qemu-kvm/kvm-block-Add-option-to-use-driver-whitelist-even-in-too.patch

From 0739f735f99a6f1760a422023c262c1aa542a2e5 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Fri, 9 Jul 2021 18:41:41 +0200
Subject: [PATCH 19/43] block: Add option to use driver whitelist even in tools
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RH-Author: Kevin Wolf <None>
RH-MergeRequest: 26: block: Disable unsupported/read-only block drivers even in tools
RH-Commit: [1/2] 6755d5ff4ef43f275ae530de2b2a568ffd2d3497 (kmwolf/centos-qemu-kvm)
RH-Bugzilla: 1957782
RH-Acked-by: Max Reitz <None>
RH-Acked-by: Richard W.M. Jones <None>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Currently, the block driver whitelists are only applied for the system
emulator. All other binaries still give unrestricted access to all block
drivers. There are use cases where this made sense because the main
concern was avoiding customers running VMs on less optimised block
drivers and getting bad performance. Allowing the same image format e.g.
as a target for 'qemu-img convert' is not a problem then.

However, if the concern is the supportability of the driver in general,
either in full or when used read-write, not applying the list driver
whitelist in tools doesn't help - especially since qemu-nbd and
qemu-storage-daemon now give access to more or less the same operations
in block drivers as running a system emulator.

In order to address this, introduce a new configure option that enforces
the driver whitelist in all binaries.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20210709164141.254097-1-kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit e5f05f8c375157211c7da625a0d3f3ccdb4957d5)
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
 block.c     |  3 +++
 configure   | 14 ++++++++++++--
 meson.build |  1 +
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/block.c b/block.c
index c5b887cec1..76ecede5af 100644
--- a/block.c
+++ b/block.c
@@ -5817,6 +5817,9 @@ BlockDriverState *bdrv_find_backing_image(BlockDriverState *bs,
 
 void bdrv_init(void)
 {
+#ifdef CONFIG_BDRV_WHITELIST_TOOLS
+    use_bdrv_whitelist = 1;
+#endif
     module_call_init(MODULE_INIT_BLOCK);
 }
 
