WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] protecting xen startup

from [Luke Kenneth Casson Leighton] [Permanent Link][Original]
To: Jan Kundr?t <jan.kundrat@xxxxxx>
Subject: Re: [Xen-devel] protecting xen startup
From: Luke Kenneth Casson Leighton <lkcl@xxxxxxxx>
Date: Wed, 24 Nov 2004 00:21:37 +0000
Cc: Ian Pratt <Ian.Pratt@xxxxxxxxxxxx>, Mark Williamson <maw48@xxxxxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxxx
Delivery-date: Wed, 24 Nov 2004 00:20:30 +0000
Envelope-to: xen+James.Bulpin@xxxxxxxxxxxx
In-reply-to: <41A3B319.6090401@xxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
References: <20041123205152.GA5146@xxxxxxxx> <E1CWhp6-0004YC-00@xxxxxxxxxxxxxxxxx> <20041123215231.GE5146@xxxxxxxx> <41A3B319.6090401@xxxxxx>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.5.1+cvs20040105i 
On Tue, Nov 23, 2004 at 11:00:57PM +0100, Jan Kundr?t wrote:
> Luke Kenneth Casson Leighton wrote:
> > 
> > perhaps i should explain: i am looking to use xen to implement
> > a new level of paranoid security.
> > 
> > i aim to run single applications, such as firefox and
> > openoffice, in their own dedicated virtual machines, a
> > localised file server in one (or more if i can get GFS or OCFS2
> > to work) virtual machine(s), and for the applications to each
> > connect to the xen master running an x-server [nomachine isn't
> > quite suitable, i may have to write my own ssh-based x-proxy].
> 
> Do you mean running xserver in domain0? 

 um, yes.

> You should better setup separate 
> domain for it.

 really?  is that possible?

 can i run an xserver in a separate guest OS and still allow the guest
 OS direct access to the screen?

 how is that done - via a framebuffer drive?

 tellmetellme!!!!

> But are you sure that such a setup will be usable and fast enough? 

 i gonna find out :)

> > allowing a compromised guest OS to fire up another virtual
> > machine, connect to the x-server and spoof "please enter your
> > password" dialog boxes is therefore to be avoided!!!
> 
> If I'm not mistaken, you can start up new VMs only from domain0 or 
> through HTTP interface, So you can easily firewall all traffic inside 
> domain0 to local port 8000 (except for 127.0.0.1/32).
 
 yeh, *grumble*, and you can also, in selinux, ban applications from
 accessing a port.

> j.
> 

-- 
--
<a href="http://lkcl.net";>http://lkcl.net</a>
--


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. 
http://productguide.itmanagersjournal.com/
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-devel] Re: domU kernel panic with root fs, Ian Pratt
Next by Date:  Re: [Xen-devel] Re: domU kernel panic with root fs, Mark Williamson
Previous by Thread:  Re: [Xen-devel] protecting xen startup, Jan Kundrát
Next by Thread:  Re: [Xen-devel] protecting xen startup, Mark Williamson
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy