Re: Xen support on Squeeze

To: debian-devel@lists.debian.org
Subject: Re: Xen support on Squeeze
From: Romain Francoise <rfrancoise@debian.org>
Date: Sun, 03 Jan 2010 12:03:29 +0100
Message-id: <[🔎] 87aawvfo1q.fsf@elegiac.orebokech.com>
References: <[🔎] 20100103010140.GF3014@microcomaustralia.com.au> <[🔎] e13a36b31001022047h435ff4ccxe6efefe2c15f1ab5@mail.gmail.com> <[🔎] 20100103054806.GG3014@microcomaustralia.com.au>

Brian May <bam@snoopy.debian.net> writes:

> http://blog.orebokech.com/2007/05/xen-security-or-lack-thereof.html links to
> http://taviso.decsystem.org/virtsec.pdf.

> I don't know for certain this applies to KVM, however I would assume so.

Only to a certain extent. Nowadays Linux guests in KVM use virtio
for disk/network devices and you can disable most of the rest
(vga/cdrom, etc) if you only need a Xen replacement, leaving only a
few emulated devices.

You can additionally run the kvm processes unprivileged and chrooted
on the host, and in some distributions you can even sandbox them
using SELinux (Fedora/RHEL) or AppArmor (Ubuntu). Sadly, it seems
that Debian isn't quite there yet.

Also, it is my impression that QEMU receives much more attention now
that KVM is popular, so its security record will probably improve
over time.

-- 
Romain Francoise <rfrancoise@debian.org>
http://people.debian.org/~rfrancoise/

Reply to:

References:
- Xen support on Squeeze
  - From: Brian May <bam@snoopy.debian.net>
- Re: Xen support on Squeeze
  - From: Paul Wise <pabs@debian.org>
- Re: Xen support on Squeeze
  - From: Brian May <bam@snoopy.debian.net>

Prev by Date: Re: Increasing developer productivity through tools
Next by Date: Re: defaulting to net.ipv6.bindv6only=1 for squeeze
Previous by thread: Re: Xen support on Squeeze
Next by thread: Re: Xen support on Squeeze
Index(es):
- Date
- Thread