* Event from dom0
@ 2011-08-17  4:52 Jinesh M.K
  2011-08-17  8:51 ` Pasi Kärkkäinen
  2011-08-18  1:33 ` Wei Liu
  0 siblings, 2 replies; 7+ messages in thread
From: Jinesh M.K @ 2011-08-17  4:52 UTC (permalink / raw)
  To: Xen-devel



Hi,

How to capture an event (e.g. file copying) from dom0?

Thanks
Jinesh M.K


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Event from dom0
  2011-08-17  4:52 Event from dom0 Jinesh M.K
@ 2011-08-17  8:51 ` Pasi Kärkkäinen
  2011-08-17 11:30   ` Jinesh M.K
  2011-08-18  1:33 ` Wei Liu
  1 sibling, 1 reply; 7+ messages in thread
From: Pasi Kärkkäinen @ 2011-08-17  8:51 UTC (permalink / raw)
  To: Jinesh M.K; +Cc: Xen-devel

On Wed, Aug 17, 2011 at 10:22:48AM +0530, Jinesh M.K wrote:
>    Hi,
> 
>    How to capture an event (e.g. file copying) from dom0?
> 

You should be more specific.. Do you mean "copying file in a domU" perhaps? 

I don't think there's a way to capture things like that,
since hypervisors work at much lower level.

You'd have to write some custom module for the domU kernel or userspace, 
make it communicate with a module/tool in dom0 using xenstore, gntdev, or something like that.

-- Pasi

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Event from dom0
  2011-08-17  8:51 ` Pasi Kärkkäinen
@ 2011-08-17 11:30   ` Jinesh M.K
  2011-08-17 11:42     ` Pasi Kärkkäinen
  0 siblings, 1 reply; 7+ messages in thread
From: Jinesh M.K @ 2011-08-17 11:30 UTC (permalink / raw)
  To: Pasi Kärkkäinen; +Cc: Xen-devel



I mean an event that happens inside dom0, like moving a hard disk image from one
location to another

Jinesh
On 17 August 2011 14:21, Pasi Kärkkäinen <pasik@iki.fi> wrote:

> On Wed, Aug 17, 2011 at 10:22:48AM +0530, Jinesh M.K wrote:
> >    Hi,
> >
> >    How to capture an event (e.g. file copying) from dom0?
> >
>
> You should be more specific.. Do you mean "copying file in a domU" perhaps?
>
> I don't think there's a way to capture things like that,
> since hypervisors work at much lower level.
>
> You'd have to write some custom module for the domU kernel or userspace,
> make it communicate with a module/tool in dom0 using xenstore, gntdev, or
> something like that.
>
> -- Pasi
>
>


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Event from dom0
  2011-08-17 11:30   ` Jinesh M.K
@ 2011-08-17 11:42     ` Pasi Kärkkäinen
  0 siblings, 0 replies; 7+ messages in thread
From: Pasi Kärkkäinen @ 2011-08-17 11:42 UTC (permalink / raw)
  To: Jinesh M.K; +Cc: Xen-devel

On Wed, Aug 17, 2011 at 05:00:29PM +0530, Jinesh M.K wrote:
>    I mean an event that happens inside dom0, like moving a hard disk image from one
>    location to another
> 

I assume you're using Linux dom0 so your question is not Xen specific at all..
You could use tools like Linux inotify etc.

-- Pasi


>    Jinesh
>    On 17 August 2011 14:21, Pasi Kärkkäinen <[1]pasik@iki.fi> wrote:
> 
>      On Wed, Aug 17, 2011 at 10:22:48AM +0530, Jinesh M.K wrote:
>      >    Hi,
>      >
>      >    How to capture an event (e.g. file copying) from dom0?
>      >
> 
>      You should be more specific.. Do you mean "copying file in a domU"
>      perhaps?
> 
>      I don't think there's a way to capture things like that,
>      since hypervisors work at much lower level.
> 
>      You'd have to write some custom module for the domU kernel or userspace,
>      make it communicate with a module/tool in dom0 using xenstore, gntdev,
>      or something like that.
>      -- Pasi
> 
> References
> 
>    Visible links
>    1. mailto:pasik@iki.fi

