From nobody Mon Nov 25 02:50:31 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1717515243; cv=none; d=zohomail.com; s=zohoarc; b=foG0jU4Z1tUD01tVscO/7PtAw30iBrVJJUznqHG53muFt6HGDsMxawo2pbmqBPBEl++X5Gj+W4eAdHILZL4K0IEW07NQ12tKJJwtQZS7OZkWiog8/lQxiNG9nx8eeNERNVo+0e28x2lHoLGWOC3/2KNkq4evdFMrGX0XqNM3TkE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1717515243; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=nshYwZLSBkZ8aydLKTO7Ez7S8eYc459g0Uetg05gxRA=; b=lwvS67kbQjpYiRUuYM1Jnnvf0fXu0NMqFPeXdhKefLZiCvRx/Cq2ArJCufyU6aKtQ4X33DOyXzxqE78wE28qZz+WuP8qekcuJf/yL1x10Kl41Gro71b07JfzZtXYt+PkCfwhpaeSy8ryBNAjgKuCj85bTT4e6CIvLyq1Imx4DG4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1717515243179635.6840641644444; Tue, 4 Jun 2024 08:34:03 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sEW9a-0006ZE-E1; Tue, 04 Jun 2024 11:32:50 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9Z-0006Yl-HK for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:49 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9Y-0001Gt-0l for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:49 -0400 Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-630-DhOaNTAPPeCrFkdC-V9kHw-1; Tue, 04 Jun 2024 11:32:46 -0400 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id F28628007A1; Tue, 4 Jun 2024 15:32:45 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.39.194.137]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2AC58492BCF; Tue, 4 Jun 2024 15:32:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717515167; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=nshYwZLSBkZ8aydLKTO7Ez7S8eYc459g0Uetg05gxRA=; b=CHRzx1/BNekNgg3GV4OSNrbw1dSaM+lfhmJWd4woubuf5+8zFKUuhhXVbiZzHQhsKtTqGk Lsv7m4mNXv5bQ0FsmJNqrVn/5yS9R4hYoHDAYGVfbWhalZrDcILOtBw3Xwi6CC1LYrX8i9 Mx/NGwNVucjhxdiA4l59OtHwlSSF5wA= X-MC-Unique: DhOaNTAPPeCrFkdC-V9kHw-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: Markus Armbruster , Michael Roth , Konstantin Kostiuk , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 01/14] qapi: use "QAPI_FEATURE" as namespace for special features Date: Tue, 4 Jun 2024 16:32:29 +0100 Message-ID: <20240604153242.251334-2-berrange@redhat.com> In-Reply-To: <20240604153242.251334-1-berrange@redhat.com> References: <20240604153242.251334-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1717515243781100003 This more clearly distinguishes the feature constants from other QAPI constants. Signed-off-by: Daniel P. Berrang=C3=A9 --- include/qapi/util.h | 4 ++-- qapi/qapi-util.c | 4 ++-- qapi/qobject-output-visitor.c | 4 ++-- scripts/qapi/gen.py | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/include/qapi/util.h b/include/qapi/util.h index 20dfea8a54..7698e789a9 100644 --- a/include/qapi/util.h +++ b/include/qapi/util.h @@ -12,8 +12,8 @@ #define QAPI_UTIL_H =20 typedef enum { - QAPI_DEPRECATED, - QAPI_UNSTABLE, + QAPI_FEATURE_DEPRECATED, + QAPI_FEATURE_UNSTABLE, } QapiSpecialFeature; =20 typedef struct QEnumLookup { diff --git a/qapi/qapi-util.c b/qapi/qapi-util.c index 65a7d18437..6bcab11117 100644 --- a/qapi/qapi-util.c +++ b/qapi/qapi-util.c @@ -43,13 +43,13 @@ bool compat_policy_input_ok(unsigned special_features, const char *kind, const char *name, Error **errp) { - if ((special_features & 1u << QAPI_DEPRECATED) + if ((special_features & 1u << QAPI_FEATURE_DEPRECATED) && !compat_policy_input_ok1("Deprecated", policy->deprecated_input, error_class, kind, name, errp)) { return false; } - if ((special_features & (1u << QAPI_UNSTABLE)) + if ((special_features & (1u << QAPI_FEATURE_UNSTABLE)) && !compat_policy_input_ok1("Unstable", policy->unstable_input, error_class, kind, name, errp)) { diff --git a/qapi/qobject-output-visitor.c b/qapi/qobject-output-visitor.c index 74770edd73..ca8be3fe06 100644 --- a/qapi/qobject-output-visitor.c +++ b/qapi/qobject-output-visitor.c @@ -214,9 +214,9 @@ static bool qobject_output_policy_skip(Visitor *v, cons= t char *name, { CompatPolicy *pol =3D &v->compat_policy; =20 - return ((special_features & 1u << QAPI_DEPRECATED) + return ((special_features & 1u << QAPI_FEATURE_DEPRECATED) && pol->deprecated_output =3D=3D COMPAT_POLICY_OUTPUT_HIDE) - || ((special_features & 1u << QAPI_UNSTABLE) + || ((special_features & 1u << QAPI_FEATURE_UNSTABLE) && pol->unstable_output =3D=3D COMPAT_POLICY_OUTPUT_HIDE); } =20 diff --git a/scripts/qapi/gen.py b/scripts/qapi/gen.py index 6a8abe0041..9c590a1c2e 100644 --- a/scripts/qapi/gen.py +++ b/scripts/qapi/gen.py @@ -41,7 +41,7 @@ =20 =20 def gen_special_features(features: Sequence[QAPISchemaFeature]) -> str: - special_features =3D [f"1u << QAPI_{feat.name.upper()}" + special_features =3D [f"1u << QAPI_FEATURE_{feat.name.upper()}" for feat in features if feat.is_special()] return ' | '.join(special_features) or '0' =20 --=20 2.45.1 From nobody Mon Nov 25 02:50:31 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1717515229; cv=none; d=zohomail.com; s=zohoarc; b=N+8k4+N4kIQzsraZ1+lyv84fPdq6UC8jHs1TfywSSqG+LBxNPqdxMzLjLv8dj6f6OY3ClQ7FSBJt5cdKFysX0t4EdECjhk7jucww0rLV6I7qJdeCcZLpQe/5KGVC5Izt+qIY7AiBl1t1mjo3fKs3CNceF+zDO6Imy35r3A1wZGU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1717515229; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=AIaB3FlYOdNycMQI4y5Czf/Cychjn1r+a6n6QQ5ZqR4=; b=jNFBTlq9kjaDE8g1clAhqxi81/qgQsuAPAe2ccJklHgg4PzUmplpZgvawjB4RvTI5TBiCdm+j1Ev9ZnNcrUJ7/zpmNP+3C8Ubbv1uKjeTktsZRPtUd+FpMHrg8ntxkzz23rjy6VYA7Z1OizTvvt0hyCvRm/HtuWtLkIvv5/Fo3A= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1717515229695571.0207032062451; Tue, 4 Jun 2024 08:33:49 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sEW9f-0006bl-9V; Tue, 04 Jun 2024 11:32:55 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9c-0006aY-Tv for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:52 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9b-0001HS-AO for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:52 -0400 Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-346-74DsxByFOi2tuh1sCzb9aA-1; Tue, 04 Jun 2024 11:32:47 -0400 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 0056F1C0512B; Tue, 4 Jun 2024 15:32:47 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.39.194.137]) by smtp.corp.redhat.com (Postfix) with ESMTP id 30581492BCE; Tue, 4 Jun 2024 15:32:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717515170; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=AIaB3FlYOdNycMQI4y5Czf/Cychjn1r+a6n6QQ5ZqR4=; b=gSuGGebd/0cEGmW04RDSrh522ceM2jeJ2C8Ncxq0Og7DS6VnKFAXSGYK74Yn66fgOhkxSQ wbLp7IiwbC6iK+RcIbRzPEj6L8olXog7NwQRHgGtNHw6htBgCp+8IK7tYDY2lphJT+QO+w SCvWSoGf/L3wfxtybx2dihgnb9ihYbc= X-MC-Unique: 74DsxByFOi2tuh1sCzb9aA-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: Markus Armbruster , Michael Roth , Konstantin Kostiuk , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 02/14] qapi: add helper for checking if a command feature is set Date: Tue, 4 Jun 2024 16:32:30 +0100 Message-ID: <20240604153242.251334-3-berrange@redhat.com> In-Reply-To: <20240604153242.251334-1-berrange@redhat.com> References: <20240604153242.251334-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1717515231703100002 The 'qmp_command_has_feature' method returns true if the requested feature has been set. Signed-off-by: Daniel P. Berrang=C3=A9 --- include/qapi/qmp/dispatch.h | 1 + qapi/qmp-registry.c | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/include/qapi/qmp/dispatch.h b/include/qapi/qmp/dispatch.h index f2e956813a..0dfcb549b6 100644 --- a/include/qapi/qmp/dispatch.h +++ b/include/qapi/qmp/dispatch.h @@ -51,6 +51,7 @@ void qmp_disable_command(QmpCommandList *cmds, const char= *name, void qmp_enable_command(QmpCommandList *cmds, const char *name); =20 bool qmp_command_is_enabled(const QmpCommand *cmd); +bool qmp_command_has_feature(const QmpCommand *cmd, unsigned feature); bool qmp_command_available(const QmpCommand *cmd, Error **errp); const char *qmp_command_name(const QmpCommand *cmd); bool qmp_has_success_response(const QmpCommand *cmd); diff --git a/qapi/qmp-registry.c b/qapi/qmp-registry.c index 485bc5e6fc..392f0e5c5a 100644 --- a/qapi/qmp-registry.c +++ b/qapi/qmp-registry.c @@ -74,6 +74,11 @@ bool qmp_command_is_enabled(const QmpCommand *cmd) return cmd->enabled; } =20 +bool qmp_command_has_feature(const QmpCommand *cmd, unsigned feature) +{ + return cmd->special_features & feature; +} + const char *qmp_command_name(const QmpCommand *cmd) { return cmd->name; --=20 2.45.1 From nobody Mon Nov 25 02:50:31 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1717515215; cv=none; d=zohomail.com; s=zohoarc; b=nAoHhSbcgtZKdkX4BxPHeA1VRMFEv2Qxy6BDfkW49lzeVcM80Mkk8JIPK79TVDI9k0BDhWLEbaXclnzLdCYqYPHUsElz5K32Ze8p/8S8nxmgYy7Wk5c+bK05EBI2XBuOeByCADj2rvenllj+hLZpw+aYOetdvw9sMNISPjsjmJ0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1717515215; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=gteA63eoWPVp9NrJaZ7KLSuF00Gzpd2/hhrYyYjOdJQ=; b=USaoRgWWMKLD3Q+NBqa0QQM16THEswYxhaZx6c6fVzUpR2LbwmwmTD8CvNwE26gPvxhl3zwm6XUgdZunGgJZDRRfRjqnM3tRAav32DJWm4Vo4NmOJQJ8/WsUwMTTBF8s7vWianqJXrofKCQLYSbW5rx1YmcyH7dDpY/c86PgORs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1717515215075323.3106036764; Tue, 4 Jun 2024 08:33:35 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sEW9f-0006cw-Ui; Tue, 04 Jun 2024 11:32:56 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9e-0006b8-59 for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:54 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9c-0001HY-BU for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:53 -0400 Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-670-Jlhy6BRIMFeDbi_8SnqIOA-1; Tue, 04 Jun 2024 11:32:48 -0400 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 060FE800074; Tue, 4 Jun 2024 15:32:48 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.39.194.137]) by smtp.corp.redhat.com (Postfix) with ESMTP id 33D24492BD5; Tue, 4 Jun 2024 15:32:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717515171; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=gteA63eoWPVp9NrJaZ7KLSuF00Gzpd2/hhrYyYjOdJQ=; b=eYbd7SuI4iyPqbkHIt5x/uFQ/k4Zdp5VafSNBkkwljPdW6y7ShNr7qyDyfJF2/IRHJXeer CTfmHBt5MLVcByBhoiP/VYZvXxuI94omUW3I88Xm8JpP9B1x0dZ6IMNNufjq/LPa7Gd8QJ eF7NSivOOCsdgl0P+FppF6vnZx1M3yA= X-MC-Unique: Jlhy6BRIMFeDbi_8SnqIOA-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: Markus Armbruster , Michael Roth , Konstantin Kostiuk , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 