Get Target Guest Info (Linux)
Start Target VM with FLASK label
According to our setup in Update XSM FLASK Policy, a VM labeled with domU has priviledges to intropsect another domU’s physical memory. Now we can label TinyVMI with domU to grant the VM of TinyVMI with those privileges.
Change xl config file for the target VM. Add the following line to this file:
seclabel='system_u:system_r:domU_t'
An example configuration file:
# Kernel image file.
kernel = "mini-os.gz"
# Initial memory allocation (in megabytes) for the new domain.
memory = 64
# A name for your domain. All domains must have different names.
name = "TinyVMI"
on_crash = 'destroy'
seclabel='system_u:system_r:domU_t'
Now you can start target VM by running xl create <domain_config_file>
Get Guest Kernel Offsets
This method is totally derived from how LibVMI get info from guest kernel.
Download the linux-offset-finder from LibVMI repo. Then you can use this program to get the offset values needed for the ~/etc/libvmi.conf file. To use, follow the steps below.
- Copy the files in this directory to the target VM.
- Log into the target VM as root.
- cd into the directory with this program, then run make.
- insmod findoffsets.ko
- if you are logged into the console, you will see the output. Otherwise, see /var/log/syslog or dmesg for the output.
- rmmod findoffsets
- copy the output into your ~/etc/libvmi.conf file in dom0, be sure to update the domain name and sysmap location.
Get Guest Kernel Sysmap
Copy the system map file to dom0. For example, on a guest VM running with Ubuntu 16.04, you can find system map file at /boot/Sysmap.map-<kernel_version>, then copy it in ~/etc/Sysmap.map-<kernel_version>. The current kernel_verion can be got by run uname -r.
Now we have the following info from the target guest VM:
- target VM name and ID.
- ~/etc/libvmi.conf. Acquired by
linux-offset-finderin target VM. - ~/etc/System.map-<kernel_version>. Copied from /boot/System.map-* on target VM.
Next, we will use those info to configure TinyVMI.