diff --git a/configure b/configure
index 53b2fa583a..7edc08afb3 100755
--- a/configure
+++ b/configure
@@ -243,6 +243,7 @@ cross_prefix=""
 audio_drv_list=""
 block_drv_rw_whitelist=""
 block_drv_ro_whitelist=""
+block_drv_whitelist_tools="no"
 host_cc="cc"
 audio_win_int=""
 libs_qga=""
@@ -1029,6 +1030,10 @@ for opt do
   ;;
   --block-drv-ro-whitelist=*) block_drv_ro_whitelist=$(echo "$optarg" | sed -e 's/,/ /g')
   ;;
+  --enable-block-drv-whitelist-in-tools) block_drv_whitelist_tools="yes"
+  ;;
+  --disable-block-drv-whitelist-in-tools) block_drv_whitelist_tools="no"
+  ;;
   --enable-debug-tcg) debug_tcg="yes"
   ;;
   --disable-debug-tcg) debug_tcg="no"
@@ -1764,10 +1769,12 @@ Advanced options (experts only):
   --block-drv-whitelist=L  Same as --block-drv-rw-whitelist=L
   --block-drv-rw-whitelist=L
                            set block driver read-write whitelist
-                           (affects only QEMU, not qemu-img)
+                           (by default affects only QEMU, not tools like qemu-img)
   --block-drv-ro-whitelist=L
                            set block driver read-only whitelist
-                           (affects only QEMU, not qemu-img)
+                           (by default affects only QEMU, not tools like qemu-img)
+  --enable-block-drv-whitelist-in-tools
+                           use block whitelist also in tools instead of only QEMU
   --enable-trace-backends=B Set trace backend
                            Available backends: $trace_backend_list
   --with-trace-file=NAME   Full PATH,NAME of file to store traces
@@ -5571,6 +5578,9 @@ if test "$audio_win_int" = "yes" ; then
 fi
 echo "CONFIG_BDRV_RW_WHITELIST=$block_drv_rw_whitelist" >> $config_host_mak
 echo "CONFIG_BDRV_RO_WHITELIST=$block_drv_ro_whitelist" >> $config_host_mak
+if test "$block_drv_whitelist_tools" = "yes" ; then
+  echo "CONFIG_BDRV_WHITELIST_TOOLS=y" >> $config_host_mak
+fi
 if test "$xfs" = "yes" ; then
   echo "CONFIG_XFS=y" >> $config_host_mak
 fi
diff --git a/meson.build b/meson.build
index 06c15bd6d2..49b8164ade 100644
--- a/meson.build
+++ b/meson.build
@@ -2606,6 +2606,7 @@ summary_info += {'coroutine pool':    config_host['CONFIG_COROUTINE_POOL'] == '1
 if have_block
   summary_info += {'Block whitelist (rw)': config_host['CONFIG_BDRV_RW_WHITELIST']}
   summary_info += {'Block whitelist (ro)': config_host['CONFIG_BDRV_RO_WHITELIST']}
+  summary_info += {'Use block whitelist in tools': config_host.has_key('CONFIG_BDRV_WHITELIST_TOOLS')}
   summary_info += {'VirtFS support':    have_virtfs}
   summary_info += {'build virtiofs daemon': have_virtiofsd}
   summary_info += {'Live block migration': config_host.has_key('CONFIG_LIVE_BLOCK_MIGRATION')}
-- 
2.27.0
* Sun Jul 25 2021 Miroslav Rezanina <mrezanin@redhat.com> - 6.0.0-10 - kvm-s390x-css-Introduce-an-ESW-struct.patch [bz#1957194] - kvm-s390x-css-Split-out-the-IRB-sense-data.patch [bz#1957194] - kvm-s390x-css-Refactor-IRB-construction.patch [bz#1957194] - kvm-s390x-css-Add-passthrough-IRB.patch [bz#1957194] - kvm-vhost-user-blk-Fail-gracefully-on-too-large-queue-si.patch [bz#1957194] - kvm-vhost-user-blk-Make-sure-to-set-Error-on-realize-fai.patch [bz#1957194] - kvm-vhost-user-blk-Don-t-reconnect-during-initialisation.patch [bz#1957194] - kvm-vhost-user-blk-Improve-error-reporting-in-realize.patch [bz#1957194] - kvm-vhost-user-blk-Get-more-feature-flags-from-vhost-dev.patch [bz#1957194] - kvm-virtio-Fail-if-iommu_platform-is-requested-but-unsup.patch [bz#1957194] - kvm-vhost-user-blk-Check-that-num-queues-is-supported-by.patch [bz#1957194] - kvm-vhost-user-Fix-backends-without-multiqueue-support.patch [bz#1957194] - kvm-file-posix-fix-max_iov-for-dev-sg-devices.patch [bz#1957194] - kvm-scsi-generic-pass-max_segments-via-max_iov-field-in-.patch [bz#1957194] - kvm-osdep-provide-ROUND_DOWN-macro.patch [bz#1957194] - kvm-block-backend-align-max_transfer-to-request-alignmen.patch [bz#1957194] - kvm-block-add-max_hw_transfer-to-BlockLimits.patch [bz#1957194] - kvm-file-posix-try-BLKSECTGET-on-block-devices-too-do-no.patch [bz#1957194] - kvm-block-Add-option-to-use-driver-whitelist-even-in-too.patch [bz#1957782] - kvm-spec-Restrict-block-drivers-in-tools.patch [bz#1957782] - kvm-Move-tools-to-separate-package.patch [bz#1972285] - kvm-Split-qemu-pr-helper-to-separate-package.patch [bz#1972300] - kvm-spec-RPM_BUILD_ROOT-buildroot.patch [bz#1973029] - kvm-spec-More-use-of-name-instead-of-qemu-kvm.patch [bz#1973029] - kvm-spec-Use-qemu-pr-helper.service-from-qemu.git.patch [bz#1973029] - kvm-spec-Use-_sourcedir-for-referencing-sources.patch [bz#1973029] - kvm-spec-Add-tools_only.patch [bz#1973029] - kvm-spec-build-Add-run_configure-helper.patch [bz#1973029] - kvm-spec-build-Disable-more-bits-with-disable_everything.patch [bz#1973029] - kvm-spec-build-Add-macros-for-some-configure-parameters.patch [bz#1973029] - kvm-spec-files-Move-qemu-guest-agent-and-qemu-img-earlie.patch [bz#1973029] - kvm-spec-install-Remove-redundant-bits.patch [bz#1973029] - kvm-spec-install-Add-modprobe_kvm_conf-macro.patch [bz#1973029] - kvm-spec-install-Remove-qemu-guest-agent-etc-qemu-kvm-us.patch [bz#1973029] - kvm-spec-install-clean-up-qemu-ga-section.patch [bz#1973029] - kvm-spec-install-Use-a-single-tools_only-section.patch [bz#1973029] - kvm-spec-Make-tools_only-not-cross-spec-sections.patch [bz#1973029] - kvm-spec-install-Limit-time-spent-in-qemu_kvm_build.patch [bz#1973029] - kvm-spec-misc-syntactic-merges-with-Fedora.patch [bz#1973029] - kvm-spec-Use-Fedora-s-pattern-for-specifying-rc-version.patch [bz#1973029] - kvm-spec-files-don-t-use-fine-grained-docs-file-list.patch [bz#1973029] - kvm-spec-files-Add-licenses-to-qemu-common-too.patch [bz#1973029] - kvm-spec-install-Drop-python3-shebang-fixup.patch [bz#1973029] - Resolves: bz#1957194 (Synchronize RHEL-AV 8.5.0 changes to RHEL 9.0.0 Beta) - Resolves: bz#1957782 (VMDK support should be read-only) - Resolves: bz#1972285 (Split out a qemu-kvm-tools subpackage) - Resolves: bz#1972300 (Split out a qemu-pr-helper subpackage) - Resolves: bz#1973029 (Spec file cleanups) 2021-07-26 02:54:48 +00:00			`From 0739f735f99a6f1760a422023c262c1aa542a2e5 Mon Sep 17 00:00:00 2001`
			`From: Kevin Wolf <kwolf@redhat.com>`
			`Date: Fri, 9 Jul 2021 18:41:41 +0200`
			`Subject: [PATCH 19/43] block: Add option to use driver whitelist even in tools`
			`MIME-Version: 1.0`
			`Content-Type: text/plain; charset=UTF-8`
			`Content-Transfer-Encoding: 8bit`

			`RH-Author: Kevin Wolf <None>`
			`RH-MergeRequest: 26: block: Disable unsupported/read-only block drivers even in tools`
			`RH-Commit: [1/2] 6755d5ff4ef43f275ae530de2b2a568ffd2d3497 (kmwolf/centos-qemu-kvm)`
			`RH-Bugzilla: 1957782`
			`RH-Acked-by: Max Reitz <None>`
			`RH-Acked-by: Richard W.M. Jones <None>`
			`RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>`

			`Currently, the block driver whitelists are only applied for the system`
			`emulator. All other binaries still give unrestricted access to all block`
			`drivers. There are use cases where this made sense because the main`
			`concern was avoiding customers running VMs on less optimised block`
			`drivers and getting bad performance. Allowing the same image format e.g.`
			`as a target for 'qemu-img convert' is not a problem then.`

			`However, if the concern is the supportability of the driver in general,`
			`either in full or when used read-write, not applying the list driver`
			`whitelist in tools doesn't help - especially since qemu-nbd and`
			`qemu-storage-daemon now give access to more or less the same operations`
			`in block drivers as running a system emulator.`

			`In order to address this, introduce a new configure option that enforces`
			`the driver whitelist in all binaries.`

			`Signed-off-by: Kevin Wolf <kwolf@redhat.com>`
			`Message-Id: <20210709164141.254097-1-kwolf@redhat.com>`
			`Reviewed-by: Eric Blake <eblake@redhat.com>`
			`Signed-off-by: Kevin Wolf <kwolf@redhat.com>`
			`(cherry picked from commit e5f05f8c375157211c7da625a0d3f3ccdb4957d5)`
			`Signed-off-by: Kevin Wolf <kwolf@redhat.com>`
			`---`
			`block.c \| 3 +++`
			`configure \| 14 ++++++++++++--`
			`meson.build \| 1 +`
			`3 files changed, 16 insertions(+), 2 deletions(-)`

