Re: [Qemu-devel] [RFC] Next gen kvm api

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [RFC] Next gen kvm api

From:	Avi Kivity
Subject:	Re: [Qemu-devel] [RFC] Next gen kvm api
Date:	Tue, 07 Feb 2012 14:40:29 +0200
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20120131 Thunderbird/10.0

On 02/07/2012 02:28 PM, Anthony Liguori wrote:

 It's a potential source of exploits
(from bugs in KVM or in hardware).  I can see people wanting to be
selective with access because of that.
As is true of the rest of the kernel.
If you want finer grain access control, that's exactly why we havethings like LSM and SELinux. You can add the appropriate LSM hooksinto the KVM infrastructure and setup default SELinux policiesappropriately.

LSMs protect objects, not syscalls. There isn't an object to protecthere (except the fake /dev/kvm object).

In theory, kvm is exactly the same as other syscalls, but in practice,it is used by only very few user programs, so there may be manyunexercised paths.


--
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [Qemu-devel] [RFC] Next gen kvm api, (continued)
- Re: [Qemu-devel] [RFC] Next gen kvm api, Rob Earhart, 2012/02/03
  - Re: [Qemu-devel] [RFC] Next gen kvm api, Rob Earhart, 2012/02/03
  - Re: [Qemu-devel] [RFC] Next gen kvm api, Avi Kivity, 2012/02/05
    - Re: [Qemu-devel] [RFC] Next gen kvm api, Rob Earhart, 2012/02/06

Prev by Date: Re: [Qemu-devel] [RFC PATCH] replication agent module
Next by Date: Re: [Qemu-devel] [RFC] Next gen kvm api
Previous by thread: Re: [Qemu-devel] [RFC] Next gen kvm api
Next by thread: Re: [Qemu-devel] [RFC] Next gen kvm api
Index(es):
- Date
- Thread