Re: [Xen-devel] protecting xen startup

On Tue, Nov 23, 2004 at 11:00:57PM +0100, Jan Kundrát wrote:
> Luke Kenneth Casson Leighton wrote:
> >
> > perhaps i should explain: i am looking to use xen to implement
> > a new level of paranoid security.
> >
> > i aim to run single applications, such as firefox and
> > openoffice, in their own dedicated virtual machines, a
> > localised file server in one (or more if i can get GFS or OCFS2
> > to work) virtual machine(s), and for the applications to each
> > connect to the xen master running an x-server [nomachine isn't
> > quite suitable, i may have to write my own ssh-based x-proxy].
>
> Do you mean running xserver in domain0?

um, yes.

> You should better setup separate
> domain for it.

really? is that possible? can i run an xserver in a separate
guest OS and still allow the guest OS direct access to the screen?

how is that done - via a framebuffer driver?

tellmetellme!!!!

> But are you sure that such a setup will be usable and fast enough?

i gonna find out :)

> > allowing a compromised guest OS to fire up another virtual
> > machine, connect to the x-server and spoof "please enter your
> > password" dialog boxes is therefore to be avoided!!!
>
> If I'm not mistaken, you can start up new VMs only from domain0 or
> through HTTP interface, So you can easily firewall all traffic inside
> domain0 to local port 8000 (except for 127.0.0.1/32).

yeh, *grumble*, and you can also, in selinux, ban applications from
accessing a port.

> j.
> --

--
http://lkcl.net

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel