Brian May <b...@snoopy.debian.net> writes:

> http://blog.orebokech.com/2007/05/xen-security-or-lack-thereof.html links to
> http://taviso.decsystem.org/virtsec.pdf.
> I don't know for certain this applies to KVM, however I would assume so.

Only to a certain extent. Nowadays Linux guests in KVM use virtio for disk/network devices and you can disable most of the rest (vga/cdrom, etc) if you only need a Xen replacement, leaving only a few emulated devices. You can additionally run the kvm processes unprivileged and chrooted on the host, and in some distributions you can even sandbox them using SELinux (Fedora/RHEL) or AppArmor (Ubuntu). Sadly, it seems that Debian isn't quite there yet.

Also, it is my impression that QEMU receives much more attention now that KVM is popular, so its security record will probably improve over time.

--
Romain Francoise <rfranco...@debian.org>
http://people.debian.org/~rfrancoise/
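
The hardening steps named in the reply above (unprivileged and chrooted process, few emulated devices, virtio), as an added example that is not part of the original message: a shell check over a single QEMU/KVM command line. The user name, chroot path, image names and both sample command lines are constructed.

```shell
#!/bin/sh
# Added example: checks one QEMU/KVM command line for the hardening steps in the
# reply. -runas, -chroot, -nodefaults, -vga and -cdrom are real QEMU options.

# Prints one finding per line; returns 0 if there are none, 1 otherwise.
audit_kvm_cmdline() {
    cmd=" $1 "   # pad so every option can be matched as a whole word
    rc=0
    case "$cmd" in
        *" -runas root "*) echo "privileged: -runas root"; rc=1 ;;
        *" -runas "*) ;;
        *) echo "privileged: no -runas <user>, process keeps its starting uid"; rc=1 ;;
    esac
    case "$cmd" in
        *" -chroot "*) ;;
        *) echo "filesystem: no -chroot <dir>"; rc=1 ;;
    esac
    case "$cmd" in
        *" -nodefaults "*) ;;
        *) echo "devices: no -nodefaults, default emulated devices are created"; rc=1 ;;
    esac
    case "$cmd" in
        *" -vga none "*) ;;
        *" -vga "*) echo "devices: emulated VGA adapter requested"; rc=1 ;;
    esac
    case "$cmd" in
        *" -cdrom "*|*media=cdrom*) echo "devices: emulated CD-ROM drive attached"; rc=1 ;;
    esac
    case "$cmd" in
        *virtio*) ;;
        *) echo "devices: no virtio disk or network device"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample command lines (user name, paths and image names are made up).
WEAK='qemu-system-x86_64 -enable-kvm -m 1024 -hda guest.img -cdrom install.iso -vga std -net nic,model=e1000'
HARDENED='qemu-system-x86_64 -enable-kvm -m 1024 -nodefaults -vga none -nographic -runas kvmguest -chroot /var/empty/kvm -drive file=guest.img,if=virtio -netdev tap,id=n0 -device virtio-net-pci,netdev=n0'

for c in "$WEAK" "$HARDENED"; do
    if audit_kvm_cmdline "$c"; then echo "=> no findings"; else echo "=> findings above"; fi
done
```

To check a running guest, pass the function the process's command line with the NUL separators in /proc/PID/cmdline turned into spaces.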