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Event from dom0
  2011-08-17  4:52 Event from dom0 Jinesh M.K
  2011-08-17  8:51 ` Pasi Kärkkäinen
@ 2011-08-18  1:33 ` Wei Liu
  2011-08-18  6:24   ` Jinesh M.K
  1 sibling, 1 reply; 7+ messages in thread
From: Wei Liu @ 2011-08-18  1:33 UTC (permalink / raw)
  To: Jinesh M.K; +Cc: Xen-devel

On Wed, Aug 17, 2011 at 12:52 PM, Jinesh M.K <mkjinesh@gmail.com> wrote:
> Hi,
>
> How to capture an event (e.g. file copying) from dom0?
>

Well, there is a technique called "system call intercepting".

File copying or any other kinds of operation need the help from the
kernel -- that is, they will issue syscalls. If you can intercept
syscall in Xen, then Xen can tell your little daemon in Dom0 what's
happening in DomU.

It is doable, because my colleague has done something similar before.
However, this kind of operation slows down the whole system, because
it requires virtual machine introspection to eliminate semantic gap
between Dom0 and DomU, and the frequent switching from Xen, Dom0 and
DomU is certainly a performance hit.

Or you can try Pasi's way, depending on your need.

Wei.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Event from dom0
  2011-08-18  1:33 ` Wei Liu
@ 2011-08-18  6:24   ` Jinesh M.K
  2011-08-18 10:52     ` Wei Liu
  0 siblings, 1 reply; 7+ messages in thread
From: Jinesh M.K @ 2011-08-18  6:24 UTC (permalink / raw)
  To: Wei Liu; +Cc: Xen-devel



Thank you for your information, I tried the attached code for system call
interception.

I am using Linux kernel 2.6.38-10-generic and I issue the following command
to build this C code

sudo make -C /usr/src/linux-headers-`uname -r` SUBDIRS=$PWD modules

But I got errors like this

make: Entering directory `/usr/src/linux-headers-2.6.38-10-generic'
  CC [M]  /home/bios/intercept/intercept_open.o
/home/bios/intercept/intercept_open.c: In function ‘our_fake_open_function’:
/home/bios/intercept/intercept_open.c:30:9: error: implicit declaration of
function ‘user_path_walk’
/home/bios/intercept/intercept_open.c:35:25: error: ‘struct nameidata’ has
no member named ‘dentry’
/home/bios/intercept/intercept_open.c:50:37: error: ‘struct nameidata’ has
no member named ‘dentry’
/home/bios/intercept/intercept_open.c: In function ‘my_init’:
/home/bios/intercept/intercept_open.c:63:9: warning: ISO C90 forbids mixed
declarations and code
/home/bios/intercept/intercept_open.c:64:39: error: ‘system_utsname’
undeclared (first use in this function)
/home/bios/intercept/intercept_open.c:64:39: note: each undeclared
identifier is reported only once for each function it appears in
/home/bios/intercept/intercept_open.c:81:41: warning: initialization makes
integer from pointer without a cast
/home/bios/intercept/intercept_open.c: In function ‘my_exit’:
/home/bios/intercept/intercept_open.c:91:9: warning: initialization makes
integer from pointer without a cast
make[1]: *** [/home/bios/intercept/intercept_open.o] Error 1
make: *** [_module_/home/bios/intercept] Error 2
make: Leaving directory `/usr/src/linux-headers-2.6.38-10-generic'


Any help for this issue?

