[Qemu-devel] [PATCH v8 6/9] module: add configurable module whitelist

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Fam Zheng <famz@redhat.com>
To: qemu-devel@nongnu.org
Cc: peter.maydell@linaro.org, famz@redhat.com, mjt@tls.msk.ru,
	alex@alex.org.uk, pbonzini@redhat.com, vilanova@ac.upc.edu,
	rth@twiddle.net
Subject: [Qemu-devel] [PATCH v8 6/9] module: add configurable module whitelist
Date: Fri, 13 Sep 2013 16:38:51 +0800	[thread overview]
Message-ID: <1379061534-19171-7-git-send-email-famz@redhat.com> (raw)
In-Reply-To: <1379061534-19171-1-git-send-email-famz@redhat.com>

Accept configure option "--enable-modules=L", to restrict qemu to only
load whitelisted modules.

Signed-off-by: Fam Zheng <famz@redhat.com>
---
 configure             | 12 +++++++++++-
 rules.mak             |  7 ++++++-
 scripts/create_config |  7 +++++++
 util/module.c         | 16 ++++++++++++++++
 4 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/configure b/configure
index 3043059..01e3665 100755
--- a/configure
+++ b/configure
@@ -652,7 +652,9 @@ for opt do
   ;;
   --disable-debug-info)
   ;;
-  --enable-modules) modules="yes"
+  --enable-modules|--enable-modules=*)
+      modules="yes"
+      module_list=`echo "$optarg" | sed -e 's/,/ /g'`
   ;;
   --cpu=*)
   ;;
@@ -1060,6 +1062,8 @@ echo "  --sysconfdir=PATH        install config in PATH$confsuffix"
 echo "  --localstatedir=PATH     install local state in PATH (set at runtime on win32)"
 echo "  --with-confsuffix=SUFFIX suffix for QEMU data inside datadir and sysconfdir [$confsuffix]"
 echo "  --enable-modules         enable modules support"
+echo "  --enable-modules=L       enable modules and provide a whitelist"
+echo "                           Available modules: curl iscsi gluster ssh rbd"
 echo "  --enable-debug-tcg       enable TCG debugging"
 echo "  --disable-debug-tcg      disable TCG debugging (default)"
 echo "  --enable-debug-info       enable debugging information (default)"
@@ -3590,6 +3594,9 @@ if test "$slirp" = "yes" ; then
     echo "smbd              $smbd"
 fi
 echo "module support    $modules"
+if test -n "$module_list"; then
+    echo "module whitelist  $module_list"
+fi
 echo "host CPU          $cpu"
 echo "host big endian   $bigendian"
 echo "target list       $target_list"
@@ -3711,6 +3718,9 @@ echo "ARCH=$ARCH" >> $config_host_mak
 echo "CONFIG_FINGERPRINT=$(date +%s$$$RANDOM)" >> $config_host_mak
 if test "$modules" = "yes"; then
   echo "CONFIG_MODULES=y" >> $config_host_mak
+  if test -n "$module_list"; then
+      echo "CONFIG_MODULE_WHITELIST=$module_list" >> $config_host_mak
+  fi
 fi
 case "$cpu" in
   arm|i386|x86_64|x32|ppc|aarch64)
diff --git a/rules.mak b/rules.mak
index 0670366..e5529da 100644
--- a/rules.mak
+++ b/rules.mak
@@ -165,13 +165,18 @@ $(if $(nested-dirs),
   $(call unnest-vars-1))
 endef
 
+is-whitelisted = $(if $(CONFIG_MODULE_WHITELIST),$(strip \
+    $(filter $(CONFIG_MODULE_WHITELIST),$(basename $(notdir $1)))),\
+	yes)
 define add-modules
 $(foreach o,$(filter %.o,$($1)),
 	$(eval $(patsubst %.o,%.mo,$o): $o) \
 	$(eval $(patsubst %.o,%.mo,$o)-objs := $o))
 $(foreach o,$(filter %.mo,$($1)),$(eval \
     $o: $($o-objs)))
-$(eval modules-m += $(patsubst %.o,%.mo,$($1)))
+$(eval t := $(patsubst %.o,%.mo,$($1)))
+$(foreach o,$t,$(if $(call is-whitelisted,$o),$(eval \
+	modules-m += $o)))
 endef
 
