The following changes since commit 812b835fb4d23dd108b2f9802158472d50b73579:

Merge remote-tracking branch 'remotes/maxreitz/tags/pull-block-2019-05-07' into staging (2019-05-09 16:31:12 +0100)

https://github.com/stefanha/qemu.git tags/block-pull-request

for you to fetch changes up to e84125761f78919fe63616d9888ea45e72dc956f:

docs: add Security chapter to the documentation (2019-05-10 10:53:52 +0100)

Andrey Shinkevich (1):

block/io.c: fix for the allocation failure

Jules Irenge (3):

util/readline: add a space to fix errors by checkpatch tool

util: readline: replace tab indent by four spaces to fix checkpatch

errors

util/readline: Add braces to fix checkpatch errors

Nikita Alekseev (1):

block: Add coroutine_fn to bdrv_check_co_entry

Paolo Bonzini (1):

aio-posix: ensure poll mode is left when aio_notify is called

Stefan Hajnoczi (2):

docs: add Secure Coding Practices to developer docs

docs: add Security chapter to the documentation

Makefile | 2 +-

block.c | 2 +-

block/io.c | 2 +-

util/aio-posix.c | 12 +-

util/readline.c | 174 ++++++++++++++-----------

docs/devel/index.rst | 1 +

docs/devel/secure-coding-practices.rst | 106 +++++++++++++++

docs/security.texi | 131 +++++++++++++++++++

qemu-doc.texi | 3 +

9 files changed, 347 insertions(+), 86 deletions(-)

create mode 100644 docs/devel/secure-coding-practices.rst

create mode 100644 docs/security.texi

2.21.0

This new chapter in the QEMU documentation covers the security

requirements that QEMU is designed to meet and principles for securely

deploying QEMU.

It is just a starting point that can be extended in the future with more

information.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

Acked-by: Stefano Garzarella <sgarzare@redhat.com>

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Reviewed-by: Li Qiang <liq3ea@gmail.com>

Message-id: 20190509121820.16294-3-stefanha@redhat.com

Message-Id: <20190509121820.16294-3-stefanha@redhat.com>

Makefile | 2 +-

docs/security.texi | 131 +++++++++++++++++++++++++++++++++++++++++++++

qemu-doc.texi | 3 ++

3 files changed, 135 insertions(+), 1 deletion(-)

create mode 100644 docs/security.texi

diff --git a/Makefile b/Makefile

--- a/Makefile

+++ b/Makefile

@@ -XXX,XX +XXX,XX @@ qemu-doc.html qemu-doc.info qemu-doc.pdf qemu-doc.txt: \

    qemu-img.texi qemu-nbd.texi qemu-options.texi qemu-option-trace.texi \

    qemu-deprecated.texi qemu-monitor.texi qemu-img-cmds.texi qemu-ga.texi \

    qemu-monitor-info.texi docs/qemu-block-drivers.texi \

-    docs/qemu-cpu-models.texi

+    docs/qemu-cpu-models.texi docs/security.texi

docs/interop/qemu-ga-ref.dvi docs/interop/qemu-ga-ref.html \

docs/interop/qemu-ga-ref.info docs/interop/qemu-ga-ref.pdf \

diff --git a/docs/security.texi b/docs/security.texi

+++ b/docs/security.texi

@@ -XXX,XX +XXX,XX @@

+@node Security

+@chapter Security

+

+@section Overview

+

+This chapter explains the security requirements that QEMU is designed to meet

+and principles for securely deploying QEMU.

+

+@section Security Requirements

+

+QEMU supports many different use cases, some of which have stricter security

+requirements than others. The community has agreed on the overall security

+requirements that users may depend on. These requirements define what is

+considered supported from a security perspective.

+

+@subsection Virtualization Use Case

+

+The virtualization use case covers cloud and virtual private server (VPS)

+hosting, as well as traditional data center and desktop virtualization. These

+use cases rely on hardware virtualization extensions to execute guest code

+safely on the physical CPU at close-to-native speed.

