For KVM, we've implemented SVirt. We don't trust the main userspace (qemu-kvm) process, and assume that it has been subverted by the guest. We contain it using SELinux rules.
http://selinuxproject.org/page/SVirt
This is now a standard feature in Fedora (since Fedora 11):
http://fedoraproject.org/wiki/Features/SVirt_Mandatory_Acces...