Re: [PATCH v3 1/4] block: Add trivial backing_fmt support to qcow, sheepdog, vmdk

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kevin Wolf <kwolf@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: Eric Blake <eblake@redhat.com>, Fam Zheng <fam@euphon.net>,
	pkrempa@redhat.com,
	"open list:Sheepdog" <sheepdog@lists.wpkg.org>,
	qemu-block@nongnu.org, libvir-list@redhat.com,
	Michael Tokarev <mjt@tls.msk.ru>,
	qemu-devel@nongnu.org, mreitz@redhat.com,
	"open list:Trivial patches" <qemu-trivial@nongnu.org>,
	Liu Yuan <namei.unix@gmail.com>,
	Laurent Vivier <laurent@vivier.eu>
Subject: Re: [PATCH v3 1/4] block: Add trivial backing_fmt support to qcow, sheepdog, vmdk
Date: Mon, 9 Mar 2020 16:57:13 +0100	[thread overview]
Message-ID: <20200309155713.GE6478@linux.fritz.box> (raw)
In-Reply-To: <20200309154412.GL3033513@redhat.com>

Am 09.03.2020 um 16:44 hat Daniel P. Berrangé geschrieben:
> We could support "-F ..." and validate any non-raw formats, while raising a
> runtime error in the case of "-F raw", as only the "raw" backing format has
> the probing security risk.
> 
> Users who need  to use qcow, with a backing file, without a format can
> just not pass "-F" and in doing so will be insecure.

Hm, this is actually an interesting option. We wouldn't lose features
compared to today without -F, but we would allow -F when we can verify
that the operation is safe (the image is already non-raw).

> We could take this opportunity to deprecate 'qcow' perhaps, declare it
> a read-only format, restricted to qemu-img/qemu-io for purpose of data
> liberation ?

I'm against making any format read-only because that immediately means
that it becomes untestable.

> For sheepdog, if it is something we genuinely still care about, then
> adding a backing file format record seems neccessary, unless we either
> forbid use of raw backing files, or forbid use of non-raw backing files,
> either way would be safe.

In case of doubt, we can use the same logic as you suggested for qcow
(accept only non-raw with -F, but no restrictions without -F).

Kevin

WARNING: multiple messages have this Message-ID (diff)

From: Kevin Wolf <kwolf@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: Fam Zheng <fam@euphon.net>,
	pkrempa@redhat.com,
	"open list:Sheepdog" <sheepdog@lists.wpkg.org>,
	qemu-block@nongnu.org, libvir-list@redhat.com,
	Michael Tokarev <mjt@tls.msk.ru>,
	qemu-devel@nongnu.org, mreitz@redhat.com,
	"open list:Trivial patches" <qemu-trivial@nongnu.org>,
	Liu Yuan <namei.unix@gmail.com>,
	Laurent Vivier <laurent@vivier.eu>
Subject: Re: [PATCH v3 1/4] block: Add trivial backing_fmt support to qcow, sheepdog, vmdk
Date: Mon, 9 Mar 2020 16:57:13 +0100	[thread overview]
Message-ID: <20200309155713.GE6478@linux.fritz.box> (raw)
In-Reply-To: <20200309154412.GL3033513@redhat.com>

Am 09.03.2020 um 16:44 hat Daniel P. Berrangé geschrieben:
> We could support "-F ..." and validate any non-raw formats, while raising a
> runtime error in the case of "-F raw", as only the "raw" backing format has
> the probing security risk.
> 
> Users who need  to use qcow, with a backing file, without a format can
> just not pass "-F" and in doing so will be insecure.

Hm, this is actually an interesting option. We wouldn't lose features
compared to today without -F, but we would allow -F when we can verify
that the operation is safe (the image is already non-raw).

> We could take this opportunity to deprecate 'qcow' perhaps, declare it
> a read-only format, restricted to qemu-img/qemu-io for purpose of data
> liberation ?

I'm against making any format read-only because that immediately means
that it becomes untestable.

> For sheepdog, if it is something we genuinely still care about, then
> adding a backing file format record seems neccessary, unless we either
> forbid use of raw backing files, or forbid use of non-raw backing files,
> either way would be safe.

In case of doubt, we can use the same logic as you suggested for qcow
(accept only non-raw with -F, but no restrictions without -F).

Kevin

next prev parent reply	other threads:[~2020-03-09 15:57 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-03-06 22:51 [PATCH v3 0/4] Tighten qemu-img rules on missing backing format Eric Blake
2020-03-06 22:51 ` [PATCH v3 1/4] block: Add trivial backing_fmt support to qcow, sheepdog, vmdk Eric Blake
2020-03-06 22:51   ` Eric Blake
2020-03-09 15:21   ` Kevin Wolf
2020-03-09 15:21     ` Kevin Wolf
2020-03-09 15:32     ` Eric Blake
2020-03-09 15:32       ` Eric Blake
2020-03-09 15:44       ` Daniel P. Berrangé
2020-03-09 15:52         ` Eric Blake
2020-03-09 15:57         ` Kevin Wolf [this message]
2020-03-09 15:57           ` Kevin Wolf
2020-03-09 15:48       ` Kevin Wolf
2020-03-09 15:48         ` Kevin Wolf
2020-03-09 15:55         ` Eric Blake
2020-03-09 15:55           ` Eric Blake
2020-03-09 15:36     ` Daniel P. Berrangé
2020-03-09 15:36       ` Daniel P. Berrangé
2020-03-09 15:50       ` Eric Blake
2020-03-06 22:51 ` [PATCH v3 2/4] iotests: Specify explicit backing format where sensible Eric Blake
2020-03-06 22:51 ` [PATCH v3 3/4] block: Add support to warn on backing file change without format Eric Blake
2020-03-06 22:51 ` [PATCH v3 4/4] qemu-img: Deprecate use of -b without -F Eric Blake
2020-03-09 15:31   ` Kashyap Chamarthy
2020-03-09 15:42     ` Eric Blake
2020-03-10  9:47       ` Kashyap Chamarthy
2020-03-10 12:15         ` Eric Blake
2020-03-10 14:53           ` Kashyap Chamarthy
2020-03-10 10:57       ` Kashyap Chamarthy
2020-03-10 12:17         ` Eric Blake
2020-03-10 12:19         ` Eric Blake
2020-03-10 14:50           ` Kashyap Chamarthy
2020-03-13 18:20     ` Eric Blake

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200309155713.GE6478@linux.fritz.box \
    --to=kwolf@redhat.com \
    --cc=berrange@redhat.com \
    --cc=eblake@redhat.com \
    --cc=fam@euphon.net \
    --cc=laurent@vivier.eu \
    --cc=libvir-list@redhat.com \
    --cc=mjt@tls.msk.ru \
    --cc=mreitz@redhat.com \
    --cc=namei.unix@gmail.com \
    --cc=pkrempa@redhat.com \
    --cc=qemu-block@nongnu.org \
    --cc=qemu-devel@nongnu.org \
    --cc=qemu-trivial@nongnu.org \
    --cc=sheepdog@lists.wpkg.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.