+

+The following entities are untrusted, meaning that they may be buggy or

+malicious:

+

+@itemize

+@item Guest

+@item User-facing interfaces (e.g. VNC, SPICE, WebSocket)

+@item Network protocols (e.g. NBD, live migration)

+@item User-supplied files (e.g. disk images, kernels, device trees)

+@item Passthrough devices (e.g. PCI, USB)

+@end itemize

+

+Bugs affecting these entities are evaluated on whether they can cause damage in

+real-world use cases and treated as security bugs if this is the case.

+

+@subsection Non-virtualization Use Case

+

+The non-virtualization use case covers emulation using the Tiny Code Generator

+(TCG). In principle the TCG and device emulation code used in conjunction with

+the non-virtualization use case should meet the same security requirements as

+the virtualization use case. However, for historical reasons much of the

+non-virtualization use case code was not written with these security

+requirements in mind.

+

+Bugs affecting the non-virtualization use case are not considered security

+bugs at this time. Users with non-virtualization use cases must not rely on

+QEMU to provide guest isolation or any security guarantees.

+

+@section Architecture

+

+This section describes the design principles that ensure the security

+requirements are met.

+

+@subsection Guest Isolation

+

+Guest isolation is the confinement of guest code to the virtual machine. When

+guest code gains control of execution on the host this is called escaping the

+virtual machine. Isolation also includes resource limits such as throttling of

+CPU, memory, disk, or network. Guests must be unable to exceed their resource

+limits.

+

+QEMU presents an attack surface to the guest in the form of emulated devices.

+The guest must not be able to gain control of QEMU. Bugs in emulated devices

+could allow malicious guests to gain code execution in QEMU. At this point the

+guest has escaped the virtual machine and is able to act in the context of the

+QEMU process on the host.

+

+Guests often interact with other guests and share resources with them. A

+malicious guest must not gain control of other guests or access their data.

+Disk image files and network traffic must be protected from other guests unless

+explicitly shared between them by the user.

+

+@subsection Principle of Least Privilege

+

+The principle of least privilege states that each component only has access to

+the privileges necessary for its function. In the case of QEMU this means that

+each process only has access to resources belonging to the guest.

+

+The QEMU process should not have access to any resources that are inaccessible

+to the guest. This way the guest does not gain anything by escaping into the

+QEMU process since it already has access to those same resources from within

+the guest.

+

+Following the principle of least privilege immediately fulfills guest isolation

+requirements. For example, guest A only has access to its own disk image file

+@code{a.img} and not guest B's disk image file @code{b.img}.

+

+In reality certain resources are inaccessible to the guest but must be

+available to QEMU to perform its function. For example, host system calls are

+necessary for QEMU but are not exposed to guests. A guest that escapes into

+the QEMU process can then begin invoking host system calls.

+

+New features must be designed to follow the principle of least privilege.

+Should this not be possible for technical reasons, the security risk must be

+clearly documented so users are aware of the trade-off of enabling the feature.

+

+@subsection Isolation mechanisms

+

+Several isolation mechanisms are available to realize this architecture of

+guest isolation and the principle of least privilege. With the exception of

+Linux seccomp, these mechanisms are all deployed by management tools that

+launch QEMU, such as libvirt. They are also platform-specific so they are only

+described briefly for Linux here.

+

+The fundamental isolation mechanism is that QEMU processes must run as

+unprivileged users. Sometimes it seems more convenient to launch QEMU as

+root to give it access to host devices (e.g. @code{/dev/net/tun}) but this poses a

+huge security risk. File descriptor passing can be used to give an otherwise

+unprivileged QEMU process access to host devices without running QEMU as root.

+It is also possible to launch QEMU as a non-root user and configure UNIX groups

+for access to @code{/dev/kvm}, @code{/dev/net/tun}, and other device nodes.

+Some Linux distros already ship with UNIX groups for these devices by default.

