LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

typo

typo

Posted Aug 1, 2010 13:36 UTC (Sun) by copsewood (subscriber, #199)
In reply to: Is virtualisation a viable alternative to MAC ? by copsewood
Parent article: AppArmor set to be merged for 2.6.36

"implementing the kind of DAC solution" in my previous comment should have read MAC.

(Log in to post comments)

typo

Posted Aug 1, 2010 20:09 UTC (Sun) by drag (subscriber, #31333) [Link]

Absolutely.. a properly designed MAC policy combined with virtualization should yield superior results.

But the thing to remember, especially with container-style virtualization, is that even when combined with a MAC policy mechanism losing a single VM + having a single kernel-level exploit can easily lead to the loss of your entire machine.

For a full VM solution it's a bit better as the attacker has to find a exploit in the VM software first and theoretically it is going to be more difficult then finding a local kernel exploit. But I don't know much about that.

So in this case it's still good to think of it as your losing security compared to having dedicated hosting in exchange for much lower cost.. and the provider can use MAC to recover some of the lost security. But it's still not as nice as having a separate real machine. :)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds