Hello.
I propose the following set of two patches for the cpucontrol module.
The first patch mainly reduces the set of permissions granted to the CPU
microcode updating application and slightly extends the corresponding
file contexts in order to support different possible locations (the
latter, in particular, is very widely open to discussion and comments, as,
for example, the standard location appears to be in /usr/local).
The second patch is somewhat optional and not necessarily recommended:
it aims to allow running the CPU microcode application not only as a
short-lived daemon at system bootup but also as a standalone application
that can be executed at any time.
I have only tested it with the application from
http://www.urbanmyth.org/microcode and without the actual microcode, as
I do not have any processor available from the other major vendor.
Kind regards,
Guido Trentalancia