+

+@itemize

+@item SELinux and AppArmor make it possible to confine processes beyond the

+traditional UNIX process and file permissions model. They restrict the QEMU

+process from accessing processes and files on the host system that are not

+needed by QEMU.

+

+@item Resource limits and cgroup controllers provide throughput and utilization

+limits on key resources such as CPU time, memory, and I/O bandwidth.

+

+@item Linux namespaces can be used to make process, file system, and other system

+resources unavailable to QEMU. A namespaced QEMU process is restricted to only

+those resources that were granted to it.

+

+@item Linux seccomp is available via the QEMU @option{--sandbox} option. It disables

+system calls that are not needed by QEMU, thereby reducing the host kernel

+attack surface.

+@end itemize

diff --git a/qemu-doc.texi b/qemu-doc.texi

--- a/qemu-doc.texi

+++ b/qemu-doc.texi

@@ -XXX,XX +XXX,XX @@

* QEMU Guest Agent::

* QEMU User space emulator::

* System requirements::

+* Security::

* Implementation notes::

* Deprecated features::

* Supported build platforms::

@@ -XXX,XX +XXX,XX @@ added with Linux 4.5 which is supported by the major distros. And even

if RHEL7 has kernel 3.10, KVM there has the required functionality there

to make it close to a 4.5 or newer kernel.

+@include docs/security.texi

+

@include qemu-tech.texi

@include qemu-deprecated.texi

2.21.0

From: Jules Irenge <jbi.octave@gmail.com>

Replace tab indent by four spaces to fix errors issued by checkpatch.pl tool

"ERROR: code indent should never use tabs" within "util/readline.c" file.

Signed-off-by: Jules Irenge <jbi.octave@gmail.com>

Reviewed-by: Thomas Huth <thuth@redhat.com>

Message-id: 20190401024406.10819-3-jbi.octave@gmail.com

Message-Id: <20190401024406.10819-3-jbi.octave@gmail.com>

util/readline.c | 98 ++++++++++++++++++++++++-------------------------

1 file changed, 49 insertions(+), 49 deletions(-)

diff --git a/util/readline.c b/util/readline.c

index XXXXXXX..XXXXXXX 100644

--- a/util/readline.c

+++ b/util/readline.c

@@ -XXX,XX +XXX,XX @@ static void readline_up_char(ReadLineState *rs)

int idx;

if (rs->hist_entry == 0)

-    return;

+ return;

if (rs->hist_entry == -1) {

-    /* Find latest entry */

-    for (idx = 0; idx < READLINE_MAX_CMDS; idx++) {

-     if (rs->history[idx] == NULL)

-        break;

-    }

-    rs->hist_entry = idx;

+ /* Find latest entry */

+ for (idx = 0; idx < READLINE_MAX_CMDS; idx++) {

+ if (rs->history[idx] == NULL)

+ break;

+ }

+ rs->hist_entry = idx;

}

rs->hist_entry--;

if (rs->hist_entry >= 0) {

-    pstrcpy(rs->cmd_buf, sizeof(rs->cmd_buf),

+ pstrcpy(rs->cmd_buf, sizeof(rs->cmd_buf),

rs->history[rs->hist_entry]);

-    rs->cmd_buf_index = rs->cmd_buf_size = strlen(rs->cmd_buf);

+ rs->cmd_buf_index = rs->cmd_buf_size = strlen(rs->cmd_buf);

@@ -XXX,XX +XXX,XX @@ static void readline_down_char(ReadLineState *rs)

return;

if (rs->hist_entry < READLINE_MAX_CMDS - 1 &&

rs->history[++rs->hist_entry] != NULL) {

-    pstrcpy(rs->cmd_buf, sizeof(rs->cmd_buf),

+ pstrcpy(rs->cmd_buf, sizeof(rs->cmd_buf),

rs->history[rs->hist_entry]);

} else {

rs->cmd_buf[0] = 0;

-    rs->hist_entry = -1;

+ rs->hist_entry = -1;

