From: Charles Duffy
Subject: Re: How to use current KVM with non-modular kernel
Date: Wed, 03 Sep 2008 12:39:57 -0500
To: kvm@vger.kernel.org
In-Reply-To: <48BE41E0.4030103@gmx.net>

Would it not address your security concerns to build a modular kernel, load the current kvm module, and then drop CAP_SYS_MODULE as part of your boot scripts?
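
One way to check that the drop suggested above actually took effect, as an added example that is not part of the original message: the script lists every process whose capability bounding set still contains CAP_SYS_MODULE. It assumes a kernel of 2.6.25 or later, where the bounding set is a per-thread attribute shown as `CapBnd` in `/proc/<pid>/status`; the function names are hypothetical and the sample status files are constructed.

```shell
#!/bin/sh
# Added example: list processes whose capability bounding set still
# contains CAP_SYS_MODULE after the boot scripts were meant to drop it.
# Function names are hypothetical; sample data below is constructed.
CAP_SYS_MODULE_BIT=16   # value of CAP_SYS_MODULE in <linux/capability.h>

# has_cap_sys_module HEXMASK: succeeds if the mask has bit 16 set.
has_cap_sys_module() {
    [ $(( (0x$1 >> $CAP_SYS_MODULE_BIT) & 1 )) -eq 1 ]
}

# status_field FILE KEY: print the value of "KEY:" from a status file.
status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1" 2>/dev/null
}

# audit_bounding_sets [PROC_ROOT]: print "pid name" for every process
# whose bounding set still allows CAP_SYS_MODULE; return 1 if any found.
audit_bounding_sets() {
    root=${1:-/proc}
    found=0
    for status in "$root"/[0-9]*/status; do
        [ -r "$status" ] || continue      # process exited or glob unmatched
        mask=$(status_field "$status" CapBnd)
        [ -n "$mask" ] || continue
        if has_cap_sys_module "$mask"; then
            pid=${status%/status}
            echo "${pid##*/} $(status_field "$status" Name)"
            found=1
        fi
    done
    return "$found"
}

# make_sample_proc DIR: constructed stand-in for /proc with two processes,
# one keeping CAP_SYS_MODULE in CapBnd and one with bit 16 cleared.
make_sample_proc() {
    mkdir -p "$1/1" "$1/200"
    printf 'Name:\tinit\nCapBnd:\t000001ffffffffff\n' > "$1/1/status"
    printf 'Name:\tqemu-kvm\nCapBnd:\t000001fffffeffff\n' > "$1/200/status"
}

# Run against the live system only when asked: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_bounding_sets
    exit $?
fi
```

Any process reported here was started outside the lineage in which the capability was dropped, which usually means the drop ran too late in the boot sequence.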