This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] Module loading in unpriveledged domains

To: david.nospam.hopwood@xxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] Module loading in unpriveledged domains
From: Steven Hand <Steven.Hand@xxxxxxxxxxxx>
Date: Mon, 22 Nov 2004 22:33:57 +0000
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxxx, Steven.Hand@xxxxxxxxxxxx
Delivery-date: Mon, 22 Nov 2004 22:35:18 +0000
Envelope-to: xen+James.Bulpin@xxxxxxxxxxxx
In-reply-to: Message from David Hopwood <david.nospam.hopwood@xxxxxxxxxxxxxxxx> of "Mon, 22 Nov 2004 19:37:56 GMT." <41A24014.9060400@xxxxxxxxxxxxxxxx>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
>Ian Pratt wrote:
>>>Is there any security risk in enabling loadable module support in the linux
>>>kernel used for the unprivileged domains? I ask this question in the context of
>>>a virtual private server hosting provider.
>> There shouldn't be any security risk at all -- Xen should provide
>> all the isolation you need (modulo any bugs).
>So the answer to the original question is, "yes, enabling loadable module
>support will increase your exposure to security risks due to any weaknesses
>in Xen's isolation." Xen hasn't had particularly extensive security review

Well, only if you're not already giving root access to the virtual
machine in question (or believe that by not giving it you're protected).
"Security risk" is not particularly well formulated in non-assessed
operating systems (aka pretty much all commodity ones). The Immunix
guys have a great demo of Linux being hosed by about 5 different
freely downloadable exploits (which vary through time, but retain a
similar number), and being stopped by Immunix. Of course one can
imagine a further N exploits which crack Immunix :-)

In short: please feel free to enable loadable module support in an
unprivileged kernel. The trust barrier is xen<->guestOS, and so that's
what you should trust. We cannot guarantee that it's bulletproof but
we're more likely to respond to vulnerabilities in Xen than ones
inherent in Linux.


