Qubes Leverages Xen for Application Security on Linux
-
LinuxInsider takes a look at the Qubes Linux distro and how it leverages Xen to create VM containers for applications in order to increase security.
-
It's interesting that they choose this approach vs something like an unprivileged LXC container.
-
LXC is not as secure.
-
@scottalanmiller said:
LXC is not as secure.
Unprivileged is from the host. I guess maybe not from container to container.
-
@johnhooks said:
@scottalanmiller said:
LXC is not as secure.
Unprivileged is from the host. I guess maybe not from container to container.
The separation in Xen is extreme, though. No kernel sharing even.
-
@scottalanmiller said:
@johnhooks said:
@scottalanmiller said:
LXC is not as secure.
Unprivileged is from the host. I guess maybe not from container to container.
The separation in Xen is extreme, though. No kernel sharing even.
True. With the unprivileged container you would have to find an exploit to allow a normal user to have system access though. Those containers are limited to the user's home folder and at worst only what they could access anywhere else.
How secure is running a DE in the Dom0 though?
-
@johnhooks said:
How secure is running a DE in the Dom0 though?
Are they running it there?
-
@scottalanmiller said:
@johnhooks said:
How secure is running a DE in the Dom0 though?
Are they running it there?
Ya.
Dom0 is sort of a system domain separate from the default domains and any other domains you create. The desktop manager runs in this domain. Your login credentials reside there. Much like a super domain, Dom0 is more trusted than any other domain.
It provides just two functions: It runs the window manager and the desktop manager.