On January 25, 2018 5:56:41 PM GMT+01:00, "taii...@gmx.com" <taii...@gmx.com> 
wrote:
>On 01/18/2018 04:00 PM, Alex Dubois wrote:
>Correct me if I am wrong but I don't see the issue with an apparmor 
>restricted qemu running in dom0...

Well, AppArmor might reduce the attack surface, but remember that:

1. Qubes was not intended to run QEMU in dom0 and
2. Qubes dom0 is often based on an outdated Fedora. While ITL provides security 
updates for security-critical components, it does not necessarily cover all 
vulnerabilities in the kernel and AppArmor, because of #1.
3. The Linux kernel is considered quite a bit weaker than Xen in terms of attack 
surface, so exploits in the Linux kernel are more likely. AppArmor might mitigate 
*some* of them, but not all.

Regards,
Vít Šesták 'v6ak'
