From: Christian Schoenebeck <qemu_oss@crudebyte.com>
To: qemu-devel@nongnu.org, "Daniel P. Berrangé" <berrange@redhat.com>
Cc: "Kevin Wolf" <kwolf@redhat.com>,
"Peter Maydell" <peter.maydell@linaro.org>,
"Stefano Stabellini" <sstabellini@kernel.org>,
"Michael Roth" <mdroth@linux.vnet.ibm.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Cornelia Huck" <cohuck@redhat.com>, "P J P" <ppandit@redhat.com>,
"Greg Kurz" <groug@kaod.org>,
"Stefan Hajnoczi" <stefanha@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>
Subject: Re: [PATCH 1/1] MAINTAINERS: introduce cve or security quotient field
Date: Thu, 16 Jul 2020 14:22:14 +0200 [thread overview]
Message-ID: <5717837.yeCYy4G0CH@silver> (raw)
In-Reply-To: <20200716100157.GK227735@redhat.com>
On Donnerstag, 16. Juli 2020 12:01:57 CEST Daniel P. Berrangé wrote:
> > My concern here is that just distinguishing between either 'low' or 'high'
> > is a far too rough classification.
> >
> > In our preceding communication regarding 9pfs, I made clear that a) we do
> > care about security relevant 9pfs issues, and only b) the avarage use
> > cases (as far we know) for 9pfs are above a certain trust level.
> >
> > However b) does not imply 9pfs being 'unsafe', nor that we want users to
> > refrain using it in a security relevant environment. So 9pfs would
> > actually be somewhere in between.
>
> We shouldn't overthink this and invent many classification levels.
>
> This is essentially about distinguishing code that is written with the
> intent of protecting from a malicous guest, from code that assumes a
> non-malicious guest. That is a pretty clear demarcation on when it is
> reasonable to use any given feature in QEMU.
>
> Within the set of code that is assuming a malicious guest, there are
> still going to be varying levels of quality, and that is ok. We don't
> need to express that programatically, the docs are still there to
> describe the fine nuances of any given feature. We're just saying that
> in general, this set of code is acceptable to use in combination with
> a malicious guest, and if you find bugs we'll triage them as security
> flaws.
Yes, that would be a base consideration for any security classification. And
it applies to 9pfs hence it would suggest 'high' for 9pfs, but ...
> 9p is generally written from the POV of protecting against a malicious
> guest, so it would be considered part of the high security set, and
> flaws will be treated as CVEs. We don't need to be break it down into
> any more detail than that.
... this is where it already differs from reality, as 9pfs security issues
were both handled as CVEs as well as normal reports for years, which nobody
objected.
So I wonder how helpful it would be trying to either put 9pfs into either
'high' or 'low', because another observed problematic with 9pfs is that the
degree of participation is so low, that if you try to impose certain formal
minimum requirements to contributors, you usually never hear from them again.
And BTW Prasad actually suggested the opposite classification:
> @@ -1761,6 +1927,7 @@ virtio-9p
>
> M: Greg Kurz <groug@kaod.org>
> M: Christian Schoenebeck <qemu_oss@crudebyte.com>
> S: Odd Fixes
>
> +C: Low
>
> F: hw/9pfs/
> X: hw/9pfs/xen-9p*
> F: fsdev/
Even though we discussed this issue with him in detail before, which probably
shows that a simple binary security classification is too coarse and too
ambiguous.
Best regards,
Christian Schoenebeck
next prev parent reply other threads:[~2020-07-16 12:23 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-14 8:36 [PATCH 0/1] MAINTAINERS: add security quotient field P J P
2020-07-14 8:36 ` [PATCH 1/1] MAINTAINERS: introduce cve or " P J P
2020-07-14 9:42 ` Peter Maydell
2020-07-14 9:52 ` Daniel P. Berrangé
2020-07-14 10:12 ` Michael S. Tsirkin
2020-07-14 10:22 ` Peter Maydell
2020-07-14 11:02 ` Michael S. Tsirkin
2020-07-14 13:10 ` P J P
2020-07-16 6:55 ` Cornelia Huck
2020-07-16 8:36 ` Daniel P. Berrangé
2020-07-16 9:21 ` P J P
2020-07-16 9:39 ` Daniel P. Berrangé
2020-07-16 9:45 ` Christian Schoenebeck
2020-07-16 10:01 ` Daniel P. Berrangé
2020-07-16 12:22 ` Christian Schoenebeck [this message]
2020-07-16 12:54 ` Daniel P. Berrangé
2020-07-14 13:30 ` Daniel P. Berrangé
2020-07-14 13:48 ` Kevin Wolf
2020-07-14 13:56 ` Thomas Huth
2020-07-14 15:04 ` Christian Schoenebeck
2020-07-14 14:02 ` Daniel P. Berrangé
2020-07-14 10:18 ` Philippe Mathieu-Daudé
2020-07-14 11:51 ` Cornelia Huck
2020-07-16 8:56 ` Dr. David Alan Gilbert
2020-07-16 9:44 ` P J P
2020-07-16 10:09 ` Daniel P. Berrangé
2020-07-16 10:43 ` Markus Armbruster
2020-07-14 9:46 ` [PATCH 0/1] MAINTAINERS: add " Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5717837.yeCYy4G0CH@silver \
--to=qemu_oss@crudebyte.com \
--cc=berrange@redhat.com \
--cc=cohuck@redhat.com \
--cc=groug@kaod.org \
--cc=kwolf@redhat.com \
--cc=mdroth@linux.vnet.ibm.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=philmd@redhat.com \
--cc=ppandit@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=sstabellini@kernel.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).