On 08.07.2009 18:38, Avi Kivity wrote:
On 07/08/2009 07:09 PM, Ian Jackson wrote:
I'm sure something like SELinux can be used to prevent a root QEMU
process from doing a firmware upgrade.
*boggle* You're not serious, are you ?
selinux can prevent anything. In fact, I'm sure it does.
I doubt SELinux has a builtin ATAPI command filter which knows all
_undocumented_ firmware upgrade commands. In fact, there are some ATAPI
devices which abuse existing and documented-as-harmless ATAPI commands
(which are regularly used for CD burning) for firmware upgrades.