From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
"Thomas Huth" <thuth@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Prasad J Pandit" <pjp@fedoraproject.org>,
qemu-block@nongnu.org, "Michael S. Tsirkin" <mst@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>,
"Richard Henderson" <richard.henderson@linaro.org>,
"Markus Armbruster" <armbru@redhat.com>,
"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
xen-devel@lists.xenproject.org,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Eric Blake" <eblake@redhat.com>,
"Eduardo Habkost" <ehabkost@redhat.com>
Subject: [RFC PATCH 01/10] sysemu: Introduce qemu_security_policy_taint() API
Date: Thu, 9 Sep 2021 01:20:15 +0200 [thread overview]
Message-ID: <20210908232024.2399215-2-philmd@redhat.com> (raw)
In-Reply-To: <20210908232024.2399215-1-philmd@redhat.com>
Introduce qemu_security_policy_taint() which allows unsafe (read
"not very maintained") code to 'taint' QEMU security policy.
The "security policy" is the @SecurityPolicy QAPI enum, composed of:
- "none" (no policy, current behavior)
- "warn" (display a warning when the policy is tainted, keep going)
- "strict" (once tainted, exit QEMU before starting the VM)
The qemu_security_policy_is_strict() helper is also provided, which
will be proved useful once a VM is started (example we do not want
to kill a running VM if an unsafe device is hot-added).
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
qapi/run-state.json | 16 +++++++++++
include/qemu-common.h | 19 ++++++++++++
softmmu/vl.c | 67 +++++++++++++++++++++++++++++++++++++++++++
qemu-options.hx | 17 +++++++++++
4 files changed, 119 insertions(+)
diff --git a/qapi/run-state.json b/qapi/run-state.json
index 43d66d700fc..b15a107fa01 100644
--- a/qapi/run-state.json
+++ b/qapi/run-state.json
@@ -638,3 +638,19 @@
{ 'struct': 'MemoryFailureFlags',
'data': { 'action-required': 'bool',
'recursive': 'bool'} }
+
+##
+# @SecurityPolicy:
+#
+# An enumeration of the actions taken when the security policy is tainted.
+#
+# @none: do nothing.
+#
+# @warn: display a warning.
+#
+# @strict: prohibit QEMU to start a VM.
+#
+# Since: 6.2
+##
+{ 'enum': 'SecurityPolicy',
+ 'data': [ 'none', 'warn', 'strict' ] }
diff --git a/include/qemu-common.h b/include/qemu-common.h
index 73bcf763ed8..bf0b054bb66 100644
--- a/include/qemu-common.h
+++ b/include/qemu-common.h
@@ -139,4 +139,23 @@ void page_size_init(void);
* returned. */
bool dump_in_progress(void);
+/**
+ * qemu_security_policy_taint:
+ * @tainting whether any security policy is tainted (compromised).
+ * @fmt: taint reason format string
+ * ...: list of arguments to interpolate into @fmt, like printf().
+ *
+ * Allow unsafe code path to taint the global security policy.
+ * See #SecurityPolicy.
+ */
+void qemu_security_policy_taint(bool tainting, const char *fmt, ...)
+ GCC_FMT_ATTR(2, 3);
+
+/**
+ * qemu_security_policy_is_strict:
+ *
+ * Return %true if the global security policy is 'strict', %false otherwise.
+ */
+bool qemu_security_policy_is_strict(void);
+
#endif
diff --git a/softmmu/vl.c b/softmmu/vl.c
index 55ab70eb97f..92c05ac97ee 100644
--- a/softmmu/vl.c
+++ b/softmmu/vl.c
@@ -489,6 +489,20 @@ static QemuOptsList qemu_action_opts = {
},
};
+static QemuOptsList qemu_security_policy_opts = {
+ .name = "security-policy",
+ .implied_opt_name = "policy",
+ .merge_lists = true,
+ .head = QTAILQ_HEAD_INITIALIZER(qemu_security_policy_opts.head),
+ .desc = {
+ {
+ .name = "policy",
+ .type = QEMU_OPT_STRING,
+ },
+ { /* end of list */ }
+ },
+};
+
const char *qemu_get_vm_name(void)
{
return qemu_name;
@@ -600,6 +614,52 @@ static int cleanup_add_fd(void *opaque, QemuOpts *opts, Error **errp)
}
#endif
+static SecurityPolicy security_policy = SECURITY_POLICY_NONE;
+
+bool qemu_security_policy_is_strict(void)
+{
+ return security_policy == SECURITY_POLICY_STRICT;
+}
+
+static int select_security_policy(const char *p)
+{
+ int policy;
+ char *qapi_value;
+
+ qapi_value = g_ascii_strdown(p, -1);
+ policy = qapi_enum_parse(&SecurityPolicy_lookup, qapi_value, -1, NULL);
+ g_free(qapi_value);
+ if (policy < 0) {
+ return -1;
+ }
+ security_policy = policy;
+
+ return 0;
+}
+
+void qemu_security_policy_taint(bool tainting, const char *fmt, ...)
