> Limit the damage if the Zone's VBox application is somehow
> subverted by the guest OS.

There are VBox modules in the kernel and the containers framework
can't stop misbehavior in kernelspace.

>
>
> Beyond security, running VBox in a Zone allows you to make
> use of Zone Resource Controls and Crossbow networking.
> Cool stuff!

No question about the cool features. My concern is whether running VBox in a
local zone has any security advantage regarding an evil guest over
running it in the global one. And if so, why? The VBox process itself
doesn't run as root, but there are its drivers the attack may go
through.

Petr

>
> John
> groenv...@acm.org
> _______________________________________________
> zones-discuss mailing list
> zones-discuss@opensolaris.org
>