Message-ID: <4A54D722.3040602@gmx.net>
Date: Wed, 08 Jul 2009 19:28:02 +0200
From: Carl-Daniel Hailfinger
Subject: Re: [Qemu-devel] [PATCH 0/5] ATAPI pass through v2
References: <200907011931.53521.alexandre.bique@citrix.com> <20090707200327.GA3902@miranda.arrow> <4A53D2FD.4040004@codemonkey.ws> <5d3bb3090907071421i506a2f0bh5aca170c35a26f62@mail.gmail.com> <200907072344.33893.paul@codesourcery.com> <5d3bb3090907071550s6e832c45k804bca769aa57f70@mail.gmail.com> <4A53D3B1.2020903@codemonkey.ws> <19028.50372.333318.144669@mariner.uk.xensource.com> <4A54CB88.7050809@redhat.com>
In-Reply-To: <4A54CB88.7050809@redhat.com>
To: Avi Kivity
Cc: Ian Jackson, Paul Brook, Alexandre Bique, qemu-devel@nongnu.org

On 08.07.2009 18:38, Avi Kivity wrote:
> On 07/08/2009 07:09 PM, Ian Jackson wrote:
>>> I'm sure something like SELinux can be used to prevent a root QEMU
>>> process from doing a firmware upgrade.
>>>
>>
>> *boggle* You're not serious, are you ?
>
> selinux can prevent anything. In fact, I'm sure it does.
I doubt SELinux has a builtin ATAPI command filter which knows all _undocumented_ firmware upgrade commands. In fact, there are some ATAPI devices which abuse existing and documented-as-harmless ATAPI commands (which are regularly used for CD burning) for firmware upgrades. Unless SELinux knows every single firmware upgrade mechanism for every ATAPI device ever released (including special hacked RPC1 firmware etc.), the only way to prevent firmware upgrades is to disable ATAPI command passthrough.

It's like wanting to secure a completely unpatched Windows server by placing it behind a Linux firewall. You can hope, but nobody is going to vouch for the security of that Windows machine.

So yes, SELinux can probably prevent firmware upgrades, but only by disabling raw ATAPI access completely. In that case, the ATAPI passthrough is pointless.

Regards,
Carl-Daniel

--
http://www.hailfinger.org/