Message-ID: <4A54E011.6090204@codemonkey.ws>
Date: Wed, 08 Jul 2009 13:06:09 -0500
From: Anthony Liguori
To: Vincent Hanquez
Cc: Ian Jackson, Paul Brook, Alexandre Bique, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH 0/5] ATAPI pass through v2
In-Reply-To: <20090708174829.GA7078@snarc.org>
References: <200907011931.53521.alexandre.bique@citrix.com>
 <20090707200327.GA3902@miranda.arrow>
 <4A53D2FD.4040004@codemonkey.ws>
 <5d3bb3090907071421i506a2f0bh5aca170c35a26f62@mail.gmail.com>
 <200907072344.33893.paul@codesourcery.com>
 <5d3bb3090907071550s6e832c45k804bca769aa57f70@mail.gmail.com>
 <4A53D3B1.2020903@codemonkey.ws>
 <19028.50372.333318.144669@mariner.uk.xensource.com>
 <4A54D57B.8080603@codemonkey.ws>
 <20090708174829.GA7078@snarc.org>

Vincent Hanquez wrote:
> On Wed, Jul 08, 2009 at 12:20:59PM -0500, Anthony Liguori wrote:
>
>>>> I'm sure something like SELinux can be used to prevent a root QEMU
>>>> process from doing a firmware upgrade.
>>>
>>> *boggle* You're not serious, are you?
>>
>> Yes, I'm actually a fan of SELinux in the context of a dedicated
>> virtualization system.
>
> Do you really expect to put a SCSI packet inspector (to detect firmware
> update, for example) in a SELinux layer?

SELinux uses LSM to provide security hooks for enforcement, so if there
isn't one already, one would add an LSM hook in the Linux ATAPI driver for
firmware updates.

Regards,

Anthony Liguori
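As an added illustration of what the "SCSI packet inspector to detect firmware update" debated above would actually have to look at, the following is a user-space CDB classifier. It is example code written for this archive page, not code from the ATAPI pass-through patch series, from QEMU, or from any LSM, and a real enforcement point would live in the kernel where the pass-through ioctl hands the CDB to the device. The opcodes and field offsets are the standard ones from SPC/SAT/ACS (WRITE BUFFER 0x3B with the mode in byte 1 bits 4:0, ATA PASS-THROUGH(12) 0xA1 with the ATA command in byte 9, ATA PASS-THROUGH(16) 0x85 with the ATA command in byte 14, ATA DOWNLOAD MICROCODE 0x92 / 0x93); the function and enum names and the sample CDBs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard SCSI/ATA opcodes (SPC, SAT, ACS). Not taken from the patch series. */
#define SCSI_WRITE_BUFFER           0x3B
#define SCSI_ATA_PASSTHROUGH_16     0x85
#define SCSI_ATA_PASSTHROUGH_12     0xA1
#define ATA_DOWNLOAD_MICROCODE      0x92
#define ATA_DOWNLOAD_MICROCODE_DMA  0x93

/* Verdicts returned by the (hypothetical) inspector. */
enum fw_verdict {
    FW_ALLOW = 0,            /* not a firmware-update command */
    FW_DENY_WRITE_BUFFER,    /* WRITE BUFFER in a download-microcode mode */
    FW_DENY_ATA_MICROCODE,   /* ATA DOWNLOAD MICROCODE via SAT pass-through */
    FW_DENY_SHORT_CDB        /* CDB too short to classify: fail closed */
};

/* WRITE BUFFER modes (byte 1, bits 4:0) that download microcode to the device.
 * 0x04..0x07 are the classic download/save variants, 0x0D..0x0F the
 * deferred-activation variants. Bits 7:5 are reserved (LUN in old SPC) and
 * must be masked off so a caller cannot slip past the check by setting them. */
static int write_buffer_mode_is_microcode(uint8_t byte1)
{
    switch (byte1 & 0x1F) {
    case 0x04: case 0x05: case 0x06: case 0x07:
    case 0x0D: case 0x0E: case 0x0F:
        return 1;
    default:
        return 0;
    }
}

static int ata_cmd_is_microcode(uint8_t cmd)
{
    return cmd == ATA_DOWNLOAD_MICROCODE || cmd == ATA_DOWNLOAD_MICROCODE_DMA;
}

/* Classify one CDB. Everything not recognised as a firmware update is allowed,
 * mirroring the deny-list the thread is talking about; a production policy
 * would more likely allow-list the handful of read-only opcodes instead. */
int cdb_firmware_update_check(const uint8_t *cdb, size_t len)
{
    if (len == 0)
        return FW_DENY_SHORT_CDB;

    switch (cdb[0]) {
    case SCSI_WRITE_BUFFER:
        if (len < 10)                         /* WRITE BUFFER is a 10-byte CDB */
            return FW_DENY_SHORT_CDB;
        return write_buffer_mode_is_microcode(cdb[1])
               ? FW_DENY_WRITE_BUFFER : FW_ALLOW;

    case SCSI_ATA_PASSTHROUGH_12:
        if (len < 12)                         /* ATA command lives in byte 9 */
            return FW_DENY_SHORT_CDB;
        return ata_cmd_is_microcode(cdb[9]) ? FW_DENY_ATA_MICROCODE : FW_ALLOW;

    case SCSI_ATA_PASSTHROUGH_16:
        if (len < 16)                         /* ATA command lives in byte 14 */
            return FW_DENY_SHORT_CDB;
        return ata_cmd_is_microcode(cdb[14]) ? FW_DENY_ATA_MICROCODE : FW_ALLOW;

    default:
        return FW_ALLOW;
    }
}

int main(void)
{
    /* Constructed sample CDBs for demonstration. */
    const uint8_t wb_download_save[10] = { 0x3B, 0x05 };                    /* mode 5 */
    const uint8_t wb_data[10]          = { 0x3B, 0x02 };                    /* plain data buffer */
    const uint8_t pt16_dl[16]          = { 0x85, [14] = ATA_DOWNLOAD_MICROCODE };
    const uint8_t pt12_identify[12]    = { 0xA1, [9]  = 0xEC };             /* IDENTIFY DEVICE */
    const uint8_t read10[10]           = { 0x28 };

    printf("WRITE BUFFER mode 5     -> %d\n", cdb_firmware_update_check(wb_download_save, 10));
    printf("WRITE BUFFER mode 2     -> %d\n", cdb_firmware_update_check(wb_data, 10));
    printf("ATA PT(16) DL MICROCODE -> %d\n", cdb_firmware_update_check(pt16_dl, 16));
    printf("ATA PT(12) IDENTIFY     -> %d\n", cdb_firmware_update_check(pt12_identify, 12));
    printf("READ(10)                -> %d\n", cdb_firmware_update_check(read10, 10));
    return 0;
}
```

The point the example makes is that the "packet inspector" is a few opcode and field comparisons, not deep parsing; the hard part, and the reason the check belongs in a kernel hook rather than in QEMU, is that a root process which can issue raw pass-through ioctls can send these bytes regardless of what the emulator's own code does.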