From nobody Mon Nov 25 11:53:58 2024 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 171499451157811.609911860206353; Mon, 6 May 2024 04:21:51 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 3097F1C17; Mon, 6 May 2024 07:21:50 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 157131BD0; Mon, 6 May 2024 07:21:08 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id C1D811BB8; Mon, 6 May 2024 07:21:05 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id C2A0B1BB8 for ; Mon, 6 May 2024 07:21:04 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-257-nC-01PcsPWCClcaTbe54pA-1; Mon, 06 May 2024 07:21:01 -0400 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id D9D8729AA3AF; Mon, 6 May 2024 11:21:00 +0000 (UTC) Received: from thuth-p1g4.redhat.com (unknown [10.39.192.58]) by smtp.corp.redhat.com (Postfix) with ESMTP id 420501C060D1; Mon, 6 May 2024 11:20:59 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.7 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: nC-01PcsPWCClcaTbe54pA-1 From: Thomas Huth To: qemu-devel@nongnu.org, Paolo Bonzini Subject: [PATCH v2] qemu-options: Deprecate "-runas" and introduce "-run-with user=..." instead Date: Mon, 6 May 2024 13:20:58 +0200 Message-ID: <20240506112058.51446-1-thuth@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.7 Message-ID-Hash: 7PD6CWATFIWGHGA5DETGCUO3XEU5ARPZ X-Message-ID-Hash: 7PD6CWATFIWGHGA5DETGCUO3XEU5ARPZ X-MailFrom: thuth@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header CC: devel@lists.libvirt.org, =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Claudio Imbrenda X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1714994513428100001 The old "-runas" option has the disadvantage that it is not visible in the QAPI schema, so it is not available via the normal introspection mechanisms. We've recently introduced the "-run-with" option for exactly this purpose, which is meant to handle the options that affect the runtime behavior. Thus let's introduce a "user=3D..." parameter here now and deprecate the old "-runas" option. Signed-off-by: Thomas Huth Reviewed-by: Philippe Mathieu-Daud=C3=A9 --- v2: Add missing part in qemu-options.hx as suggested by Philippe docs/about/deprecated.rst | 6 ++++++ system/vl.c | 15 +++++++++++++++ qemu-options.hx | 15 +++++++++++---- 3 files changed, 32 insertions(+), 4 deletions(-) diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst index 3310df3274..fe69e2d44c 100644 --- a/docs/about/deprecated.rst +++ b/docs/about/deprecated.rst @@ -61,6 +61,12 @@ configurations (e.g. -smp drawers=3D1,books=3D1,clusters= =3D1 for x86 PC machine) is marked deprecated since 9.0, users have to ensure that all the topology me= mbers described with -smp are supported by the target machine. =20 +``-runas`` (since 9.1) +---------------------- + +Use ``-run-with user=3D..`` instead. + + User-mode emulator command line arguments ----------------------------------------- =20 diff --git a/system/vl.c b/system/vl.c index 7756eac81e..b031427440 100644 --- a/system/vl.c +++ b/system/vl.c @@ -773,6 +773,10 @@ static QemuOptsList qemu_run_with_opts =3D { .name =3D "chroot", .type =3D QEMU_OPT_STRING, }, + { + .name =3D "user", + .type =3D QEMU_OPT_STRING, + }, { /* end of list */ } }, }; @@ -3586,6 +3590,7 @@ void qemu_init(int argc, char **argv) break; #if defined(CONFIG_POSIX) case QEMU_OPTION_runas: + warn_report("-runas is deprecated, use '-run-with user=3D.= ..' instead"); if (!os_set_runas(optarg)) { error_report("User \"%s\" doesn't exist" " (and is not :)", @@ -3612,6 +3617,16 @@ void qemu_init(int argc, char **argv) if (str) { os_set_chroot(str); } + str =3D qemu_opt_get(opts, "user"); + if (str) { + if (!os_set_runas(str)) { + error_report("User \"%s\" doesn't exist" + " (and is not :)", + optarg); + exit(1); + } + } + break; } #endif /* CONFIG_POSIX */ diff --git a/qemu-options.hx b/qemu-options.hx index cf61f6b863..3031479a15 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4824,7 +4824,8 @@ DEF("runas", HAS_ARG, QEMU_OPTION_runas, \ SRST ``-runas user`` Immediately before starting guest execution, drop root privileges, - switching to the specified user. + switching to the specified user. This option is deprecated, use + ``-run-with user=3D...`` instead. ERST =20 DEF("prom-env", HAS_ARG, QEMU_OPTION_prom_env, @@ -4990,13 +4991,15 @@ DEF("qtest-log", HAS_ARG, QEMU_OPTION_qtest_log, ""= , QEMU_ARCH_ALL) =20 #ifdef CONFIG_POSIX DEF("run-with", HAS_ARG, QEMU_OPTION_run_with, - "-run-with [async-teardown=3Don|off][,chroot=3Ddir]\n" + "-run-with [async-teardown=3Don|off][,chroot=3Ddir][user=3Dusername|ui= d:gid]\n" " Set miscellaneous QEMU process lifecycle options:\n" " async-teardown=3Don enables asynchronous teardown (Li= nux only)\n" - " chroot=3Ddir chroot to dir just before starting the V= M\n", + " chroot=3Ddir chroot to dir just before starting the V= M\n" + " user=3Dusername switch to the specified user before s= tarting the VM\n" + " user=3Duid:gid dito, but use specified user-ID and gr= oup-ID instead\n", QEMU_ARCH_ALL) SRST -``-run-with [async-teardown=3Don|off][,chroot=3Ddir]`` +``-run-with [async-teardown=3Don|off][,chroot=3Ddir][user=3Dusername|uid:g= id]`` Set QEMU process lifecycle options. =20 ``async-teardown=3Don`` enables asynchronous teardown. A new process c= alled @@ -5013,6 +5016,10 @@ SRST ``chroot=3Ddir`` can be used for doing a chroot to the specified direc= tory immediately before starting the guest execution. This is especially us= eful in combination with -runas. + + ``user=3Dusername`` or ``user=3Duid:gid`` can be used to drop root pri= vileges + by switching to the specified user (via username) or user and group + (via uid:gid) immediately before starting guest execution. ERST #endif =20 --=20 2.45.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org