Re: [Xen-devel] Module loading in unpriveledged domains
>Ian Pratt wrote:
>>>Is there any security risk in enabling loadable module support in the linux
>>>kernel used for the unprivileged domains? I ask this question in the context of
>>>a virtual private server hosting provider.
>>
>> There shouldn't be any security risk at all -- Xen should provide
>> all the isolation you need (modulo any bugs).
>
>So the answer to the original question is, "yes, enabling loadable module
>support will increase your exposure to security risks due to any weaknesses
>in Xen's isolation." Xen hasn't had particularly extensive security review
>yet.

Well only if you're not already giving root access to the virtual machine in question (or believe that by not giving it you're protected).

"Security risk" is not particularly well formulated in non-assessed operating systems (aka pretty much all commodity ones). The immunix guys have a great demo of linux being hosed by about 5 different freely downloadable exploits (which vary through time, but retain a similar number), and being stopped by immunix. Of course one can imagine a further N exploits which crack immunix :-)

In short: please feel free to enable loadable module support in an unprivileged kernel. The trust barrier is xen<->guestOS, and so that's what you should trust. We cannot guarantee that it's bulletproof but we're more likely to respond to vulnerabilities in Xen than ones inherent in linux.

cheers,

S.