"Vasiliy Baranov" <vasiliy.baranov@xxxxxxxxx> writes:
> Sure. We are not talking about sharing the kernel between dom0 and domU.
> domUs are going to have completely different kernels anyways. The question
> is, if I have to allow custom modules in domUs (because my users cannot live
> without them), does it make sense to disallow custom kernels, i.e. whether
> disallowing custom kernels is going to buy me much?
First, I'm not really sure how you would disallow custom kernels, without
giving users a box with a castrated root. If you have root on a
regular linux box, there are several mechanisms for modifying the running
kernel without rebooting.
A data point: I've been allowing custom kernels from just about anyone
on the net willing to give me $5 since 2005, and I haven't had anyone break
out from the DomU to the Dom0.
I am entirely paravirtualized, though, and from what I understand, HVM has
a much larger (and theoretically more buggy) interface between Dom0 and DomU.
I have had problems where MAC address conflicts took things down, (lock
those MACs down and firewall them!)
Oh, the weakest part of my system, in my opinion? PyGrub. (that, or my
homemade scripts that give DomU owners access to 'xm console domain')
Now, I don't know of any open security holes in PyGrub, but I know there
were some in the past.
Essentially, PyGrub is a python script that reads /boot/grub/menu.lst from
the guest file system and then copies the kernel from the DomU to the Dom0.
You can imagine how risky that is.
PVGRUB, from Xen 3.3, is theoretically much more secure, as it runs
entirely within the DomU.
Xen-users mailing list