 define unnest-vars
diff --git a/scripts/create_config b/scripts/create_config
index ecc5d4d..ab430c7 100755
--- a/scripts/create_config
+++ b/scripts/create_config
@@ -37,6 +37,13 @@ case $line in
  CONFIG_MODULES=*)
     echo "#define CONFIG_MODULES \"${line#*=}\""
     ;;
+ CONFIG_MODULE_WHITELIST=*)
+    echo "#define CONFIG_MODULE_WHITELIST\\"
+    for mod in ${line#*=}; do
+      echo "    \"${mod}\",\\"
+    done
+    echo "    NULL"
+    ;;
  CONFIG_AUDIO_DRIVERS=*)
     drivers=${line#*=}
     echo "#define CONFIG_AUDIO_DRIVERS \\"
diff --git a/util/module.c b/util/module.c
index 9135c14..cb882f0 100644
--- a/util/module.c
+++ b/util/module.c
@@ -124,7 +124,14 @@ void module_load(module_load_type type)
     const char *path;
     char *fname = NULL;
     DIR *dp;
+#ifdef CONFIG_MODULE_WHITELIST
+    const char **mp;
+    const char *module_whitelist[] = {
+        CONFIG_MODULE_WHITELIST
+    };
+#else
     struct dirent *ep = NULL;
+#endif
 
     if (!g_module_supported()) {
         return;
@@ -149,10 +156,19 @@ void module_load(module_load_type type)
         fprintf(stderr, "Failed to open dir %s\n", path);
         return;
     }
+#ifdef CONFIG_MODULE_WHITELIST
+    for (mp = &module_whitelist[0]; *mp; mp++) {
+        fname = g_strdup_printf("%s%s" HOST_DSOSUF, path, *mp);
+        module_load_file(fname);
+        g_free(fname);
+    }
+#else
     for (ep = readdir(dp); ep; ep = readdir(dp)) {
         fname = g_strdup_printf("%s%s", path, ep->d_name);
         module_load_file(fname);
         g_free(fname);
     }
 #endif
+
+#endif
 }
-- 
1.8.3.1

next prev parent reply	other threads:[~2013-09-13  8:40 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-09-13  8:38 [Qemu-devel] [PATCH v8 0/9] Shared Library Module Support Fam Zheng
2013-09-13  8:38 ` [Qemu-devel] [PATCH v8 1/9] ui/Makefile.objs: delete unnecessary cocoa.o dependency Fam Zheng
2013-09-13  8:38 ` [Qemu-devel] [PATCH v8 2/9] make.rule: fix $(obj) to a real relative path Fam Zheng
2013-09-13  8:38 ` [Qemu-devel] [PATCH v8 3/9] rule.mak: allow per object cflags and libs Fam Zheng
2013-09-13  8:38 ` [Qemu-devel] [PATCH v8 4/9] build-sys: introduce common-obj-m and block-obj-m for DSO Fam Zheng
2013-09-13  8:38 ` [Qemu-devel] [PATCH v8 5/9] module: implement module loading function Fam Zheng
2013-09-13  9:56   ` Alex Bligh
2013-09-13 10:02     ` Paolo Bonzini
2013-09-13 10:38       ` Alex Bligh
2013-09-13 10:05     ` Fam Zheng
2013-09-13  8:38 ` Fam Zheng [this message]
2013-09-13  9:03   ` [Qemu-devel] [PATCH v8 6/9] module: add configurable module whitelist Daniel P. Berrange
2013-09-13  9:57     ` Fam Zheng
2013-09-13  8:38 ` [Qemu-devel] [PATCH v8 7/9] Makefile: install modules with "make install" Fam Zheng
2013-09-13  8:38 ` [Qemu-devel] [PATCH v8 8/9] .gitignore: ignore module related files (dll, so, mo) Fam Zheng
2013-09-13  8:38 ` [Qemu-devel] [PATCH v8 9/9] block: convert block drivers linked with libs to modules Fam Zheng

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:3043059 dfblob:01e3665 dfblob:0670366 dfblob:e5529da
dfblob:ecc5d4d dfblob:ab430c7 dfblob:9135c14 dfblob:cb882f0 )
 OR (
bs:"[Qemu-devel] [PATCH v8 6/9] module: add configurable module whitelist" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1379061534-19171-7-git-send-email-famz@redhat.com \
    --to=famz@redhat.com \
    --cc=alex@alex.org.uk \
    --cc=mjt@tls.msk.ru \
    --cc=pbonzini@redhat.com \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-devel@nongnu.org \
    --cc=rth@twiddle.net \
    --cc=vilanova@ac.upc.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).