| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 07 Feb 2012 15:18:21 +0200 From: Avi Kivity <avi@...hat.com> To: Anthony Liguori <anthony@...emonkey.ws> CC: Scott Wood <scottwood@...escale.com>, Eric Northup <digitaleric@...gle.com>, qemu-devel <qemu-devel@...gnu.org>, KVM list <kvm@...r.kernel.org>, linux-kernel <linux-kernel@...r.kernel.org> Subject: Re: [Qemu-devel] [RFC] Next gen kvm api On 02/07/2012 02:51 PM, Anthony Liguori wrote: > On 02/07/2012 06:40 AM, Avi Kivity wrote: >> On 02/07/2012 02:28 PM, Anthony Liguori wrote: >>> >>>> It's a potential source of exploits >>>> (from bugs in KVM or in hardware). I can see people wanting to be >>>> selective with access because of that. >>> >>> As is true of the rest of the kernel. >>> >>> If you want finer grain access control, that's exactly why we have >>> things like >>> LSM and SELinux. You can add the appropriate LSM hooks into the KVM >>> infrastructure and setup default SELinux policies appropriately. >> >> LSMs protect objects, not syscalls. There isn't an object to protect >> here >> (except the fake /dev/kvm object). > > A VM can be an object. > Not really, it's not accessible in a namespace. How would you label it? Maybe we can reuse the process label/context (not sure what the right term is for a process). -- I have a truly marvellous patch that fixes the bug which this signature is too narrow to contain. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists