[PATCH] RFC: net: document "-netdev user" explicitly as unsafe

[PATCH] RFC: net: document "-netdev user" explicitly as unsafe

[marcandre.lureau]

From: Marc-André Lureau <marcandre.lureau@redhat.com>

libslirp is known to have several security flaws, we should make it
explicit by warning the users and in the documentation.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
 docs/system/net.rst | 9 +++++++++
 net/slirp.c         | 2 ++
 qemu-options.hx     | 4 +++-
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/docs/system/net.rst b/docs/system/net.rst
index 4b2640c448..1caac062a4 100644
--- a/docs/system/net.rst
+++ b/docs/system/net.rst
@@ -41,6 +41,13 @@ download OpenVPN from : https://openvpn.net/.
 Using the user mode network stack
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
+.. warning::
+   The user mode network stack (`slirp`_) is notoriously unsafe. We strongly
+   discourage its usage in a production environment. It is mostly useful for
+   developers or informed end-users. It is recommended to use other networking
+   solutions, or a dedicated standalone slirp process with the minimum
+   privileges.
+
 By using the option ``-net user`` (default configuration if no ``-net``
 option is specified), QEMU uses a completely user mode network stack
 (you don't need root privilege to use the virtual network). The virtual
@@ -98,3 +105,5 @@ option, it is possible to create emulated networks that span several
 QEMU instances. See the description of the ``-netdev socket`` option in
 :ref:`sec_005finvocation` to have a basic
 example.
+
+.. _slirp: https://gitlab.freedesktop.org/slirp/libslirp
diff --git a/net/slirp.c b/net/slirp.c
index ad3a838e0b..80891eefbb 100644
--- a/net/slirp.c
+++ b/net/slirp.c
@@ -388,6 +388,8 @@ static int net_slirp_init(NetClientState *peer, const char *model,
     char *end;
     struct slirp_config_str *config;
 
+    warn_report("User mode network stack is unsafe!");
+
     if (!ipv4 && (vnetwork || vhost || vnameserver)) {
         error_setg(errp, "IPv4 disabled but netmask/host/dns provided");
         return -1;
diff --git a/qemu-options.hx b/qemu-options.hx
index 14258784b3..b46a231ba6 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -2652,7 +2652,9 @@ SRST
 
 ``-netdev user,id=id[,option][,option][,...]``
     Configure user mode host network backend which requires no
-    administrator privilege to run. Valid options are:
+    administrator privilege to run, but is notoriously **unsafe**!
+
+    Valid options are:
 
     ``id=id``
         Assign symbolic name for use in monitor commands.
-- 
2.29.0

Re: [PATCH] RFC: net: document "-netdev user" explicitly as unsafe

[Peter Maydell]

On Mon, 7 Jun 2021 at 12:50, <marcandre.lureau@redhat.com> wrote:
>
> From: Marc-André Lureau <marcandre.lureau@redhat.com>
>
> libslirp is known to have several security flaws, we should make it
> explicit by warning the users and in the documentation.
>
> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

> --- a/net/slirp.c
> +++ b/net/slirp.c
> @@ -388,6 +388,8 @@ static int net_slirp_init(NetClientState *peer, const char *model,
>      char *end;
>      struct slirp_config_str *config;
>
> +    warn_report("User mode network stack is unsafe!");

Not enthusiastic about generating new warnings for a huge range
of end-users, especially without detailed information about
what they should do about it and suitable new command lines
(including ones which will work for everybody, not just "I'm
on an x86 PC with pluggable network devices").

Also, -net user is perfectly fine for quite a lot of usecases.

thanks
-- PMM