03/14] qapi: cope with special feature names containing a '-' Date: Tue, 4 Jun 2024 16:32:31 +0100 Message-ID: <20240604153242.251334-4-berrange@redhat.com> In-Reply-To: <20240604153242.251334-1-berrange@redhat.com> References: <20240604153242.251334-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1717515216062100011 When we shortly allow custom special feature names to be defined, it will be valid to include a '-', which must be translated to a '_' when generating code. Signed-off-by: Daniel P. Berrang=C3=A9 --- scripts/qapi/gen.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/qapi/gen.py b/scripts/qapi/gen.py index 9c590a1c2e..650efc59ed 100644 --- a/scripts/qapi/gen.py +++ b/scripts/qapi/gen.py @@ -41,7 +41,7 @@ =20 =20 def gen_special_features(features: Sequence[QAPISchemaFeature]) -> str: - special_features =3D [f"1u << QAPI_FEATURE_{feat.name.upper()}" + special_features =3D [f"1u << QAPI_FEATURE_{feat.name.upper().replace(= '-','_')}" for feat in features if feat.is_special()] return ' | '.join(special_features) or '0' =20 --=20 2.45.1 From nobody Mon Nov 25 02:50:31 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1717515215; cv=none; d=zohomail.com; s=zohoarc; b=LsKKTz1mP3tDgacaocWV+tzP7MoosKQPw/Y9x6KARpDXQBaQkFTBQz/hVKj35t88zUqZC/0JrQejDrIpWG3UnJtzmRpjYywoYwHhP0BCC0Ji7I4e/bV5coH8cexe/e6oGG+KJL3Mzp9lu8EamHOvGrEhuG8O9grDmq7wdQK7m6E= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1717515215; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=o7tJ3bO80lxZEewEVW7HLEMavqplS8Nmt28huutAp+I=; b=VMD+T6KTTrb+6vZQMpIH/OmISguBz0ZRNzoQVTpxDqcbmovTuc13hfGwRnS6cOvpdnaTUnu+LZsGQYPhFZEkd3DBE4yxTrVSvTCvS5CltpaD5dikFyZWldqXsilOG9Lk6qlWlJsU2LPkrjulehIpXV8Plv7O6zQscMwX2K+jNug= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1717515215043880.0972956292901; Tue, 4 Jun 2024 08:33:35 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sEW9j-0006g4-PH; Tue, 04 Jun 2024 11:32:59 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9i-0006f7-1P for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:58 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9g-0001IO-Gy for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:57 -0400 Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-385-zmBY7pfqOZ2cBayljcoVew-1; Tue, 04 Jun 2024 11:32:49 -0400 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 09104185A78E; Tue, 4 Jun 2024 15:32:49 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.39.194.137]) by smtp.corp.redhat.com (Postfix) with ESMTP id 380BE492BCE; Tue, 4 Jun 2024 15:32:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717515175; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=o7tJ3bO80lxZEewEVW7HLEMavqplS8Nmt28huutAp+I=; b=XuCudweGB4WE30ePzAXCMJrAbNjAQCGRE8Vi/wEniuRnXT+f/wahuNuCB2BWPC/tl/uvbn EFjgSmi//abmljfJlcZ/YnbOjUEpv2lyG+/fA12opaxuOGl8aZq5EMAT7PHS4Bg6KZm5cr pgg2DLG0VlGQYlXhWIX46QyefX7ZvkI= X-MC-Unique: zmBY7pfqOZ2cBayljcoVew-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: Markus Armbruster , Michael Roth , Konstantin Kostiuk , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 04/14] qapi: add a 'command-features' pragma Date: Tue, 4 Jun 2024 16:32:32 +0100 Message-ID: <20240604153242.251334-5-berrange@redhat.com> In-Reply-To: <20240604153242.251334-1-berrange@redhat.com> References: <20240604153242.251334-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1717515215998100007 The 'command-features' pragma allows for defining additional special features that are