On 1/31/07, James Miller <jimm@xxxxxxxxxxxxxxx> wrote:
Hi everyone,
I have been using Xen and vserver for some time now. One feature I would
like to reproduce in Xen is Vserver's ability to limit/reduce root's
privileges using the Linux (POSIX) capability system.
Basically, it's not Xen's job to go that deep into the OS's privilege
system. I think, as of now, when you give somebody root access to your
domU, there are no means by which Xen can prevent root from doing random stuff.
And I don't think this will change. Xen is mainly a hypervisor, and
the Xen kernel patches are mainly there to talk nicely to the hypervisor
to get access to the processor, memory and devices, not to go into
the privilege system.
You could use SELinux for things like that, but I am not sure about
the state of integration in Xen Linux kernels, or whether there are any
problems.
Fedora since version 6 has some feature for using Xen Domain 0 on a
SELinux-enabled machine, but I don't know about domU.
Or look at sHype, but that's at another level, far away from POSIX
capabilities. I can imagine that some time, instead of only
preventing domUs with conflicting loads from running on the same hypervisor,
sHype might one day also just check that these domUs can run on the same
dom0 but not share memory segments, disks, or other devices.
Maybe it's an interesting question to ask what exactly you want to
prevent from happening?
Henning
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
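Henning's point is that the hypervisor cannot reach into the guest's privilege model, so the limit James asks about has to be applied by the domU's own kernel. The program below is an added example, not code from this thread, from Xen or from vserver: it is meant to be run early by the guest's init and uses the Linux capability bounding set (prctl PR_CAPBSET_READ/PR_CAPBSET_DROP, available in 2.6.25 and later kernels) so that root inside that guest can no longer load modules, do raw port/memory I/O, reboot or kexec, or ptrace arbitrary processes. The function names and the list of capabilities are my own choices; a real policy would be driven by what you want to prevent.

```c
/* Added example: restrict root inside a Linux domU via the capability
 * bounding set. Not from the Xen-users thread; assumes a Linux guest
 * kernel >= 2.6.25. Function names and the capability list are mine. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/*
 * Report whether a capability is still in this process's bounding set.
 * Returns 1 (present), 0 (dropped) or -1 when the kernel rejects the
 * number with EINVAL (a capability it does not know).
 * PR_CAPBSET_READ needs no privilege, so this works for any user.
 */
int cap_in_bounding_set(int cap)
{
    int rc = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
    if (rc < 0)
        return -1;
    return rc ? 1 : 0;
}

/*
 * Remove a capability from the bounding set of this process and every
 * descendant. Needs CAP_SETPCAP. Returns 0 on success, otherwise the errno
 * (EPERM: caller lacks CAP_SETPCAP; EINVAL: unknown capability). Once
 * dropped, nothing in this process tree can regain the capability, not
 * even by exec'ing a setuid-root binary, which is the whole point.
 */
int drop_from_bounding_set(int cap)
{
    if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0UL, 0UL, 0UL) != 0)
        return errno;
    return 0;
}

/*
 * Drop a list of capabilities and verify the result. Returns how many of
 * them are still in the bounding set afterwards, so a caller can refuse
 * to continue if the policy did not take effect (the usual cause is
 * running without CAP_SETPCAP).
 */
int drop_caps(const int *caps, int n)
{
    int still_present = 0;
    for (int i = 0; i < n; i++) {
        drop_from_bounding_set(caps[i]);   /* may fail; checked below */
        if (cap_in_bounding_set(caps[i]) == 1)
            still_present++;
    }
    return still_present;
}

/*
 * Example policy for a guest where root must not be able to touch the
 * kernel: no module loading, no raw device/memory access, no reboot or
 * kexec, no ptrace of other users' processes.
 */
static const int dangerous_caps[] = {
    CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_BOOT, CAP_SYS_PTRACE
};
static const int n_dangerous = sizeof dangerous_caps / sizeof dangerous_caps[0];

int main(void)
{
    int left = drop_caps(dangerous_caps, n_dangerous);

    for (int i = 0; i < n_dangerous; i++)
        printf("cap %d: %s\n", dangerous_caps[i],
               cap_in_bounding_set(dangerous_caps[i]) == 1 ? "present" : "dropped");

    if (left != 0) {
        fprintf(stderr, "%d capabilities could not be dropped (need CAP_SETPCAP)\n",
                left);
        return 1;
    }
    /* A real guest init would now exec the rest of boot (getty, sshd, ...);
     * everything spawned from here inherits the reduced bounding set. */
    return 0;
}
```

Build with `gcc -std=c99 -Wall -o capdrop capdrop.c` and run it as root (or with CAP_SETPCAP) from the guest's init before any login service is started; run as an ordinary user it leaves the bounding set alone, reports the drops as EPERM and exits non-zero, which is the behaviour you want from a policy that failed to apply. Note that this only constrains the guest from the inside: it is exactly the kind of control that lives in the domU kernel rather than in Xen, and root in the guest can still do anything the remaining capabilities allow.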