i just had an idea about a relatively simple hack to allow
kvm tools to work sanely in kaslr space, even if they're not
fully converted yet.

a secmodel overlay that has a way to allow a uid/gid combo
to retrieve the addresses, not just root, and then have that
combo set to */kvm.  then, kvm tools don't drop gid kvm until
after doing sysctl.

this would restrict the sysctls to gid kvm.

we still would have to audit the tools to ensure they do not
expose these addresses directly (ie, printf), but only use
them internally, but until functional parity is achieved it
would allow both security and usability today.

just an idea..


Reply via email to