+{
+ va_list ap;
+ g_autofree char *efmt = NULL;
+
+ if (security_policy == SECURITY_POLICY_NONE || !tainting) {
+ return;
+ }
+
+ va_start(ap, fmt);
+ if (security_policy == SECURITY_POLICY_STRICT) {
+ efmt = g_strdup_printf("%s taints QEMU security policy, exiting.", fmt);
+ error_vreport(efmt, ap);
+ exit(EXIT_FAILURE);
+ } else if (security_policy == SECURITY_POLICY_WARN) {
+ efmt = g_strdup_printf("%s taints QEMU security policy.", fmt);
+ warn_vreport(efmt, ap);
+ } else {
+ g_assert_not_reached();
+ }
+ va_end(ap);
+}
+
/***********************************************************/
/* QEMU Block devices */
@@ -2764,6 +2824,7 @@ void qemu_init(int argc, char **argv, char **envp)
qemu_add_opts(&qemu_semihosting_config_opts);
qemu_add_opts(&qemu_fw_cfg_opts);
qemu_add_opts(&qemu_action_opts);
+ qemu_add_opts(&qemu_security_policy_opts);
module_call_init(MODULE_INIT_OPTS);
error_init(argv[0]);
@@ -3230,6 +3291,12 @@ void qemu_init(int argc, char **argv, char **envp)
exit(1);
}
break;
+ case QEMU_OPTION_security_policy:
+ if (select_security_policy(optarg) == -1) {
+ error_report("unknown -security-policy parameter");
+ exit(1);
+ }
+ break;
case QEMU_OPTION_parallel:
add_device_config(DEV_PARALLEL, optarg);
default_parallel = 0;
diff --git a/qemu-options.hx b/qemu-options.hx
index 8f603cc7e65..d9939f7ae1d 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -4298,6 +4298,23 @@ SRST
ERST
+DEF("security-policy", HAS_ARG, QEMU_OPTION_security_policy, \
+ "-security-policy none|warn|strict\n" \
+ " action when security policy is tainted [default=none]\n",
+ QEMU_ARCH_ALL)
+SRST
+``-security-policy policy``
+ The policy controls what QEMU will do when an unsecure feature is
+ used, tainting the process security. The default is ``none`` (do
+ nothing). Other possible actions are: ``warn`` (display a warning
+ and keep going) or ``strict`` (exits QEMU before launching a VM).
+
+ Examples:
+
+ ``-security-policy warn``; \ ``-security-policy strict``
+
+ERST
+
DEF("echr", HAS_ARG, QEMU_OPTION_echr, \
"-echr chr set terminal escape character instead of ctrl-a\n",
QEMU_ARCH_ALL)
--
2.31.1
next prev parent reply other threads:[~2021-09-08 23:21 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-08 23:20 [RFC PATCH 00/10] security: Introduce qemu_security_policy_taint() API Philippe Mathieu-Daudé
2021-09-08 23:20 ` Philippe Mathieu-Daudé [this message]
2021-09-09 10:01 ` [RFC PATCH 01/10] sysemu: " Paolo Bonzini
2021-09-09 18:45 ` Eric Blake
2021-09-08 23:20 ` [RFC PATCH 02/10] accel: Use qemu_security_policy_taint(), mark KVM and Xen as safe Philippe Mathieu-Daudé
2021-09-09 10:37 ` Daniel P. Berrangé
2021-10-21 14:47 ` Markus Armbruster
2021-09-09 18:46 ` Eric Blake
2021-09-08 23:20 ` [RFC PATCH 03/10] block: Use qemu_security_policy_taint() API Philippe Mathieu-Daudé
2021-09-09 9:53 ` Philippe Mathieu-Daudé
2021-09-09 10:40 ` Daniel P. Berrangé
2021-09-09 10:55 ` Daniel P. Berrangé
2021-09-09 19:05 ` Eric Blake
2021-09-08 23:20 ` [RFC PATCH 04/10] block/vvfat: Mark the driver as unsafe Philippe Mathieu-Daudé
2021-09-08 23:20 ` [RFC PATCH 05/10] block/null: Mark 'read-zeroes=off' option " Philippe Mathieu-Daudé
2021-09-08 23:20 ` [RFC PATCH 06/10] qdev: Use qemu_security_policy_taint() API Philippe Mathieu-Daudé
2021-09-09 11:03 ` Daniel P. Berrangé
2021-09-08 23:20 ` [RFC PATCH 07/10] hw/display: Mark ATI and Artist devices as unsafe Philippe Mathieu-Daudé
2021-09-08 23:20 ` [RFC PATCH 08/10] hw/misc: Mark testdev " Philippe Mathieu-Daudé
2021-09-08 23:20 ` [RFC PATCH 09/10] hw/net: Mark Tulip device " Philippe Mathieu-Daudé
2021-09-08 23:20 ` [RFC PATCH 10/10] hw/sd: Mark sdhci-pci " Philippe Mathieu-Daudé
2021-09-09 10:28 ` [RFC PATCH 00/10] security: Introduce qemu_security_policy_taint() API Daniel P. Berrangé
2021-09-14 13:30 ` P J P
2021-09-28 11:39 ` P J P
2021-09-30 10:30 ` Daniel P. Berrangé
2021-09-09 12:03 ` Alexander Bulekov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210908232024.2399215-2-philmd@redhat.com \
--to=philmd@redhat.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=eblake@redhat.com \
--cc=ehabkost@redhat.com \
--cc=f4bug@amsat.org \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=pjp@fedoraproject.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thuth@redhat.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).