Re: [Qemu-devel][PATCH] Qemu image over raw devices

["Daniel P. Berrange" <berrange@redhat.com>]

On Tue, Dec 16, 2008 at 10:40:03AM +0100, Kevin Wolf wrote:
> Shahar Frank schrieb:
> > ----- "Kevin Wolf" <kwolf@suse.de> wrote:
> > 
> >> Shahar Frank schrieb:
> >>> The following patch enables QEMU to create and use images with any
> >>> format on top of a raw device. Note that -f <format> is not enough
> >> for
> >>> bcking files support.
> >> When would I need to explicitly specify the type of a backing file?
> > 
> > The patch doesn't allow you to specify a type (image format). It allows you to force probing. This is done to override the default block-device => raw semantics.
> 
> Ok, I see. But didn't we want to get rid of the probing whenever
> possible because you can't tell raw files from whatever other format
> reliably?

Autoprobing of formats is usally a security flaw. ie, host admin configures
the guest with raw file, but autoprobing is enabled.  Guest admin now
writes magic into their disk to match the qcow header and reboots, qemu
now autoprobes the guest's disk as a grow on demand qcow format, letting
them basically create any size disk they like beyond the initial raw file
allocation. Even worse the guest could admin could have written a backing 
file location into the header and thus more or less get access to any file
they  like on the host. Autoprobing: just say no.

NB, I'm talking about context of qemu here, not qemu-img which is all
under host admin's control anyway so not an issue.

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|