Date: Tue, 07 Feb 2012 06:51:48 -0600
From: Anthony Liguori <anthony@...emonkey.ws>
To: Avi Kivity <avi@...hat.com>
CC: Scott Wood <scottwood@...escale.com>, Eric Northup <digitaleric@...gle.com>, qemu-devel <qemu-devel@...gnu.org>, KVM list <kvm@...r.kernel.org>, linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [Qemu-devel] [RFC] Next gen kvm api

On 02/07/2012 06:40 AM, Avi Kivity wrote:
> On 02/07/2012 02:28 PM, Anthony Liguori wrote:
>>
>>> It's a potential source of exploits
>>> (from bugs in KVM or in hardware). I can see people wanting to be
>>> selective with access because of that.
>>
>> As is true of the rest of the kernel.
>>
>> If you want finer grain access control, that's exactly why we have things like
>> LSM and SELinux. You can add the appropriate LSM hooks into the KVM
>> infrastructure and setup default SELinux policies appropriately.
>
> LSMs protect objects, not syscalls. There isn't an object to protect here
> (except the fake /dev/kvm object).

A VM can be an object.

Regards,

Anthony Liguori

> In theory, kvm is exactly the same as other syscalls, but in practice, it is
> used by only very few user programs, so there may be many unexercised paths.
>