			`diff --git a/block.c b/block.c`
			`index c5b887cec1..76ecede5af 100644`
			`--- a/block.c`
			`+++ b/block.c`
			`@@ -5817,6 +5817,9 @@ BlockDriverState bdrv_find_backing_image(BlockDriverState bs,`

			`void bdrv_init(void)`
			`{`
			`+#ifdef CONFIG_BDRV_WHITELIST_TOOLS`
			`+ use_bdrv_whitelist = 1;`
			`+#endif`
			`module_call_init(MODULE_INIT_BLOCK);`
			`}`

			`diff --git a/configure b/configure`
			`index 53b2fa583a..7edc08afb3 100755`
			`--- a/configure`
			`+++ b/configure`
			`@@ -243,6 +243,7 @@ cross_prefix=""`
			`audio_drv_list=""`
			`block_drv_rw_whitelist=""`
			`block_drv_ro_whitelist=""`
			`+block_drv_whitelist_tools="no"`
			`host_cc="cc"`
			`audio_win_int=""`
			`libs_qga=""`
			`@@ -1029,6 +1030,10 @@ for opt do`
			`;;`
			`--block-drv-ro-whitelist=*) block_drv_ro_whitelist=$(echo "$optarg" \| sed -e 's/,/ /g')`
			`;;`
			`+ --enable-block-drv-whitelist-in-tools) block_drv_whitelist_tools="yes"`
			`+ ;;`
			`+ --disable-block-drv-whitelist-in-tools) block_drv_whitelist_tools="no"`
			`+ ;;`
			`--enable-debug-tcg) debug_tcg="yes"`
			`;;`
			`--disable-debug-tcg) debug_tcg="no"`
			`@@ -1764,10 +1769,12 @@ Advanced options (experts only):`
			`--block-drv-whitelist=L Same as --block-drv-rw-whitelist=L`
			`--block-drv-rw-whitelist=L`
			`set block driver read-write whitelist`
			`- (affects only QEMU, not qemu-img)`
			`+ (by default affects only QEMU, not tools like qemu-img)`
			`--block-drv-ro-whitelist=L`
			`set block driver read-only whitelist`
			`- (affects only QEMU, not qemu-img)`
			`+ (by default affects only QEMU, not tools like qemu-img)`
			`+ --enable-block-drv-whitelist-in-tools`
			`+ use block whitelist also in tools instead of only QEMU`
			`--enable-trace-backends=B Set trace backend`
			`Available backends: $trace_backend_list`
			`--with-trace-file=NAME Full PATH,NAME of file to store traces`
			`@@ -5571,6 +5578,9 @@ if test "$audio_win_int" = "yes" ; then`
			`fi`
			`echo "CONFIG_BDRV_RW_WHITELIST=$block_drv_rw_whitelist" >> $config_host_mak`
			`echo "CONFIG_BDRV_RO_WHITELIST=$block_drv_ro_whitelist" >> $config_host_mak`
			`+if test "$block_drv_whitelist_tools" = "yes" ; then`
			`+ echo "CONFIG_BDRV_WHITELIST_TOOLS=y" >> $config_host_mak`
			`+fi`
			`if test "$xfs" = "yes" ; then`
			`echo "CONFIG_XFS=y" >> $config_host_mak`
			`fi`
			`diff --git a/meson.build b/meson.build`
			`index 06c15bd6d2..49b8164ade 100644`
			`--- a/meson.build`
			`+++ b/meson.build`
			`@@ -2606,6 +2606,7 @@ summary_info += {'coroutine pool': config_host['CONFIG_COROUTINE_POOL'] == '1`
			`if have_block`
			`summary_info += {'Block whitelist (rw)': config_host['CONFIG_BDRV_RW_WHITELIST']}`
			`summary_info += {'Block whitelist (ro)': config_host['CONFIG_BDRV_RO_WHITELIST']}`
			`+ summary_info += {'Use block whitelist in tools': config_host.has_key('CONFIG_BDRV_WHITELIST_TOOLS')}`
			`summary_info += {'VirtFS support': have_virtfs}`
			`summary_info += {'build virtiofs daemon': have_virtiofsd}`
			`summary_info += {'Live block migration': config_host.has_key('CONFIG_LIVE_BLOCK_MIGRATION')}`
			`--`
			`2.27.0`