From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Daniel P. Berrangé" <berrange@redhat.com>,
"Pierrick Bouvier" <pierrick.bouvier@oss.qualcomm.com>,
"Thomas Huth" <thuth@redhat.com>,
"Cédric Le Goater" <clg@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Mauro Matteo Cascella" <mcascell@redhat.com>
Subject: [PULL 4/4] docs: outline some guidelines for security classification
Date: Tue, 7 Jul 2026 18:50:27 +0100 [thread overview]
Message-ID: <20260707175027.3029620-5-berrange@redhat.com> (raw)
In-Reply-To: <20260707175027.3029620-1-berrange@redhat.com>
Beyond the overall virt/non-virt use case classification, there are
a number of scenarios which we have decided will not be treated as
security issues. Start to document some of these to give consistency
in our treatment of incoming disclosures.
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Mauro Matteo Cascella <mcascell@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
docs/system/security.rst | 63 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 63 insertions(+)
diff --git a/docs/system/security.rst b/docs/system/security.rst
index 53992048e6..52bbf0cc7a 100644
--- a/docs/system/security.rst
+++ b/docs/system/security.rst
@@ -75,6 +75,69 @@ Bugs affecting the non-virtualization use case are not considered security
bugs at this time. Users with non-virtualization use cases must not rely on
QEMU to provide guest isolation or any security guarantees.
+Security boundary scope
+'''''''''''''''''''''''
+
+Even where a flaw affects the virtualization use case described above,
+not all scenarios will be considered in scope. The following guidelines
+are used to evaluate whether to apply the full security process, or treat
+an issue as a normal bug.
+
+* **assert** / **abort**. If triggering the code path requires kernel
+ privileges (or root account access) in the guest, asserts/aborts in
+ QEMU are a self inflicted denial of service. These will **not** be
+ treated as security flaws, at most hardening bugs. If triggering the
+ code path can be done by an unprivileged guest OS account, this
+ **may** justify handling as a security bug.
+
+* **vhost-user/vfio-user backends**. The backend processes have
+ shared memory regions co-mapped with the QEMU process. The intent
+ of the process separation is operational resilience & flexibility
+ and allowing for independent software suppliers. There is not
+ considered to be security boundary between QEMU and the vhost-user
+ & vfio-user backends. Thus flaws in the backends which can cause
+ crashes / undesirable behaviour in QEMU will **not** be treated as
+ security flaws, but should be fixed as hardening bugs.
+
+* **memory allocation bounds**. There are many ways in which a QEMU
+ process can legitimately consume an amount of memory that is
+ significantly larger than the assigned guest RAM. QEMU's worst
+ case memory usage should be considered effectively unbounded. As
+ such the QEMU deployment on the host should account for the
+ possibility of large memory peaks and apply countermeasures to
+ provide continuity of host operations. It is typical for the Linux
+ OOM killer to reap the process triggering host memory overcommit
+ in the case of exccessive usage, offering a degree of protection.
+ As such, bugs which can lead to excessive/unbounded memory allocations
+ will usually not be classified as security flaws, but should be
+ fixed as hardening bugs.
+
+* **degraded guest behaviour**. There are a set of bugs which can
+ lead guest hardware devices to misbehave. For example, a flawed
+ virtual IOMMU operation may not offer the guest device isolation
+ that would otherwise be expected. If a guest triggered exploit
+ requires kernel privileges (or root account access), and leads
+ to sub-optimal behaviour of the virtual device this is considered
+ a self inflicted service degradation. These will **not** be
+ treated as security flaws, at most hardening bugs. If triggering
+ the code path can be done by an unprivileged guest OS account,
+ this may justify handling as a security bug.
+
+* **nested virtualization**. The scope for nested virtualization
+ is to prevent a level 2 guest from breaking out into a level
+ 1 guest. As noted above, a number of scenarios exclude security
+ handling for flaws only exploitable by the guest kernel / root
+ account with affect the guest's own service/availability. In the
+ context of nested virtualization with PCI device assignment, it
+ may may be possible for a level 2 guest kernel to trigger flaws
+ that affect the level 0 QEMU process. While these bugs should be
+ fixed, they will not be triaged as security flaws at this time.
+
+* **low severity impact**. As a catch all rule, issues which
+ are judged to have a "low" severity impact on the system will
+ usually not justify handling as security bugs, nor assignment
+ of CVEs. They will be fixed as routine bugs when time allows.
+
Architecture
------------
--
2.55.0
next prev parent reply other threads:[~2026-07-07 17:52 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-07 17:50 [PULL 0/4] Misc patches queues Daniel P. Berrangé
2026-07-07 17:50 ` [PULL 1/4] crypto/x509-utils: fix gnutls error code in crt_init failure path Daniel P. Berrangé
2026-07-07 17:50 ` [PULL 2/4] util/filemonitor-inotify: Use QEMU_LOCK_GUARD() Daniel P. Berrangé
2026-07-07 17:50 ` [PULL 3/4] io/channel-socket: Document why we can ignore socket_set_cork() errors Daniel P. Berrangé
2026-07-07 17:50 ` Daniel P. Berrangé [this message]
2026-07-09 5:22 ` [PULL 4/4] docs: outline some guidelines for security classification Michael S. Tsirkin
2026-07-09 5:52 ` Michael S. Tsirkin
2026-07-09 8:03 ` [PULL 0/4] Misc patches queues Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260707175027.3029620-5-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=clg@redhat.com \
--cc=mcascell@redhat.com \
--cc=mst@redhat.com \
--cc=pierrick.bouvier@oss.qualcomm.com \
--cc=qemu-devel@nongnu.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.