Date: Fri, 15 Aug 2014 09:25:14 -0400
From: Jeff Cody
Message-ID: <20140815132514.GD2399@localhost.localdomain>
In-Reply-To: <53EE0763.2040400@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 0/3] vpc: support probing of fixed size images
To: Eric Blake
Cc: Kevin Wolf, Levente Kurusa, Fam Zheng, QEMU Developers, Stefan Weil, Andrew Jones, Markus Armbruster, Stefan Hajnoczi

On Fri, Aug 15, 2014 at 07:13:07AM -0600, Eric Blake wrote:
> On 08/15/2014 06:28 AM, Jeff Cody wrote:
>
> > I worry that will subtly alter current behavior in bad ways. For
> > instance, take this image chain:
> >
> > qemu-img create -f qcow2 foo.img 1G
> > qemu-img create -f qcow2 -b foo.img bar.img 1G
> >
> > qemu-kvm -drive file=bar.img,format=qcow2
> >
> >
> > If I understand correctly what you are proposing, that means that
> > qemu-kvm would detect 'foo.img' as raw, while current behavior is to
> > detect it as 'qcow2'.
> >
>
> Libvirt ALREADY defaults to detecting foo.img as raw, and refuses to
> grant SELinux permissions for qemu to read bar.img, which causes qemu to
> fail to start due to missing permissions. All because probing is deemed
> too dangerous (a probe that results in an answer of "raw" is
> trustworthy, a probe that results in any other answer is suspect if the
> file has any remote chance of having once been raw).
>
> > Although if we do that in conjunction with what Kevin proposed (forbid
> > probing on raw), it would behave 'properly', and bail out before doing
> > something bad. That could be OK.
>
> The problem is that you can't forbid probing on raw without forbidding
> probing almost everywhere. Again, an answer of "raw" is trustworthy, it
> is ALL OTHER answers that are suspect.
>
>

I agree that raw is trustworthy (as in, the safest default). My point
is that I think that silently changing behavior on existing chains
(not everyone uses libvirt and selinux rules) would be bad for
existing users. I think it best to explicitly warn, and then
deprecate.
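
Added example, not part of the original message and not QEMU's or libvirt's probing code: a simplified content probe plus a resolver that lets an explicit format win and warns whenever a probed answer is anything other than raw, the trust asymmetry discussed in this thread. The function names, the sample header layout offset and the warning texts are assumptions made for illustration.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"   # first four bytes of a qcow2 header
VPC_COOKIE = b"conectix"   # cookie that opens a VHD (vpc) footer

def probe(head: bytes, tail: bytes = b"") -> dict:
    """Guess a format from content alone (simplified; qcow2 and vpc only)."""
    if head[:4] == QCOW2_MAGIC and len(head) >= 20:
        # Big-endian: version (u32), backing_file_offset (u64), backing_file_size (u32)
        _version, off, size = struct.unpack(">IQI", head[4:20])
        backing = None
        if off and off + size <= len(head):
            backing = head[off:off + size].decode("utf-8", "replace")
        return {"format": "qcow2", "backing": backing}
    # Dynamic VHDs repeat the footer at offset 0; fixed ones only end with it.
    if head[:8] == VPC_COOKIE or tail[-512:][:8] == VPC_COOKIE:
        return {"format": "vpc", "backing": None}
    return {"format": "raw", "backing": None}

def resolve_format(declared, head: bytes, tail: bytes = b""):
    """Return (format_to_use, warnings). The content is never trusted silently."""
    guess = probe(head, tail)
    warnings = []
    if declared is not None:
        # An explicit format always wins; a mismatch is only reported.
        if declared == "raw" and guess["format"] != "raw":
            warnings.append("declared raw, content resembles %s (backing=%r); "
                            "treated as raw" % (guess["format"], guess["backing"]))
        return declared, warnings
    if guess["format"] != "raw":
        # Warn-then-deprecate stance: keep the probed answer, but say so loudly.
        warnings.append("no format given, probed %s; specify the format "
                        "explicitly" % guess["format"])
    return guess["format"], warnings

def sample_qcow2_head(backing: bytes = b"foo.img") -> bytes:
    """Constructed sample bytes: a qcow2-looking header naming a backing file."""
    off = 104  # assumed position of the backing file name in this sample
    hdr = QCOW2_MAGIC + struct.pack(">IQI", 3, off, len(backing))
    return hdr.ljust(off, b"\0") + backing

if __name__ == "__main__":
    fixed_vpc_tail = b"\0" * 1024 + VPC_COOKIE + b"\0" * 504  # constructed sample
    for declared, head, tail in [("raw", sample_qcow2_head(), b""),
                                 (None, sample_qcow2_head(), b""),
                                 (None, b"\0" * 512, fixed_vpc_tail),
                                 (None, b"\0" * 512, b"")]:
        print(declared, resolve_format(declared, head, tail))
```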