Re: [Qemu-devel] [PATCH 0/5] ATAPI pass through v2

[Carl-Daniel Hailfinger]

On 08.07.2009 18:38, Avi Kivity wrote:
> On 07/08/2009 07:09 PM, Ian Jackson wrote:
>>> I'm sure something like SELinux can be used to prevent a root QEMU
>>> process from doing a firmware upgrade.
>>>      
>>
>> *boggle*  You're not serious, are you ?    
>
> selinux can prevent anything.  In fact, I'm sure it does.

I doubt SELinux has a builtin ATAPI command filter which knows all
_undocumented_ firmware upgrade commands. In fact, there are some ATAPI
devices which abuse existing and documented-as-harmless ATAPI commands
(which are regularly used for CD burning) for firmware upgrades.

Unless SELinux knows every single firmware upgrade mechanism for every
ATAPI device ever released (including special hacked RPC1 firmware
etc.), the only way to prevent firmware upgrades is to disable ATAPI
command passthrough. It's like wanting to secure a completely unpatched
Windows server by placing it behind a Linux firewall. You can hope, but
nobody is going to vouch for the security of that Windows machine.

So yes, SELinux can probably prevent firmware upgrades, but only by
disabling raw ATAPI access completely. In that case, the ATAPI
passthrough is pointless.

Regards,
Carl-Daniel

-- 
http://www.hailfinger.org/