Abstract |
In one embodiment, a mechanism to implement security in process-based virtualization is disclosed. In one embodiment, a method includes maintaining a security policy for a process-based virtualization system, initializing a virtual machine (VM) in the process-based virtualization system, assigning a security label to the VM, and enforcing the security policy on the VM based on the security label of the VM in order to isolate the VM from other VMs in the process-based virtualization system. |
Principal claim |
1. A method, comprising:
maintaining, by a processing device of a computing device, a security policy for a process-based virtualization system executed by the processing device on the computing device;
initializing, by the processing device, a virtual machine (VM) in the process-based virtualization system;
allocating, by the processing device to the VM, a category from a plurality of categories of a multi-category system (MCS) label of a SELINUX operating system (OS) to the VM, wherein the allocated category for the VM is distinctive to the VM and differentiates the VM from other VMs initialized in the process-based virtualization system, wherein the security policy comprises an access control method in the SELINUX OS that uses the plurality of categories to isolate the VM from the other VMs, and wherein the plurality of categories of the MCS label is repurposed for each category of the plurality of categories to be different from one another in order to isolate the VM from the other VMs;
assigning, by the processing device, the allocated category of the MCS label to an MCS field of an SELINUX OS multi-level security (MLS) label of the SELINUX OS associated with the VM;
mapping, by the processing device, a unique identifier (UUID) of the VM to the MCS label of the VM; and
enforcing, by the processing device, the security policy on the VM based on the MCS field of the MLS label of the VM in order to isolate the VM from the other VMs initialized in the process-based virtualization system. |
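
The allocate, map and enforce steps of the claim, as an added Python sketch that is not code from the patent or from any SELinux implementation. The class and function names, the 1024-category pool, the `s0` sensitivity and the random choice are assumptions, and the access check is a simplified model of MCS category dominance.

```python
import secrets
import uuid

NUM_CATEGORIES = 1024  # assumed category pool c0..c1023


class McsAllocator:
    """Gives every VM a category no other live VM holds and maps UUID -> label."""

    def __init__(self, num_categories=NUM_CATEGORIES):
        self._free = list(range(num_categories))
        self._label_by_uuid = {}

    def allocate(self, vm_uuid):
        if vm_uuid in self._label_by_uuid:       # UUID already mapped: return its label
            return self._label_by_uuid[vm_uuid]
        if not self._free:                       # pool exhausted: fail closed
            raise RuntimeError("no free MCS category; refuse to start the VM")
        cat = self._free.pop(secrets.randbelow(len(self._free)))
        label = f"s0:c{cat}"                     # category placed in the MCS field
        self._label_by_uuid[vm_uuid] = label
        return label

    def release(self, vm_uuid):
        label = self._label_by_uuid.pop(vm_uuid)
        self._free.append(int(label.split(":c")[1]))


def parse_level(level):
    """Split 's0:c3,c7' into ('s0', {3, 7}); 's0' alone has no categories."""
    sens, _, cats = level.partition(":")
    return sens, {int(c[1:]) for c in cats.split(",") if c}


def may_access(subject_level, object_level):
    """Simplified MCS check: same sensitivity, subject holds every object category."""
    s_sens, s_cats = parse_level(subject_level)
    o_sens, o_cats = parse_level(object_level)
    return s_sens == o_sens and s_cats >= o_cats


def demo():
    alloc = McsAllocator(num_categories=8)       # small pool, constructed for the demo
    vm_a, vm_b = str(uuid.uuid4()), str(uuid.uuid4())
    a, b = alloc.allocate(vm_a), alloc.allocate(vm_b)
    # Assumption: each VM's resources carry the same label as the VM process.
    return a, b, may_access(a, a), may_access(a, b), may_access(b, a)
```

An object with no category (`s0`) passes this check for every VM, so category separation only isolates resources that have actually been labelled with a VM's category.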