i just had an idea about a relatively simple hack to allow kvm tools to work sanely in kaslr space, even if they're not fully converted yet.
a secmodel overlay that has a way to allow a uid/gid combo to retrieve the addresses, not just root, and then have that combo set to */kvm. then, kvm tools don't drop gid kvm until after doing sysctl. this would restrict the sysctls to gid kvm.

we still would have to audit the tools to ensure they do not expose these addresses directly (i.e., printf), but only use them internally, but until functional parity is achieved it would allow both security and usability today.

just an idea..

.mrg.