From: "Richard W.M. Jones" <rjones@redhat.com>
To: Nir Soffer <nirsof@gmail.com>
Cc: qemu-devel@nongnu.org, eblake@redhat.com, pbonzini@redhat.com,
kwolf@redhat.com, mreitz@redhat.com, qemu-block@nongnu.org
Subject: Re: [Qemu-devel] [PATCH 1/3] nbd: Add option to disallow listing exports
Date: Fri, 13 Apr 2018 22:07:58 +0100 [thread overview]
Message-ID: <20180413210757.GA2209@redhat.com> (raw)
In-Reply-To: <20180413192605.2145-2-nirsof@gmail.com>
On Fri, Apr 13, 2018 at 10:26:03PM +0300, Nir Soffer wrote:
> When a management application expose images using qemu-nbd, it needs a
> secure way to allow temporary access to the disk. Using a random export
> name can solve this problem:
>
> nbd://server:10809/22965f19-9ab5-4d18-94e1-cbeb321fa433
>
> Assuming that the url is passed to the user in a secure way, and the
> user is using TLS to access the image.
>
> However, since qemu-nbd implements NBD_OPT_LIST, anyone can easily find
> the secret export:
>
> $ nbd-client -l server 10809
> Negotiation: ..
> 22965f19-9ab5-4d18-94e1-cbeb321fa433
>
> Add a new --nolist option, disabling listing, similar the "allowlist"
> nbd-server configuration option.
>
> When used, listing exports will fail like this:
>
> $ nbd-client -l localhost 10809
> Negotiation: ..
>
> E: listing not allowed by server.
> Server said: Listing exports is forbidden
>
> Signed-off-by: Nir Soffer <nirsof@gmail.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
The code looks good to me too, so ACK.
Rich.
> blockdev-nbd.c | 2 +-
> include/block/nbd.h | 1 +
> nbd/server.c | 7 +++++++
> qemu-nbd.c | 9 ++++++++-
> qemu-nbd.texi | 2 ++
> 5 files changed, 19 insertions(+), 2 deletions(-)
>
> diff --git a/blockdev-nbd.c b/blockdev-nbd.c
> index 65a84739ed..b9a885dc4b 100644
> --- a/blockdev-nbd.c
> +++ b/blockdev-nbd.c
> @@ -37,7 +37,7 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
> {
> qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server");
> nbd_client_new(NULL, cioc,
> - nbd_server->tlscreds, NULL,
> + nbd_server->tlscreds, NULL, true,
> nbd_blockdev_client_closed);
> }
>
> diff --git a/include/block/nbd.h b/include/block/nbd.h
> index fcdcd54502..5c6b6272a0 100644
> --- a/include/block/nbd.h
> +++ b/include/block/nbd.h
> @@ -308,6 +308,7 @@ void nbd_client_new(NBDExport *exp,
> QIOChannelSocket *sioc,
> QCryptoTLSCreds *tlscreds,
> const char *tlsaclname,
> + bool allow_list,
> void (*close_fn)(NBDClient *, bool));
> void nbd_client_get(NBDClient *client);
> void nbd_client_put(NBDClient *client);
> diff --git a/nbd/server.c b/nbd/server.c
> index 9e1f227178..7b91922d1d 100644
> --- a/nbd/server.c
> +++ b/nbd/server.c
> @@ -115,6 +115,7 @@ struct NBDClient {
>
> bool structured_reply;
> NBDExportMetaContexts export_meta;
> + bool allow_list;
>
> uint32_t opt; /* Current option being negotiated */
> uint32_t optlen; /* remaining length of data in ioc for the option being
> @@ -1032,6 +1033,10 @@ static int nbd_negotiate_options(NBDClient *client, uint16_t myflags,
> case NBD_OPT_LIST:
> if (length) {
> ret = nbd_reject_length(client, false, errp);
> + } else if (!client->allow_list) {
> + ret = nbd_negotiate_send_rep_err(client,
> + NBD_REP_ERR_POLICY, errp,
> + "Listing exports is forbidden");
> } else {
> ret = nbd_negotiate_handle_list(client, errp);
> }
> @@ -2141,6 +2146,7 @@ void nbd_client_new(NBDExport *exp,
> QIOChannelSocket *sioc,
> QCryptoTLSCreds *tlscreds,
> const char *tlsaclname,
> + bool allow_list,
> void (*close_fn)(NBDClient *, bool))
> {
> NBDClient *client;
> @@ -2158,6 +2164,7 @@ void nbd_client_new(NBDExport *exp,
> object_ref(OBJECT(client->sioc));
> client->ioc = QIO_CHANNEL(sioc);
> object_ref(OBJECT(client->ioc));
