This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


Re: [Xen-devel] Module loading in unpriveledged domains

To: xen-devel@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] Module loading in unpriveledged domains
From: David Hopwood <david.nospam.hopwood@xxxxxxxxxxxxxxxx>
Date: Tue, 23 Nov 2004 01:53:15 +0000
Delivery-date: Tue, 23 Nov 2004 01:54:29 +0000
Envelope-to: xen+James.Bulpin@xxxxxxxxxxxx
In-reply-to: <E1CWMBD-0005iA-00@xxxxxxxxxxxxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
References: <E1CWMBD-0005iA-00@xxxxxxxxxxxxxxxxx>
Reply-to: david.nospam.hopwood@xxxxxxxxxxxxxxxx
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla Thunderbird 0.9 (Windows/20041103)
Ian Pratt wrote:
Ian Pratt wrote:

Is there any security risk in enabling loadable module support in the linux
kernel used for the unpriveledged domains? I ask this question in the context of
a virtual private server hosting provider.

There shouldn't be any security risk at all -- Xen should provide
all the isolation you need (modulo any bugs).

So the answer to the original question is, "yes, enabling loadable module
support will increase your exposure to security risks due to any weaknesses
in Xen's isolation." Xen hasn't had particularly extensive security review

I don't think that preventing loadable module support is going to
buy you anything. If your users have root they can write to the
domain's memory image and hence in practice do anything that they
could if they had kernel modules.

True, unless there are bugs that cause different behaviour depending
on whether a module is compiled-in or loaded (such as
Nevertheless enabling loadable modules may allow a greater proportion
of script kiddies to be capable of exploiting any given bug.

This is all the same as in standard Linux, so perhaps I should have
said: enable loadable modules iff you would do so in standard Linux.

Xen has been designed to provide secure isolation between
guests. It has undergone code review by a bunch of different
people. It may have security bugs, but at least they're
relatively obscure...

I remain skeptical.

David Hopwood <david.nospam.hopwood@xxxxxxxxxxxxxxxx>

SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/
Xen-devel mailing list