From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Hopwood
Subject: Re: Module loading in unpriveledged domains
Date: Mon, 22 Nov 2004 19:37:56 +0000
Message-ID: <41A24014.9060400@blueyonder.co.uk>
Reply-To: david.nospam.hopwood@blueyonder.co.uk
Sender: xen-devel-admin@lists.sourceforge.net
To: xen-devel@lists.sourceforge.net
List-Id: xen-devel@lists.xenproject.org

Ian Pratt wrote:
>>Is there any security risk in enabling loadable module support in the linux
>>kernel used for the unprivileged domains? I ask this question in the context of
>>a virtual private server hosting provider.
>
> There shouldn't be any security risk at all -- Xen should provide
> all the isolation you need (modulo any bugs).

So the answer to the original question is, "yes, enabling loadable module
support will increase your exposure to security risks due to any weaknesses
in Xen's isolation." Xen hasn't had particularly extensive security review yet.

-- 
David Hopwood