From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1MObUA-00051D-Id
	for qemu-devel@nongnu.org; Wed, 08 Jul 2009 14:03:14 -0400
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1MObU6-00050o-2p
	for qemu-devel@nongnu.org; Wed, 08 Jul 2009 14:03:14 -0400
Received: from [199.232.76.173] (port=34010 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1MObU6-00050l-0T
	for qemu-devel@nongnu.org; Wed, 08 Jul 2009 14:03:10 -0400
Received: from mail-px0-f201.google.com ([209.85.216.201]:57292)
	by monty-python.gnu.org with esmtp (Exim 4.60)
	(envelope-from <anthony@codemonkey.ws>) id 1MObU5-0001Ot-FX
	for qemu-devel@nongnu.org; Wed, 08 Jul 2009 14:03:09 -0400
Received: by pxi39 with SMTP id 39so2174171pxi.4
	for <qemu-devel@nongnu.org>; Wed, 08 Jul 2009 11:03:08 -0700 (PDT)
Message-ID: <4A54DF57.6080303@codemonkey.ws>
Date: Wed, 08 Jul 2009 13:03:03 -0500
From: Anthony Liguori <anthony@codemonkey.ws>
MIME-Version: 1.0
Subject: Re: [Qemu-devel] [PATCH 0/5] ATAPI pass through v2
References: <200907011931.53521.alexandre.bique@citrix.com>	<20090707200327.GA3902@miranda.arrow>	<4A53D2FD.4040004@codemonkey.ws>	<5d3bb3090907071421i506a2f0bh5aca170c35a26f62@mail.gmail.com>	<200907072344.33893.paul@codesourcery.com>	<5d3bb3090907071550s6e832c45k804bca769aa57f70@mail.gmail.com>	<4A53D3B1.2020903@codemonkey.ws>	<19028.50372.333318.144669@mariner.uk.xensource.com>	<4A54CB88.7050809@redhat.com>
	<4A54D722.3040602@gmx.net>
In-Reply-To: <4A54D722.3040602@gmx.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net>
Cc: qemu-devel@nongnu.org, Ian Jackson <Ian.Jackson@eu.citrix.com>, Avi Kivity <avi@redhat.com>, Alexandre Bique <bique.alexandre@gmail.com>, Paul Brook <paul@codesourcery.com>

Carl-Daniel Hailfinger wrote:
> On 08.07.2009 18:38, Avi Kivity wrote:
>   
>> On 07/08/2009 07:09 PM, Ian Jackson wrote:
>>     
>>>> I'm sure something like SELinux can be used to prevent a root QEMU
>>>> process from doing a firmware upgrade.
>>>>      
>>>>         
>>> *boggle*  You're not serious, are you ?    
>>>       
>> selinux can prevent anything.  In fact, I'm sure it does.
>>     
>
> I doubt SELinux has a builtin ATAPI command filter which knows all
> _undocumented_ firmware upgrade commands. In fact, there are some ATAPI
> devices which abuse existing and documented-as-harmless ATAPI commands
> (which are regularly used for CD burning) for firmware upgrades.
>   

So then we can't prevent it either which means the whole discussion is 
moot :-)

Regards,

Anthony Liguori