WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] protecting xen startup

from [Mark Williamson] [Permanent Link][Original]
To: Luke Kenneth Casson Leighton <lkcl@xxxxxxxx>
Subject: Re: [Xen-devel] protecting xen startup
From: Mark Williamson <maw48@xxxxxxxxxxxxxxxx>
Date: Wed, 24 Nov 2004 08:17:27 +0000 (GMT)
Cc: Jan Kundr?t <jan.kundrat@xxxxxx>, Ian Pratt <Ian.Pratt@xxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 24 Nov 2004 21:16:48 +0000
Envelope-to: xen+James.Bulpin@xxxxxxxxxxxx
In-reply-to: <20041124002137.GJ5146@xxxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
References: <20041123205152.GA5146@xxxxxxxx> <E1CWhp6-0004YC-00@xxxxxxxxxxxxxxxxx> <20041123215231.GE5146@xxxxxxxx> <41A3B319.6090401@xxxxxx> <20041124002137.GJ5146@xxxxxxxx>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx 
can i run an xserver in a separate guest OS and still allow the guest
OS direct access to the screen?

how is that done - via a framebuffer drive?

tellmetellme!!!!
There was a very brave chap who had a second PCI graphics card and a second PCI USB controller, which he had given a domain (!=dom0) privileges to access and was trying to persuade X to run. I'm not sure how far he's got now but it's not straightforward. 


If I'm not mistaken, you can start up new VMs only from domain0 or
through HTTP interface, So you can easily firewall all traffic inside
domain0 to local port 8000 (except for 127.0.0.1/32).


yeh, *grumble*, and you can also, in selinux, ban applications from
accessing a port.
Well by setting Xend to only receive connections from localhost and then applying SELinux, you can at least restrict access to the control interface to root... 

Cheers,
Mark


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/ 
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-devel] Kernel running in dom0 wants init= argument, John Christian
Next by Date:  [Xen-devel] Re: Module loading in unpriveledged domains, Scott Mohekey
Previous by Thread:  Re: [Xen-devel] protecting xen startup, Luke Kenneth Casson Leighton
Next by Thread:  Re: [Xen-devel] protecting xen startup, Luke Kenneth Casson Leighton
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy