From: David Hopwood <david.nospam.hopwood@blueyonder.co.uk>
To: xen-devel@lists.sourceforge.net
Subject: Re: Module loading in unpriveledged domains
Date: Tue, 23 Nov 2004 01:53:15 +0000
Message-ID: <41A2980B.8090506@blueyonder.co.uk>
In-Reply-To: <E1CWMBD-0005iA-00@mta1.cl.cam.ac.uk>

Ian Pratt wrote:
>>Ian Pratt wrote:
>>
>>>>Is there any security risk in enabling loadable module support in the linux
>>>>kernel used for the unprivileged domains? I ask this question in the context of
>>>>a virtual private server hosting provider.
>>>
>>>There shouldn't be any security risk at all -- Xen should provide
>>>all the isolation you need (modulo any bugs).
>>
>>So the answer to the original question is, "yes, enabling loadable module
>>support will increase your exposure to security risks due to any weaknesses
>>in Xen's isolation." Xen hasn't had particularly extensive security review
>>yet.
>
> I don't think that preventing loadable module support is going to
> buy you anything. If your users have root they can write to the
> domain's memory image and hence in practice do anything that they
> could if they had kernel modules.

True, unless there are bugs that cause different behaviour depending
on whether a module is compiled-in or loaded (such as
<http://lists.jammed.com/linux-security-module/2003/12/0012.html>).
Nevertheless enabling loadable modules may allow a greater proportion
of script kiddies to be capable of exploiting any given bug.

This is all the same as in standard Linux, so perhaps I should have
said: enable loadable modules iff you would do so in standard Linux.

> Xen has been designed to provide secure isolation between
> guests. It has undergone code review by a bunch of different
> people. It may have security bugs, but at least they're
> relatively obscure...

I remain skeptical.

--
David Hopwood <david.nospam.hopwood@blueyonder.co.uk>