}

rs->cmd_buf_index = rs->cmd_buf_size = strlen(rs->cmd_buf);

@@ -XXX,XX +XXX,XX @@ static void readline_hist_add(ReadLineState *rs, const char *cmdline)

int idx;

if (cmdline[0] == '\0')

-    return;

new_entry = NULL;

if (rs->hist_entry != -1) {

-    /* We were editing an existing history entry: replace it */

-    hist_entry = rs->history[rs->hist_entry];

-    idx = rs->hist_entry;

-    if (strcmp(hist_entry, cmdline) == 0) {

-     goto same_entry;

-    }

+ /* We were editing an existing history entry: replace it */

+ hist_entry = rs->history[rs->hist_entry];

+ idx = rs->hist_entry;

+ if (strcmp(hist_entry, cmdline) == 0) {

+ goto same_entry;

+ }

}

/* Search cmdline in history buffers */

for (idx = 0; idx < READLINE_MAX_CMDS; idx++) {

-    hist_entry = rs->history[idx];

-    if (hist_entry == NULL)

-     break;

-    if (strcmp(hist_entry, cmdline) == 0) {

-    same_entry:

-     new_entry = hist_entry;

-     /* Put this entry at the end of history */

-     memmove(&rs->history[idx], &rs->history[idx + 1],

-         (READLINE_MAX_CMDS - (idx + 1)) * sizeof(char *));

-     rs->history[READLINE_MAX_CMDS - 1] = NULL;

-     for (; idx < READLINE_MAX_CMDS; idx++) {

-        if (rs->history[idx] == NULL)

-         break;

-     }

-     break;

-    }

+ hist_entry = rs->history[idx];

+ if (hist_entry == NULL)

+ break;

+ if (strcmp(hist_entry, cmdline) == 0) {

+ same_entry:

+ new_entry = hist_entry;

+ /* Put this entry at the end of history */

+ memmove(&rs->history[idx], &rs->history[idx + 1],

+ (READLINE_MAX_CMDS - (idx + 1)) * sizeof(char *));

+ rs->history[READLINE_MAX_CMDS - 1] = NULL;

+ for (; idx < READLINE_MAX_CMDS; idx++) {

+ if (rs->history[idx] == NULL)

+ break;

+ }

+ break;

+ }

}

if (idx == READLINE_MAX_CMDS) {

-    /* Need to get one free slot */

+ /* Need to get one free slot */

g_free(rs->history[0]);

-    memmove(rs->history, &rs->history[1],

-     (READLINE_MAX_CMDS - 1) * sizeof(char *));

-    rs->history[READLINE_MAX_CMDS - 1] = NULL;

-    idx = READLINE_MAX_CMDS - 1;

+ memmove(rs->history, &rs->history[1],

+ (READLINE_MAX_CMDS - 1) * sizeof(char *));

+ rs->history[READLINE_MAX_CMDS - 1] = NULL;

+ idx = READLINE_MAX_CMDS - 1;

}

if (new_entry == NULL)

new_entry = g_strdup(cmdline);

@@ -XXX,XX +XXX,XX @@ void readline_handle_byte(ReadLineState *rs, int ch)

case 8:

readline_backspace(rs);

break;

-    case 155:

+ case 155:

rs->esc_state = IS_CSI;

-     break;

+ break;

default:

if (ch >= 32) {

readline_insert_char(rs, ch);

@@ -XXX,XX +XXX,XX @@ void readline_handle_byte(ReadLineState *rs, int ch)

break;

case IS_CSI:

switch (ch) {

-    case 'A':

-    case 'F':

-     readline_up_char(rs);

-     break;

-    case 'B':

-    case 'E':

-     readline_down_char(rs);

-     break;

+ case 'A':

+ case 'F':

+ readline_up_char(rs);

+ break;

+ case 'B':

+ case 'E':

+ readline_down_char(rs);

+ break;

case 'D':

readline_backward_char(rs);

break;

2.21.0