From: "Daniel P. Berrangé" <berrange@redhat.com>
To: P J P <ppandit@redhat.com>
Cc: "Kevin Wolf" <kwolf@redhat.com>,
"Peter Maydell" <peter.maydell@linaro.org>,
"Stefano Stabellini" <sstabellini@kernel.org>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Cornelia Huck" <cohuck@redhat.com>,
"Christian Schoenebeck" <qemu_oss@crudebyte.com>,
"Michael Roth" <mdroth@linux.vnet.ibm.com>,
"QEMU Developers" <qemu-devel@nongnu.org>,
"Greg Kurz" <groug@kaod.org>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: Re: [PATCH 1/1] MAINTAINERS: introduce cve or security quotient field
Date: Thu, 16 Jul 2020 10:39:47 +0100 [thread overview]
Message-ID: <20200716093947.GH227735@redhat.com> (raw)
In-Reply-To: <nycvar.YSQ.7.78.906.2007161428570.950384@xnncv>
On Thu, Jul 16, 2020 at 02:51:55PM +0530, P J P wrote:
> +-- On Thu, 16 Jul 2020, Daniel P. Berrangé wrote --+
> | > Failing to start (with a message that explains why) if one of the command
> | > line options is not covered by a specified security policy is not
> | > unreasonable (after all, we fail to start for other cases of incompatible
> | > command line options as well.)
>
> Yes, that's right.
>
> | > However, we also need to cover dynamically-added devices. Aborting seems
> | > very bad there, just failing to add the device seems like what we'd want.
> |
> | Yep, aborting is simply not an option for the inner code. It all has to
> | propagate to a proper Error **errp object. The ultimate entry-point at the
> | CLI vs QMP then decides whether to turn the error into an abort or feed back
> | to the client app.
>
> True, handling dynamic devices is tricky.
>
> Though it seems kind of uniform workflow to check for '--security' flag at
> options parsing OR while handling dynamic devices at run time; It is a huge
> task to cover all options/use-cases for all QEMU emulators across various
> architectures.
Yes, I mentioned earlier in the thread that doing this security check at
runtime is going to be a huge amount of work, because it will need to be
wired up across a wide range of subsystems and APIS and implemnetations
in the QEMU codebase.
I don't think option parsing time will be the place you want a check
at all. You need to parse the --security flag, but once that's done
I think everything else needs to be done at time of object creation,
not config parsing. That ensures the check is present in all possible
codepaths that lead to the functionality being used.
> * If this approach is reasonable, I'll try to make an initial patch towards
> it.
>
> * We'd still need to figure out similar way for compile time option, to
> exclude building insecure features at build time.
My suggestion is to do compile time stuff first, as that ought to be a
simpler problem. Having said that, if Paolo's work on meson is likely
to arrive any time soon, then it might make sense to wait for that,
instead of implementing something for Make and then throwing it away
a release later and doing it from scratch in Meson.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
next prev parent reply other threads:[~2020-07-16 9:41 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-14 8:36 [PATCH 0/1] MAINTAINERS: add security quotient field P J P
2020-07-14 8:36 ` [PATCH 1/1] MAINTAINERS: introduce cve or " P J P
2020-07-14 9:42 ` Peter Maydell
2020-07-14 9:52 ` Daniel P. Berrangé
2020-07-14 10:12 ` Michael S. Tsirkin
2020-07-14 10:22 ` Peter Maydell
2020-07-14 11:02 ` Michael S. Tsirkin
2020-07-14 13:10 ` P J P
2020-07-16 6:55 ` Cornelia Huck
2020-07-16 8:36 ` Daniel P. Berrangé
2020-07-16 9:21 ` P J P
2020-07-16 9:39 ` Daniel P. Berrangé [this message]
2020-07-16 9:45 ` Christian Schoenebeck
2020-07-16 10:01 ` Daniel P. Berrangé
2020-07-16 12:22 ` Christian Schoenebeck
2020-07-16 12:54 ` Daniel P. Berrangé
2020-07-14 13:30 ` Daniel P. Berrangé
2020-07-14 13:48 ` Kevin Wolf
2020-07-14 13:56 ` Thomas Huth
2020-07-14 15:04 ` Christian Schoenebeck
2020-07-14 14:02 ` Daniel P. Berrangé
2020-07-14 10:18 ` Philippe Mathieu-Daudé
2020-07-14 11:51 ` Cornelia Huck
2020-07-16 8:56 ` Dr. David Alan Gilbert
2020-07-16 9:44 ` P J P
2020-07-16 10:09 ` Daniel P. Berrangé
2020-07-16 10:43 ` Markus Armbruster
2020-07-14 9:46 ` [PATCH 0/1] MAINTAINERS: add " Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200716093947.GH227735@redhat.com \
--to=berrange@redhat.com \
--cc=cohuck@redhat.com \
--cc=groug@kaod.org \
--cc=kwolf@redhat.com \
--cc=mdroth@linux.vnet.ibm.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=philmd@redhat.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu_oss@crudebyte.com \
--cc=sstabellini@kernel.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).