Date: Fri, 31 Oct 2014 12:56:39 +0100
From: Kevin Wolf
Message-ID: <20141031115639.GD4496@noname.str.redhat.com>
References: <1414512220-19058-1-git-send-email-armbru@redhat.com> <1414512220-19058-3-git-send-email-armbru@redhat.com> <5452001E.9070907@redhat.com> <20141030092722.GB30746@stefanha-thinkpad.redhat.com> <20141030093635.GB9097@noname.str.redhat.com> <20141031112423.GE10332@stefanha-thinkpad.redhat.com>
In-Reply-To: <20141031112423.GE10332@stefanha-thinkpad.redhat.com>
Subject: Re: [Qemu-devel] [PATCH RFC 2/2] block: Warn on insecure format probing
To: Stefan Hajnoczi
Cc: qemu-devel@nongnu.org, jcody@redhat.com, Markus Armbruster, Max Reitz

On 31.10.2014 at 12:24, Stefan Hajnoczi wrote:
> On Thu, Oct 30, 2014 at 10:36:35AM +0100, Kevin Wolf wrote:
> > On 30.10.2014 at 10:27, Stefan Hajnoczi wrote:
> > > The guest may legitimately use raw devices that contain image format
> > > data. Imagine tools similar to libguestfs.
> > >
> > > It's perfectly okay for them to lay out image format data onto a raw
> > > device.
> > >
> > > Probing is the problem, not putting image format data onto a raw device.
> >
> > Agreed, that's why any restrictions only apply when probing was used to
> > detect a raw image. If you want to do anything exotic like storing a
> > qcow2 image for nested virt on a disk that is a raw image in the host,
> > then making sure to pass format=raw shouldn't be too much.
>
> Because at that point the solution is way over-engineered.
>
> Probing checks should be in the QEMU command-line code, not sprinkled
> across the codebase and even at run-time.
>
> Isn't Markus's approach much simpler and cleaner?

I don't think so. My code isn't "sprinkled across the codebase", it has
the checks right where the problem arises, in the raw block driver.

It's with Markus's approach that we'll have to have code in many
different places, as I showed. Its fundamental assumption that there is
always a filename string and the filename isn't passed in some QDict
option is simply wrong. Specifying the image is driver-dependent and
therefore you'd have to add functionality to each driver in order to get
the filename extension (or the information that there isn't anything
close enough to a filename).

The only argument brought up so far that I can reasonably buy is that
in the unlikely case of the restrictions applying it may be surprising
for the user to see requests failing. To address this, we could print a
warning when an image is opened in the "restricted raw" mode. This way
the user knows what's going on, and at the same time we still
effectively protect them instead of only printing a warning without real
protection.
Kevin
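As an added illustration of the "restricted raw" mode discussed in this thread (example code written for this page; it is neither QEMU's code nor Kevin's patch): the probe is simplified to recognise only the qcow2 magic, and the names probe_format, raw_open, raw_write, FMT_RAW, FMT_QCOW2 and struct raw_image are made up for the example. A raw image whose format was guessed by probing (probed == true) refuses a guest write that would make its first sector probe as another format and returns -EPERM, which is the "requests failing" case Kevin mentions; the same write on an image opened with an explicit format=raw goes through. As a design choice of this example, the check runs on the resulting first sector rather than on the written bytes alone, so a short write that completes a magic already partly on disk is also caught.

```c
/*
 * Illustration only (not QEMU code): "restricted raw" mode.  A raw image
 * whose format was guessed by probing refuses guest writes that would make
 * its first sector probe as a different format.  Simplified probe: only the
 * qcow2 magic is recognised; a real probe covers many more formats.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512
#define IMAGE_SIZE  (4 * SECTOR_SIZE)  /* tiny constructed disk */

enum image_format { FMT_RAW = 0, FMT_QCOW2 = 1 };

struct raw_image {
    uint8_t disk[IMAGE_SIZE];
    bool probed;  /* true if the format was guessed instead of given */
};

/* Format the probe would pick for a buffer holding the first sector.
 * qcow2: magic "QFI\xfb" at offset 0, big-endian version (2 or 3) at 4. */
enum image_format probe_format(const uint8_t *buf, size_t len)
{
    if (len >= 8 && memcmp(buf, "QFI\xfb", 4) == 0) {
        uint32_t version = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16)
                         | ((uint32_t)buf[6] << 8)  | (uint32_t)buf[7];
        if (version == 2 || version == 3) {
            return FMT_QCOW2;
        }
    }
    return FMT_RAW;
}

/* Open: with no explicit format, guess by probing and remember that we did.
 * A probed raw image is the restricted case; warn so the user knows. */
enum image_format raw_open(struct raw_image *img, const char *format_arg)
{
    if (format_arg != NULL) {
        img->probed = false;
        return strcmp(format_arg, "qcow2") == 0 ? FMT_QCOW2 : FMT_RAW;
    }
    img->probed = true;
    enum image_format fmt = probe_format(img->disk, SECTOR_SIZE);
    if (fmt == FMT_RAW) {
        fprintf(stderr, "warning: image format guessed as raw; guest writes "
                        "that would change the probed format are refused "
                        "(pass format=raw to allow them)\n");
    }
    return fmt;
}

/* Guest write.  In probed mode a write touching sector 0 is checked against
 * the *resulting* first sector, not just the payload, so a few bytes that
 * complete a magic already partly present are caught too. */
int raw_write(struct raw_image *img, uint64_t offset, const uint8_t *data,
              size_t len)
{
    if (offset > IMAGE_SIZE || len > IMAGE_SIZE - offset) {
        return -EINVAL;
    }
    if (img->probed && offset < SECTOR_SIZE) {
        uint8_t sector[SECTOR_SIZE];
        size_t n = len < SECTOR_SIZE - offset ? len : SECTOR_SIZE - offset;
        memcpy(sector, img->disk, SECTOR_SIZE);
        memcpy(sector + offset, data, n);
        if (probe_format(sector, SECTOR_SIZE) != FMT_RAW) {
            fprintf(stderr, "error: write refused: it would turn this probed "
                            "raw image into a different format\n");
            return -EPERM;
        }
    }
    memcpy(img->disk + offset, data, len);
    return 0;
}

/* Constructed qcow2-looking header: magic followed by version 3. */
static const uint8_t qcow2_header[8] = { 'Q', 'F', 'I', 0xfb, 0, 0, 0, 3 };

int main(void)
{
    struct raw_image img;
    memset(&img, 0, sizeof(img));
    raw_open(&img, NULL);                                    /* probed: raw */
    int r_probed   = raw_write(&img, 0, qcow2_header, 8);    /* -EPERM      */
    int r_sector1  = raw_write(&img, SECTOR_SIZE, qcow2_header, 8); /* 0   */
    raw_open(&img, "raw");                                   /* explicit    */
    int r_explicit = raw_write(&img, 0, qcow2_header, 8);    /* 0           */
    printf("probed=%d sector1=%d explicit=%d\n", r_probed, r_sector1, r_explicit);
    return 0;
}
```

The probed-mode refusal only ever applies to writes overlapping the first sector; everything else on the disk is untouched by the check, which is why the restriction is cheap and why an explicit format=raw is all that is needed to switch it off for the libguestfs-style use Stefan describes.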