Architecture

Architecture Overivew

VXE creates virtual environment (VE, security domain or a sandbox), by defining resorces available to a subsystem. Where subsystem is some initial process and its subprocesses. Resources are defined in terms of syscalls and their arguments.

Term definitions:

VXE - Virtual Execution Environment;

VXED - VXE Definition; description of resorces available for the subsystem;

VXEI - VXE Instance; runtime instance governed by VXED;

To make VXED creation easier two modes are available: learning (or logging) and production modes. In learning mode all VXED violations are logged, but allowed. VXE administrator can include resources listed in violations into VXED. In production mode violations are logged and offending system calls are denied.

Pic. 1

VXE LKM is VXE Kernel Module. It inspects system calls and applies limitations imposed be VXEDs.

VXE LKM communicates with user space cervices over Netlink. There are two VXE user spcece services Logger and GUI. Logger collects violations reported by LKM. GUI provides REST API and GUI.