On Tue, Dec 28, 2010 at 06:45:00AM -0800, Orvar Korvar wrote:
> "....My advice to the paranoid regarding VMs would be to disable
> extensions allowing the guest broader communication channels to services
> on the host..."
> I didn't understand. You mean, for each local zone: disabling ssh and
> all other connections to the outside world?
No, I mean don't enable too many features that involve the guest talking
to the host. For example, in VBox, don't enable display sharing, nor
file sharing between the guest and the host.
In LDoms-type architectures I'd avoid the use of shared memory for
inter-guest, cross-backplane communications (this might mean having to
use NICs to communicate between the guests, which is rather
In Zones this principle is harder to apply because the g-z's kernel is
shared with all guests. For example, not using VNICs isn't likely to
reduce the attack surface all that much. But g-z user-land services for
ngzs could still be avoided.
zones-discuss mailing list
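The VBox advice above (no clipboard, drag-and-drop or shared folders between guest and host) can be turned into a quick audit of a VM's configuration. The script below is an added example, not code from this thread or from the VirtualBox project: it parses the key=value output of `VBoxManage showvminfo <vm> --machinereadable` and reports every guest-to-host channel that is still enabled. The key names it looks for (`clipboard`, `draganddrop`, `SharedFolderNameMachineMapping<N>`, `SharedFolderNameTransientMapping<N>`) are assumed from that output format and should be checked against your VirtualBox version; the sample configuration lines it runs on are constructed here, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread or from VirtualBox): audit a VM's
# guest<->host channels from `VBoxManage showvminfo <vm> --machinereadable`.
# Key names below are assumptions about that output format.

# Print one "ENABLED: ..." line per guest<->host channel found in the
# showvminfo dump given as $1. Always returns 0; count the lines to score.
audit_vbox_channels() {
    while IFS='=' read -r key value; do
        # strip the surrounding double quotes that showvminfo puts on values
        value=${value%\"}
        value=${value#\"}
        case "$key" in
            clipboard|draganddrop)
                # anything other than "disabled" is a channel to the host
                if [ "$value" != "disabled" ]; then
                    echo "ENABLED: $key=$value"
                fi ;;
            SharedFolderNameMachineMapping*|SharedFolderNameTransientMapping*)
                # a shared folder mapping is the "file sharing" the thread warns about
                echo "ENABLED: shared folder '$value' ($key)" ;;
        esac
    done < "$1"
    return 0
}

# Number of enabled channels in the dump given as $1 (0 means hardened).
count_vbox_channels() {
    audit_vbox_channels "$1" | wc -l | tr -d ' '
}

# Constructed sample: a lab guest with clipboard and a shared folder on.
write_sample_vm_config() {
    cat > "$1" <<'EOF'
name="lab-guest"
clipboard="bidirectional"
draganddrop="disabled"
SharedFolderNameMachineMapping1="projects"
SharedFolderPathMachineMapping1="/home/user/projects"
EOF
}

# Constructed sample: the same guest after the channels were turned off.
write_hardened_vm_config() {
    cat > "$1" <<'EOF'
name="lab-guest"
clipboard="disabled"
draganddrop="disabled"
EOF
}

# Stand-alone demo on the constructed samples.
demo=$(mktemp)
write_sample_vm_config "$demo"
echo "before hardening:"
audit_vbox_channels "$demo"
echo "channels enabled: $(count_vbox_channels "$demo")"
write_hardened_vm_config "$demo"
echo "after hardening: channels enabled: $(count_vbox_channels "$demo")"
rm -f "$demo"
```

To run it against a real VM, save `VBoxManage showvminfo "$vm" --machinereadable` to a file and pass that file to `audit_vbox_channels`. The matching remediation is done with `VBoxManage modifyvm` (clipboard and drag-and-drop options) and `VBoxManage sharedfolder remove`; consult the VBoxManage documentation for the exact option names in your release, since they have changed between versions.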