From nobody Thu May 15 10:11:00 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 152810275443710.398674424951423; Mon, 4 Jun 2018 01:59:14 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 91BF530BB205; Mon, 4 Jun 2018 08:59:12 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 0C7A83001A50; Mon, 4 Jun 2018 08:59:12 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 4A55B4CA80; Mon, 4 Jun 2018 08:59:10 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w548x8dO018637 for ; Mon, 4 Jun 2018 04:59:08 -0400 Received: by smtp.corp.redhat.com (Postfix) id 18CC62026E0E; Mon, 4 Jun 2018 08:59:08 +0000 (UTC) Received: from angien.brq.redhat.com (unknown [10.43.2.136]) by smtp.corp.redhat.com (Postfix) with ESMTP id B11D22026DEF for ; Mon, 4 Jun 2018 08:59:07 +0000 (UTC) 
From: Peter Krempa To: libvir-list@redhat.com Date: Mon, 4 Jun 2018 10:58:44 +0200 Message-Id: <407ab3e587967a095137b7731596045cefc6a923.1528102541.git.pkrempa@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 02/10] qemu: conf: Remove 'allow_disk_format_probing' config option X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.26 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.47]); Mon, 04 Jun 2018 08:59:13 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" The option is insecure and it has been long enough for users to migrate their disk files to use explicit format. Drop the option and related code. The config parser still parses it and rejects startup if it's still present in the config in enabled state. The augeas lens is also kept so that users can disable it. Signed-off-by: Peter Krempa Reviewed-by: J=EF=BF=BDn Tomko --- src/qemu/qemu.conf | 12 --------- src/qemu/qemu_conf.c | 8 +++++- src/qemu/qemu_conf.h | 1 - src/qemu/qemu_domain.c | 54 +++++++++++-----------------------= ---- src/qemu/qemu_driver.c | 20 +++++--------- src/qemu/test_libvirtd_qemu.aug.in | 1 - 6 files changed, 28 insertions(+), 68 deletions(-) diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index c8e1a62d1c..9be4d2c1e7 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf 
@@ -650,18 +650,6 @@ #relaxed_acs_check =3D 1 -# If allow_disk_format_probing is enabled, libvirt will probe disk -# images to attempt to identify their format, when not otherwise -# specified in the XML. This is disabled by default. -# -# WARNING: Enabling probing is a security hole in almost all -# deployments. It is strongly recommended that users update their -# guest XML elements to include -# elements instead of enabling this option. -# -#allow_disk_format_probing =3D 1 - - # In order to prevent accidentally starting two domains that # share one writable disk, libvirt offers two approaches for # locking files. The first one is sanlock, the other one, diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 5f35a49e91..873c5fd123 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -481,6 +481,7 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr = cfg, char **nvram =3D NULL; char *corestr =3D NULL; char **namespaces =3D NULL; + bool tmp; /* Just check the file is readable before opening it, otherwise * libvirt emits an error. @@ -773,8 +774,13 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr= cfg, goto cleanup; if (virConfGetValueBool(conf, "clear_emulator_capabilities", &cfg->cle= arEmulatorCapabilities) < 0) goto cleanup; - if (virConfGetValueBool(conf, "allow_disk_format_probing", &cfg->allow= DiskFormatProbing) < 0) + if (virConfGetValueBool(conf, "allow_disk_format_probing", &tmp) < 0) goto cleanup; + if (tmp) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("allow_disk_format_probing is no longer supported= ")); + goto cleanup; + } if (virConfGetValueBool(conf, "set_process_name", &cfg->setProcessName= ) < 0) goto cleanup; if (virConfGetValueUInt(conf, "max_processes", &cfg->maxProcesses) < 0) diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index 6d25c3e74f..be7d5a1e96 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h 
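Review bot: `bool tmp;` in the first virQEMUDriverConfigLoadFile hunk has no initializer, and the second hunk tests `if (tmp)` right after `virConfGetValueBool(conf, "allow_disk_format_probing", &tmp)`. If virConfGetValueBool leaves its output untouched when the key is absent (its definition is not part of this patch, so confirm), a config that never mentions the option reads an indeterminate value and may refuse to start unpredictably. Declaring it as `bool tmp = false;` makes the rejection depend only on what the file contains. Both hunks cut through virQEMUDriverConfigLoadFile, whose body starts and ends outside them.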
@@ -161,7 +161,6 @@ struct _virQEMUDriverConfig { bool vncAllowHostAudio; bool nogfxAllowHostAudio; bool clearEmulatorCapabilities; - bool allowDiskFormatProbing; bool setProcessName; unsigned int maxProcesses; diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index a7c76c1afd..d230ead359 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c 
@@ -5917,39 +5917,23 @@ qemuDomainDeviceDiskDefPostParseRestoreSecAlias(vir= DomainDiskDefPtr disk, static int qemuDomainDeviceDiskDefPostParse(virDomainDiskDefPtr disk, virQEMUCapsPtr qemuCaps, - unsigned int parseFlags, - virQEMUDriverConfigPtr cfg) + unsigned int parseFlags) { /* set default disk types and drivers */ - /* assign default storage format and driver according to config */ - if (cfg->allowDiskFormatProbing) { - /* default disk format for drives */ - if (virDomainDiskGetFormat(disk) =3D=3D VIR_STORAGE_FILE_NONE && - (virDomainDiskGetType(disk) =3D=3D VIR_STORAGE_TYPE_FILE || - virDomainDiskGetType(disk) =3D=3D VIR_STORAGE_TYPE_BLOCK)) - virDomainDiskSetFormat(disk, VIR_STORAGE_FILE_AUTO); - - /* default disk format for mirrored drive */ - if (disk->mirror && - disk->mirror->format =3D=3D VIR_STORAGE_FILE_NONE) - disk->mirror->format =3D VIR_STORAGE_FILE_AUTO; - } else { - /* default driver if probing is forbidden */ - if (!virDomainDiskGetDriver(disk) && - virDomainDiskSetDriver(disk, "qemu") < 0) - return -1; + if (!virDomainDiskGetDriver(disk) && + virDomainDiskSetDriver(disk, "qemu") < 0) + return -1; - /* default disk format for drives */ - if (virDomainDiskGetFormat(disk) =3D=3D VIR_STORAGE_FILE_NONE && - (virDomainDiskGetType(disk) =3D=3D VIR_STORAGE_TYPE_FILE || - virDomainDiskGetType(disk) =3D=3D VIR_STORAGE_TYPE_BLOCK)) - virDomainDiskSetFormat(disk, VIR_STORAGE_FILE_RAW); + /* default disk format for drives */ + if (virDomainDiskGetFormat(disk) =3D=3D VIR_STORAGE_FILE_NONE && + (virDomainDiskGetType(disk) =3D=3D VIR_STORAGE_TYPE_FILE || + virDomainDiskGetType(disk) =3D=3D VIR_STORAGE_TYPE_BLOCK)) + virDomainDiskSetFormat(disk, VIR_STORAGE_FILE_RAW); - /* default disk format for mirrored drive */ - if (disk->mirror && - disk->mirror->format =3D=3D VIR_STORAGE_FILE_NONE) - disk->mirror->format =3D VIR_STORAGE_FILE_RAW; - } + /* default disk format for mirrored drive */ + if (disk->mirror && + disk->mirror->format =3D=3D VIR_STORAGE_FILE_NONE) 
+ disk->mirror->format =3D VIR_STORAGE_FILE_RAW; if (qemuDomainDeviceDiskDefPostParseRestoreSecAlias(disk, qemuCaps, parseFlags) < 0) @@ -6044,7 +6028,6 @@ qemuDomainDeviceDefPostParse(virDomainDeviceDefPtr de= v, * function shall not fail in that case. It will be re-run on VM start= up * with the capabilities populated. */ virQEMUCapsPtr qemuCaps =3D parseOpaque; - virQEMUDriverConfigPtr cfg =3D virQEMUDriverGetConfig(driver); int ret =3D -1; switch ((virDomainDeviceType) dev->type) { @@ -6054,7 +6037,7 @@ qemuDomainDeviceDefPostParse(virDomainDeviceDefPtr de= v, case VIR_DOMAIN_DEVICE_DISK: ret =3D qemuDomainDeviceDiskDefPostParse(dev->data.disk, qemuCaps, - parseFlags, cfg); + parseFlags); break; case VIR_DOMAIN_DEVICE_VIDEO: @@ -6112,7 +6095,6 @@ qemuDomainDeviceDefPostParse(virDomainDeviceDefPtr de= v, break; } - virObjectUnref(cfg); return ret; } @@ -7126,11 +7108,6 @@ void qemuDomainObjCheckDiskTaint(virQEMUDriverPtr dr= iver, qemuDomainLogContextPtr logCtxt) { virQEMUDriverConfigPtr cfg =3D virQEMUDriverGetConfig(driver); - int format =3D virDomainDiskGetFormat(disk); - - if ((!format || format =3D=3D VIR_STORAGE_FILE_AUTO) && - cfg->allowDiskFormatProbing) - qemuDomainObjTaint(driver, obj, VIR_DOMAIN_TAINT_DISK_PROBING, log= Ctxt); if (disk->rawio =3D=3D VIR_TRISTATE_BOOL_YES) qemuDomainObjTaint(driver, obj, VIR_DOMAIN_TAINT_HIGH_PRIVILEGES, @@ -8085,8 +8062,7 @@ qemuDomainDetermineDiskChain(virQEMUDriverPtr driver, qemuDomainGetImageIds(cfg, vm, src, disk->src, &uid, &gid); if (virStorageFileGetMetadata(src, - uid, gid, - cfg->allowDiskFormatProbing, + uid, gid, false, report_broken) < 0) goto cleanup; diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index b7c3348550..0283a906af 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c 
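Review bot: The comments left in qemuDomainDeviceDiskDefPostParse (`/* set default disk types and drivers */`, `/* default disk format for drives */`) no longer say why the default is raw now that the probing branch is gone. A short rationale above the format assignment would keep a later change from reintroducing VIR_STORAGE_FILE_AUTO here, for example `/* Never default to a probed format: image content is guest-writable, so an unspecified format is always treated as raw. */`. The function continues past the end of the hunk.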
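Review bot: In qemuDomainObjCheckDiskTaint the removed block was the only visible reader of `cfg`, yet `virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);` stays. The rest of the function is outside the hunk; if nothing further down reads `cfg`, the lookup and its matching `virObjectUnref(cfg)` are dead and should be dropped in this commit, as was done for qemuDomainDeviceDefPostParse. The commit message could also state whether VIR_DOMAIN_TAINT_DISK_PROBING can still be set anywhere, since monitoring that watches domain taint flags may depend on it.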
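Review bot: The bare `false` passed to virStorageFileGetMetadata in qemuDomainDetermineDiskChain does not say what it switches off. The same applies to `virStorageSourceUpdateCapacity(src, buf, len, false)` in the qemuStorageLimitsRefresh hunk of qemu_driver.c. Until the parameter itself is removed, annotate the argument, e.g. `uid, gid, false, /* no format probing */`, so someone auditing the call sites can see that probing is off by design. Both calls sit in functions that extend beyond their hunks.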
@@ -365,8 +365,6 @@ qemuSecurityInit(virQEMUDriverPtr driver) virQEMUDriverConfigPtr cfg =3D virQEMUDriverGetConfig(driver); unsigned int flags =3D 0; - if (cfg->allowDiskFormatProbing) - flags |=3D VIR_SECURITY_MANAGER_ALLOW_DISK_PROBE; if (cfg->securityDefaultConfined) flags |=3D VIR_SECURITY_MANAGER_DEFAULT_CONFINED; if (cfg->securityRequireConfined) @@ -11939,8 +11937,7 @@ qemuStorageLimitsRefresh(virQEMUDriverPtr driver, if (virStorageSourceUpdateBackingSizes(src, fd, &sb) < 0) goto cleanup; - if (virStorageSourceUpdateCapacity(src, buf, len, - cfg->allowDiskFormatProbing) < 0) + if (virStorageSourceUpdateCapacity(src, buf, len, false) < 0) goto cleanup; /* If guest is not using raw disk format and is on a host block @@ -14169,16 +14166,11 @@ qemuDomainSnapshotCreateInactiveExternal(virQEMUD= riverPtr driver, defdisk->src->path, virStorageFileFormatTypeToString(defdis= k->src->format)); } else { - if (!cfg->allowDiskFormatProbing) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, - _("unknown image format of '%s' and " - "format probing is disabled"), - defdisk->src->path); - goto cleanup; - } - - /* adds cmd line arg: backing_file=3D/path/to/backing/file */ - virCommandAddArgFormat(cmd, "backing_file=3D%s", defdisk->src-= >path); + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, + _("unknown image format of '%s' and " + "format probing is disabled"), + defdisk->src->path); + goto cleanup; } /* adds cmd line args: /path/to/target/file */ diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qe= mu.aug.in index 912161c272..587e8f6521 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in 
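Review bot: The error kept in qemuDomainSnapshotCreateInactiveExternal still says `"format probing is disabled"`, which reads as if a setting could turn probing back on, while this commit removes that setting. Wording that tells the user what to do is more useful, for example `_("unknown image format of '%s'; specify the disk format explicitly")`. Changing the msgid affects translations, so it is cheaper to settle the wording in this commit. The surrounding loop and the function start outside the hunk.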
@@ -79,7 +79,6 @@ module Test_libvirtd_qemu =3D { "dump_guest_core" =3D "1" } { "mac_filter" =3D "1" } { "relaxed_acs_check" =3D "1" } -{ "allow_disk_format_probing" =3D "1" } { "lock_manager" =3D "lockd" } { "max_queued" =3D "0" } { "keepalive_interval" =3D "5" } --=20 2.16.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list