Elmar, Do you have documentation of your labours available?
Sincerely, Joh On Monday 30 November 2015 18:20:00 Elmar Stellnberger wrote: > Dear Henriette, > > Yes, I am using qemu-kvm based virtualization. According to my > experience that was sufficient to protect the host from the guest. The > most vulnerable part will be the graphics output as I have already said. > Nonetheless I did also receive the many messages about vulnerabilities > in the Wifi stack. Gonna have to tell that I do only have practical > experience with qemu-kvm/ethernet. You can use a mobile wifi router > through which you plug in your ethernet port (or wait for and trust in > the fixes). Separating the Wifi driver in its own Xen-domain would of > course be another solution as long as all graphcis output still becomes > filtered by emulating a virtual graphics card/device. > > Best Elmar > > On 29.11.2015 22:31, Henriette wrote: > > Hey Elmar, > > > > I was looking into using virtualization for security purposes too. However > > I refrained from using a full grown vbox installation so far. > > > > I saw that qemu provides a user-mode virtualization. I could imagine that > > this brings already some security if you are able to specify access only > > to certain directories etc. However I couldn't find any info with some > > quick google searches on how to use qemu to improve systems security by > > virt. Are you using this mode to get some security or is there no way > > around a full virtualization to improve security? > > > > Best Henriette > > > > Am Sun, 29 Nov 2015 21:26:41 +0100 > > > > schrieb Elmar Stellnberger <[email protected]>: > >> SELinux is more elaborate and more complicated than Apparmor; tomoyo > >> relatively new. I would personally regard none of those MAC systems as > >> ultimate remedy to hard security problems. In 2011 I had a > >> RedHat/SELinux system in its default configuration and it was > >> compromised within minutes by simply viewing the page of my bank with a > >> web browser (read the whole at: > >> http://www.elstel.org/Censorship.html.en). Note that a single faulty > >> system call in the Linux kernel may be used to obtain root rights > >> leaving all additional security gains that MAC systems should deliver > >> behind. Please note also that a system can not be secured without > >> securing your X-server (formerly one could even paste text into any > >> other window like a root console without being in need of root rights). > >> Finally the security profiles of MAC systems are very complicated so > >> that they would hardly deliver the security as possible in theory. If > >> you wanna ask me for my security solution it is qemu based and puts the > >> most vulnerable system components like browsers and email programs into > >> a virtual machine namely qemu which is maintained by the Open Source > >> commnunity. > >> > >> Regards, > >> Elmar > >> > >> On 29.11.2015 18:29, c4p0 wrote: > >>> I read the fucking manuals but don't have clear what is the better > >>> option of "Mandatory Access Control" for debian jessie. > >>> (AppArmor, SElinux, tomoyo, etc ..) > >>> > >>> someone can give me your opinion about it? > >>> thanks in advance