Thanks
Jinesh M.K

On 18 August 2011 07:03, Wei Liu <liuw@liuw.name> wrote:

> On Wed, Aug 17, 2011 at 12:52 PM, Jinesh M.K <mkjinesh@gmail.com> wrote:
> > Hi,
> >
> > How to capture an event (e.g. file copying) from dom0?
> >
>
> Well, there is a technique called "system call intercepting".
>
> File copying or any other kinds of operation need the help from the
> kernel -- that is, they will issue syscalls. If you can intercept
> syscall in Xen, then Xen can tell your little daemon in Dom0 what's
> happening in DomU.
>
> It is doable, because my colleague has done something similar before.
> However, this kind of operation slows down the whole system, because
> it requires virtual machine introspection to eliminate semantic gap
> between Dom0 and DomU, and the frequent switching from Xen, Dom0 and
> DomU is certainly a performance hit.
>
> Or you can try Pasi's way, depending on your need.
>
> Wei.
>


[-- Attachment #2: intercept_open.c --]
[-- Type: text/x-csrc, Size: 2220 bytes --]

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/syscalls.h>
#include <linux/unistd.h>
#include <linux/proc_fs.h>
#include <asm/uaccess.h>
#include <linux/namei.h>
#include <linux/fs.h>


int flag=0;

#define MAX_TRY 1024;

MODULE_LICENSE ("GPL");

unsigned long *sys_call_table;

asmlinkage long (*original_sys_open) (const char __user * filename, int
flags, int mode);

asmlinkage int our_fake_open_function(const char __user *filename, int
flags, int mode)
{
        int error;
        struct nameidata nd,nd_t;
        struct inode *inode,*inode_t;
        mm_segment_t fs;

        error=user_path_walk(filename,&nd);

        if(!error)
        {

                inode=nd.dentry->d_inode;

                /*Have to do this before calling user_path_walk( )
                from kernel space:*/
                fs=get_fs( );
                set_fs(get_ds( ));

                /*Protect /tmp/test. Change this to whatever file you
                want to protect*/
                error=user_path_walk("/tmp/test",&nd_t);

                set_fs(fs);

                if(!error)
                {
                        inode_t=nd_t.dentry->d_inode;

                        if(inode==inode_t)
                                return -EACCES;
                }
        }
  
        return original_sys_open(filename,flags,mode);
}
        
static int __init my_init (void)
{
        int i=MAX_TRY;
        unsigned long *sys_table;
        sys_table = (unsigned long *)&system_utsname;

        while(i)
        {
                if(sys_table[__NR_read] == (unsigned long)sys_read)
                {
                        sys_call_table=sys_table;
                        flag=1;
                        break;   
                }
                i--;
                sys_table++;
                
        }
                
        if(flag)
        {
            original_sys_open =(void * )xchg(&sys_call_table[__NR_open],
our_fake_open_function);
        }
                                
        return 0;

}
        
static void my_exit (void)
{
        xchg(&sys_call_table[__NR_open], original_sys_open);
}
        
module_init(my_init);
module_exit(my_exit);


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Event from dom0
  2011-08-18  6:24   ` Jinesh M.K
@ 2011-08-18 10:52     ` Wei Liu
  0 siblings, 0 replies; 7+ messages in thread
From: Wei Liu @ 2011-08-18 10:52 UTC (permalink / raw)
  To: Jinesh M.K; +Cc: Xen-devel

On Thu, Aug 18, 2011 at 2:24 PM, Jinesh M.K <mkjinesh@gmail.com> wrote:
> Thank you for your information, I tried the attached code for system call
> interception.
>
>

Well well, I think this technique doesn't fit your scenario -- I
misunderstood your case, I originally thought that you needed to know
what operation is happening inside another domain (without letting it be
aware of this).

If you trust Dom0 (from a security point of view), then syscall
interception is not a good idea, there should be other, better methods.
Maybe, like Pasi said, inotify?

If you don't trust Dom0, then who is to be trusted? Xen has very
limited capabilities to serve high level needs, eventually,
complicated operations are passed to some guests to handle.

I think it is better to clarify your scenario.

Wei.

^ permalink raw reply	[flat|nested] 7+ messages in thread
