xsm_ops->domain_create(d,ssidref) • acm_domain_create(d,ssidref) • acm_primary_ops->domain_create() acm_primary_ops->acm_init_domain_ssid • ste_domain_create() • ste_pre_domain_create()

  6. Implementation • acm_primary_ops->acm_init_domain_ssid • ste_init_domain_ssid

  7. Domain ssid struct acm_binary_policy{ …. u16 primary_policy_code; …. }; struct acm_ssid_domain { struct list_head node; int datatype; ssidref_t ssidref; ssidref_t old_ssidref; void *primary_ssid; void *secondary_ssid; struct domain *subject; domid_t domainid; }; struct ste_ssid { ssidref_t ste_ssidref; struct acm_ste_cache_line \ ste_cache[ACM_TE_CACHE_SIZE]; }; struct domain { ….. void *ssid ….. };

  8. Implementation-another example • __gnttab_map_grant_ref • xsm_grant_mapref(ld,rd,op->flags) • acm_grant_mapref(ld,rd,op->flags) • acm_pre_grant_map_ref(id) • acm_primary_ops->pre_grant_map_ref(id) • ste_pre_grant_map_ref • share_common_type(subj,obj)

  9. Implementation-another example • GET_SSIDP() • have_common_type(ref_s,ref_o); dom1 dom2 domx

  10. Improvement • Add Time Limit • Dynamic change rules • To be continue......

  11. Thank You!

More Related