On Wed, 2013-02-13 at 17:08 -0800, H. Peter Anvin wrote:
> Well, for at least things with device nodes (/dev/mem, /dev/msr and so
> on) it should be possible, no? ioperm() and iopl() are another matter.

Sure, if we can guarantee that a signed userspace loads a signed SELinux policy before any unsigned code runs. But, realistically, that's not going to be possible.

-- 
Matthew Garrett | mj...@srcf.ucam.org