From: Markus Armbruster <armbru@redhat.com>
To: Gerd Hoffmann <kraxel@redhat.com>
Cc: qemu-devel@nongnu.org, "Paolo Bonzini" <pbonzini@redhat.com>,
"Eduardo Habkost" <eduardo@habkost.net>,
"Eric Blake" <eblake@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>
Subject: Re: [PATCH v3 4/4] qdev: add device policy [RfC]
Date: Wed, 12 Jun 2024 10:30:21 +0200 [thread overview]
Message-ID: <87le3aftr6.fsf@pond.sub.org> (raw)
In-Reply-To: <20240606143010.1318226-5-kraxel@redhat.com> (Gerd Hoffmann's message of "Thu, 6 Jun 2024 16:30:10 +0200")
Gerd Hoffmann <kraxel@redhat.com> writes:
> Add policies for devices which are deprecated or not secure.
> There are three options: allow, warn and deny.
>
> It's implemented for devices only. Devices will probably be the main
> user of this. Also object_new() can't fail as of today so it's a bit
> hard to implement policy checking at object level, especially the 'deny'
> part of it.
>
> TODO: add a command line option to actually set these policies.
>
> Comments are welcome.
>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
> hw/core/qdev.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 59 insertions(+), 1 deletion(-)
>
> diff --git a/hw/core/qdev.c b/hw/core/qdev.c
> index f3a996f57dee..0c4e5cec743c 100644
> --- a/hw/core/qdev.c
> +++ b/hw/core/qdev.c
> @@ -43,6 +43,15 @@
> static bool qdev_hot_added = false;
> bool qdev_hot_removed = false;
>
> +enum qdev_policy {
> + QDEV_ALLOW = 0,
> + QDEV_WARN = 1,
> + QDEV_DENY = 2,
> +};
> +
> +static enum qdev_policy qdev_deprecated_policy;
> +static enum qdev_policy qdev_not_secure_policy;
> +
> const VMStateDescription *qdev_get_vmsd(DeviceState *dev)
> {
> DeviceClass *dc = DEVICE_GET_CLASS(dev);
> @@ -144,6 +153,43 @@ bool qdev_set_parent_bus(DeviceState *dev, BusState *bus, Error **errp)
> return true;
> }
>
> +static bool qdev_class_check(const char *name, ObjectClass *oc)
> +{
> + bool allow = true;
> +
> + if (oc->deprecated) {
> + switch (qdev_deprecated_policy) {
> + case QDEV_WARN:
> + warn_report("device \"%s\" is deprecated", name);
> + break;
> + case QDEV_DENY:
> + error_report("device \"%s\" is deprecated", name);
> + allow = false;
> + break;
> + default:
> + /* nothing */
> + break;
> + }
> + }
> +
> + if (oc->not_secure) {
> + switch (qdev_not_secure_policy) {
> + case QDEV_WARN:
> + warn_report("device \"%s\" is not secure", name);
> + break;
> + case QDEV_DENY:
> + error_report("device \"%s\" is not secure", name);
> + allow = false;
> + break;
> + default:
> + /* nothing */
> + break;
> + }
> + }
> +
> + return allow;
> +}
> +
> DeviceState *qdev_new(const char *name)
> {
> ObjectClass *oc = object_class_by_name(name);
> @@ -162,14 +208,26 @@ DeviceState *qdev_new(const char *name)
> error_report("unknown type '%s'", name);
> abort();
> }
> +
> + if (!qdev_class_check(name, oc)) {
Anti-pattern: use of error_report() from within a function that returns
an error via Error **errp argument.
One such call chain: QMP core -> qmp_device_add() -> qdev_device_add()
-> qdev_device_add_from_qdict() -> qdev_new(). Your error message goes
to stderr, which is wrong.
> + exit(1);
Worse, QMP command device_add can now kill the guest instantly.
You need to lift the check up the call chains some.
> + }
> +
> return DEVICE(object_new(name));
> }
>
> DeviceState *qdev_try_new(const char *name)
> {
> - if (!module_object_class_by_name(name)) {
> + ObjectClass *oc = module_object_class_by_name(name);
> +
> + if (!oc) {
> return NULL;
> }
> +
> + if (!qdev_class_check(name, oc)) {
> + return NULL;
> + }
> +
> return DEVICE(object_new(name));
> }
next prev parent reply other threads:[~2024-06-12 8:30 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-06 14:30 [PATCH v3 0/4] allow to deprecate objects and devices Gerd Hoffmann
2024-06-06 14:30 ` [PATCH v3 1/4] qom: allow to mark objects as deprecated or not secure Gerd Hoffmann
2024-06-06 14:38 ` Daniel P. Berrangé
2024-06-07 6:24 ` Philippe Mathieu-Daudé
2024-06-12 11:07 ` Markus Armbruster
2024-06-12 11:24 ` Daniel P. Berrangé
2024-06-12 11:44 ` Markus Armbruster
2024-06-06 14:30 ` [PATCH v3 2/4] usb/hub: mark as deprecated Gerd Hoffmann
2024-06-06 14:41 ` Daniel P. Berrangé
2024-06-12 15:52 ` Alex Bennée
2024-06-13 8:31 ` Markus Armbruster
2024-06-13 8:34 ` Daniel P. Berrangé
2024-06-13 10:38 ` Markus Armbruster
2024-06-13 10:48 ` Daniel P. Berrangé
2024-06-13 14:49 ` Alex Bennée
2024-06-14 7:03 ` Gerd Hoffmann
2024-06-13 8:44 ` Daniel P. Berrangé
2024-06-14 8:40 ` Gerd Hoffmann
2024-06-06 14:30 ` [PATCH v3 3/4] vga/cirrus: mark as not secure Gerd Hoffmann
2024-06-06 14:37 ` Daniel P. Berrangé
2024-06-06 14:30 ` [PATCH v3 4/4] qdev: add device policy [RfC] Gerd Hoffmann
2024-06-06 14:49 ` Peter Maydell
2024-06-12 8:30 ` Markus Armbruster [this message]
2024-06-12 11:40 ` [PATCH v3 0/4] allow to deprecate objects and devices Markus Armbruster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87le3aftr6.fsf@pond.sub.org \
--to=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=eblake@redhat.com \
--cc=eduardo@habkost.net \
--cc=kraxel@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.