
[Xen-users] stubdomains vs dm_restrict


  • To: xen-users@xxxxxxxxxxxxxxxxxxxx
  • From: Éliás Tamás <et@xxxxxxx>
  • Date: Wed, 26 Jun 2019 16:04:58 +0200
  • Delivery-date: Wed, 26 Jun 2019 14:06:31 +0000
  • List-id: Xen user discussion <xen-users.lists.xenproject.org>

Hi All.

I'm playing around with Xen 4.12 on Linux v5.

I have some Windows 10 domUs running in stubdomains. I was satisfied
with them so far. In Xen 4.12 dm_restrict came into the game, and I'm
wondering which solution is more secure.

As per my current understanding, both solutions were mainly
invented to increase the security of HVMs (Windows guests).

Stubdomains at this stage, however, seem to be more mature and a better
approach for me.

Stubdomains are running a minios and that runs in a root process on the
host, while dm_restrict runs on the full-blown qemu but under non-root user
accounts.

I have a feeling that, for a non-friendly guest, breaking out of a stubdomain
seems to be more complicated (having fewer attack vectors) than a dm_restrict.

Does anyone have some ideas, please?


-- 

Éliás Tamás
Thomas Elias

ETIT[nwpro] Ltd, General Manager-Network security specialist

Tel. HU: +36/30-497-1626
OpenPGP pubkey: http://etit.hu/doc/et-pub.asc

Master of Science in Information Technology (MSC)
Licenced Penetration Tester (TM15-047)

Contact (HU): http://etit.hu/index.php/hu/kapcsolat
Disclaimer (HU): http://etit.hu/disclaimer-email-hu.txt
Contact: http://etit.hu/index.php/en/contact
Disclaimer: http://etit.hu/disclaimer-email-en.txt
