Re: [Xen-users] Re: malicious paravirtualized guests: security and isolation
"Vasiliy Baranov" <vasiliy.baranov@xxxxxxxxx> writes:

> Sure. We are not talking about sharing the kernel between dom0 and domU.
> domUs are going to have completely different kernels anyways. The question
> is, if I have to allow custom modules in domUs (because my users cannot live
> without them), does it make sense to disallow custom kernels, i.e. whether
> disallowing custom kernels is going to buy me much?

First, I'm not really sure how you would disallow custom kernels without giving users a box with a castrated root. If you have root on a regular Linux box, there are several mechanisms for modifying the running kernel without rebooting.

A data point: I've been allowing custom kernels from just about anyone on the net willing to give me $5 since 2005, and I haven't had anyone break out from the DomU to the Dom0. I am entirely paravirtualized, though, and from what I understand, HVM has a much larger (and theoretically more buggy) interface between Dom0 and DomU.

I have had problems where MAC address conflicts took things down (lock those MACs down and firewall them!).

Oh, the weakest part of my system, in my opinion? PyGrub. (That, or my homemade scripts that give DomU owners access to 'xm console domain'.) Now, I don't know of any open security holes in PyGrub, but I know there were some in the past. Essentially, PyGrub is a Python script that reads /boot/grub/menu.lst from the guest file system and then copies the kernel from the DomU to the Dom0. You can imagine how risky that is. PVGRUB, from Xen 3.3, is theoretically much more secure, as it runs entirely within the DomU.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
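The trust boundary the post describes, a Dom0-side tool parsing a boot menu pulled out of a guest filesystem the guest owner fully controls, is exactly the kind of place where a parser needs hard limits. The following is an added example, not PyGrub's code and not anything the poster wrote: a deliberately bounded parser for a GRUB-legacy style menu.lst that caps total size, line count, line length and entry count, allow-lists the directives it understands, and accepts kernel/initrd paths only as plain names under /boot (no traversal, nothing outside the boot directory). The specific limits, the directive set and the sample menus are all constructed for the example.

```python
"""Bounded parser for an untrusted, guest-supplied GRUB legacy menu.lst.

Added illustration only: this is not PyGrub. Every limit and the
allowed directive set below are assumptions chosen for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_BYTES = 64 * 1024   # assumption: refuse menus larger than this
MAX_LINES = 512         # assumption: refuse menus with more lines
MAX_LINE_LEN = 1024     # assumption: cap on any single line
MAX_ENTRIES = 32        # assumption: cap on boot entries

# Kernel/initrd paths must be absolute, under /boot, and made only of
# plain path characters.  "." is allowed in names, so ".." is rejected
# separately in _check_path.
BOOT_PATH = re.compile(r"^/boot/[A-Za-z0-9._+-]+(?:/[A-Za-z0-9._+-]+)*$")
IGNORED = {"timeout", "root", "savedefault", "boot", "hiddenmenu", "color"}


class MenuError(ValueError):
    """Raised when the menu violates a limit or a path rule."""


@dataclass
class Entry:
    title: str
    kernel: str = ""
    kernel_args: str = ""
    initrd: str = ""


def _check_path(p: str) -> str:
    if ".." in p.split("/") or not BOOT_PATH.match(p):
        raise MenuError(f"kernel/initrd path not allowed: {p!r}")
    return p


def parse_menu(text: str) -> Tuple[int, List[Entry]]:
    """Return (default_index, entries) or raise MenuError."""
    if len(text.encode("utf-8", "replace")) > MAX_BYTES:
        raise MenuError("menu too large")
    lines = text.splitlines()
    if len(lines) > MAX_LINES:
        raise MenuError("too many lines")

    default = 0
    entries: List[Entry] = []
    for n, raw in enumerate(lines, 1):
        if len(raw) > MAX_LINE_LEN:
            raise MenuError(f"line {n} too long")
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "default":
            if not val.isdigit():
                raise MenuError(f"line {n}: default must be a number")
            default = int(val)
        elif key == "title":
            if len(entries) >= MAX_ENTRIES:
                raise MenuError("too many entries")
            entries.append(Entry(title=val[:80]))
        elif key in ("kernel", "initrd"):
            if not entries:
                raise MenuError(f"line {n}: {key} before any title")
            path, _, args = val.partition(" ")
            path = _check_path(path)
            if key == "kernel":
                entries[-1].kernel = path
                entries[-1].kernel_args = args.strip()
            else:
                entries[-1].initrd = path
        elif key in IGNORED:
            continue  # tolerated but has no effect on what Dom0 loads
        else:
            raise MenuError(f"line {n}: unknown directive {key!r}")

    if not entries:
        raise MenuError("no boot entries")
    if default >= len(entries):
        raise MenuError("default index out of range")
    for e in entries:
        if not e.kernel:
            raise MenuError(f"entry {e.title!r} has no kernel")
    return default, entries


def reject_reason(text: str) -> Optional[str]:
    """None if the menu is accepted, otherwise the rejection message."""
    try:
        parse_menu(text)
        return None
    except MenuError as exc:
        return str(exc)


# Constructed sample menus (not taken from any real guest).
BENIGN_MENU = """\
default 0
timeout 5

title Debian GNU/Linux
root (hd0,0)
kernel /boot/vmlinuz-2.6.26-2-xen-686 root=/dev/xvda1 ro console=hvc0
initrd /boot/initrd.img-2.6.26-2-xen-686
"""
TRAVERSAL_MENU = "default 0\ntitle x\nkernel /boot/../../etc/shadow\n"
OUTSIDE_BOOT_MENU = "default 0\ntitle x\nkernel /etc/passwd\n"
BAD_INDEX_MENU = "default 5\ntitle x\nkernel /boot/vmlinuz\n"

if __name__ == "__main__":
    print(parse_menu(BENIGN_MENU))
    for m in (TRAVERSAL_MENU, OUTSIDE_BOOT_MENU, BAD_INDEX_MENU):
        print("rejected:", reject_reason(m))
```

The point of the example is the shape of the checks rather than the exact numbers: anything read out of a guest's disk image is attacker input, so the parser fails closed on unknown directives, refuses to follow any path that could leave /boot, and bounds every quantity before doing work with it. Whatever the parser returns is then only a path inside the guest filesystem that the Dom0 side still has to open and copy with the same care.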