From mboxrd@z Thu Jan  1 00:00:00 1970
From: David Hopwood <david.nospam.hopwood@blueyonder.co.uk>
Subject: Re: Module loading in unpriveledged domains
Date: Tue, 23 Nov 2004 01:53:15 +0000
Message-ID: <41A2980B.8090506@blueyonder.co.uk>
References: <E1CWMBD-0005iA-00@mta1.cl.cam.ac.uk>
Reply-To: david.nospam.hopwood@blueyonder.co.uk
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-admin@lists.sourceforge.net>
In-Reply-To: <E1CWMBD-0005iA-00@mta1.cl.cam.ac.uk>
Sender: xen-devel-admin@lists.sourceforge.net
Errors-To: xen-devel-admin@lists.sourceforge.net
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.sourceforge.net>
List-Help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
To: xen-devel@lists.sourceforge.net
List-Id: xen-devel@lists.xenproject.org

Ian Pratt wrote:
>>Ian Pratt wrote:
>>
>>>>Is there any security risk in enabling loadable module support in the linux
>>>>kernel used for the unpriveledged domains? I ask this question in the context of
>>>>a virtual private server hosting provider.
>>>
>>>There shouldn't be any security risk at all -- Xen should provide
>>>all the isolation you need (modulo any bugs).
>>
>>So the answer to the original question is, "yes, enabling loadable module
>>support will increase your exposure to security risks due to any weaknesses
>>in Xen's isolation." Xen hasn't had particularly extensive security review
>>yet.
> 
> I don't think that preventing loadable module support is going to
> buy you anything. If your users have root they can write to the
> domain's memory image and hence in practice do anything that they
> could if they had kernel modules.

True, unless there are bugs that cause different behaviour depending
on whether a module is compiled-in or loaded (such as
<http://lists.jammed.com/linux-security-module/2003/12/0012.html>).
Nevertheless enabling loadable modules may allow a greater proportion
of script kiddies to be capable of exploiting any given bug.

This is all the same as in standard Linux, so perhaps I should have
said: enable loadable modules iff you would do so in standard Linux.

> Xen has been designed to provide secure isolation between
> guests. It has undergone code review by a bunch of different
> people. It may have security bugs, but at least they're
> relatively obscure...

I remain skeptical.

-- 
David Hopwood <david.nospam.hopwood@blueyonder.co.uk>



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/