> + client->allow_list = allow_list;
> client->close_fn = close_fn;
>
> co = qemu_coroutine_create(nbd_co_client_start, client);
> diff --git a/qemu-nbd.c b/qemu-nbd.c
> index 0af0560ad1..b63d4d9e8b 100644
> --- a/qemu-nbd.c
> +++ b/qemu-nbd.c
> @@ -52,6 +52,7 @@
> #define QEMU_NBD_OPT_TLSCREDS 261
> #define QEMU_NBD_OPT_IMAGE_OPTS 262
> #define QEMU_NBD_OPT_FORK 263
> +#define QEMU_NBD_OPT_NOLIST 264
>
> #define MBR_SIZE 512
>
> @@ -66,6 +67,7 @@ static int shared = 1;
> static int nb_fds;
> static QIONetListener *server;
> static QCryptoTLSCreds *tlscreds;
> +static bool allow_list = true;
>
> static void usage(const char *name)
> {
> @@ -86,6 +88,7 @@ static void usage(const char *name)
> " -v, --verbose display extra debugging information\n"
> " -x, --export-name=NAME expose export by name\n"
> " -D, --description=TEXT with -x, also export a human-readable description\n"
> +" --nolist do not list export\n"
> "\n"
> "Exposing part of the image:\n"
> " -o, --offset=OFFSET offset into the image\n"
> @@ -355,7 +358,7 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
> nb_fds++;
> nbd_update_server_watch();
> nbd_client_new(newproto ? NULL : exp, cioc,
> - tlscreds, NULL, nbd_client_closed);
> + tlscreds, NULL, allow_list, nbd_client_closed);
> }
>
> static void nbd_update_server_watch(void)
> @@ -523,6 +526,7 @@ int main(int argc, char **argv)
> { "object", required_argument, NULL, QEMU_NBD_OPT_OBJECT },
> { "export-name", required_argument, NULL, 'x' },
> { "description", required_argument, NULL, 'D' },
> + { "nolist", no_argument, NULL, QEMU_NBD_OPT_NOLIST },
> { "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS },
> { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS },
> { "trace", required_argument, NULL, 'T' },
> @@ -717,6 +721,9 @@ int main(int argc, char **argv)
> case 'D':
> export_description = optarg;
> break;
> + case QEMU_NBD_OPT_NOLIST:
> + allow_list = false;
> + break;
> case 'v':
> verbose = 1;
> break;
> diff --git a/qemu-nbd.texi b/qemu-nbd.texi
> index 9a84e81eed..010b29588f 100644
> --- a/qemu-nbd.texi
> +++ b/qemu-nbd.texi
> @@ -85,6 +85,8 @@ the new style NBD protocol negotiation
> @item -D, --description=@var{description}
> Set the NBD volume export description, as a human-readable
> string. Requires the use of @option{-x}
> +@item --nolist
> +Do not allow the client to fetch a list of exports from this server.
> @item --tls-creds=ID
> Enable mandatory TLS encryption for the server by setting the ID
> of the TLS credentials object previously created with the --object
> --
> 2.14.3
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
next prev parent reply other threads:[~2018-04-13 21:08 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-04-13 19:26 [Qemu-devel] [PATCH 0/3] qemu-nbd: Disallow listing exports Nir Soffer
2018-04-13 19:26 ` [Qemu-devel] [PATCH 1/3] nbd: Add option to disallow " Nir Soffer
2018-04-13 21:07 ` Richard W.M. Jones [this message]
2018-04-16 10:31 ` Daniel P. Berrangé
2018-04-16 10:53 ` Richard W.M. Jones
2018-04-16 11:00 ` Daniel P. Berrangé
2018-04-17 19:47 ` Eric Blake
2018-04-17 19:41 ` Eric Blake
2018-04-13 19:26 ` [Qemu-devel] [PATCH 2/3] iotests.py: Add helper for running commands Nir Soffer
2018-04-13 19:26 ` [Qemu-devel] [PATCH 3/3] qemu-iotests: Test new qemu-nbd --nolist option Nir Soffer
2018-04-17 19:56 ` Eric Blake
2018-04-18 9:43 ` Vladimir Sementsov-Ogievskiy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180413210757.GA2209@redhat.com \
--to=rjones@redhat.com \
--cc=eblake@redhat.com \
--cc=kwolf@redhat.com \
--cc=mreitz@redhat.com \
--cc=nirsof@gmail.com \
--cc=pbonzini@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).