unique to a particular QAPI schema instance and its implementation. Signed-off-by: Daniel P. Berrang=C3=A9 --- scripts/qapi/parser.py | 2 ++ scripts/qapi/source.py | 2 ++ 2 files changed, 4 insertions(+) diff --git a/scripts/qapi/parser.py b/scripts/qapi/parser.py index 7b13a583ac..36a9046243 100644 --- a/scripts/qapi/parser.py +++ b/scripts/qapi/parser.py @@ -243,6 +243,8 @@ def check_list_str(name: str, value: object) -> List[st= r]: pragma.documentation_exceptions =3D check_list_str(name, value) elif name =3D=3D 'member-name-exceptions': pragma.member_name_exceptions =3D check_list_str(name, value) + elif name =3D=3D 'command-features': + pragma.command_features =3D check_list_str(name, value) else: raise QAPISemError(info, "unknown pragma '%s'" % name) =20 diff --git a/scripts/qapi/source.py b/scripts/qapi/source.py index 7b379fdc92..07c2958ac4 100644 --- a/scripts/qapi/source.py +++ b/scripts/qapi/source.py @@ -28,6 +28,8 @@ def __init__(self) -> None: self.documentation_exceptions: List[str] =3D [] # Types whose member names may violate case conventions self.member_name_exceptions: List[str] =3D [] + # Arbitrary extra features recorded against commands + self.command_features: List[str] =3D [] =20 =20 class QAPISourceInfo: --=20 2.45.1 From nobody Mon Nov 25 02:50:31 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1717515257; cv=none; d=zohomail.com; s=zohoarc; b=PVGiW2bM0u+ZZqfLVO1D+g25zk8qBTCSOOdly9vzV02x9l50Yta5nWQ0jkno0UZrPT9P6MQGwb0xPo0F6s4E/T8Am0Pm2arlDAhs2KKyVcMYlT1543VE44PQdtVaqk8GI8i7lci0iX1n8Y2YYmtmIsi8XJsCO1Pb8+P/2bdLxcU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1717515257; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=4adVHmCbzeBezujTwCZuobD70x9l5Rn6nXDmdzXRVJg=; b=d9Z9HVPgf6ijX8A6yY6dlrTqGlzfgaL/veED88/Dqig+H5DYd0Hq43rg8aAoC0HqhBkb5HZREiv+xCqWUjeupMoKZR27dI54wI7//Wydg/UunZyotv7b4fvcgmL5jPqz5UvGJH4jLGk9mExdN+ec/fkoS5Muyft9q8qVQ1UM0IU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1717515257884692.6534967390885; Tue, 4 Jun 2024 08:34:17 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sEW9h-0006eH-2m; Tue, 04 Jun 2024 11:32:57 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9e-0006bI-SD for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:54 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9d-0001Hb-6B for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:54 -0400 Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-142-GCiby5NiPgqCeFAws9BTJA-1; Tue, 04 Jun 2024 11:32:50 -0400 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 0BFA829ABA01; Tue, 4 Jun 2024 15:32:50 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.39.194.137]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3B142492BD3; Tue, 4 Jun 2024 15:32:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717515172; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=4adVHmCbzeBezujTwCZuobD70x9l5Rn6nXDmdzXRVJg=; b=DIdSeb87OZKmox+H3KZi3eoextxl5QELTgiR9ayICS6DMWHn91CZjEwyIhmJkExyTFex0e iP8XhBFJzom5bKgAlibyYurhPtDqsENLL+8fuYcqen07NFV6eMOZe8OFimnbCl3Wr1FJOr bW1AjujSsYAHWagsfZVQhg7RYyHT2Ww= X-MC-Unique: GCiby5NiPgqCeFAws9BTJA-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: Markus Armbruster , Michael Roth , Konstantin Kostiuk , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 05/14] qapi: stop hardcoding list of special features Date: Tue, 4 Jun 2024 16:32:33 +0100 Message-ID: <20240604153242.251334-6-berrange@redhat.com> In-Reply-To: <20240604153242.251334-1-berrange@redhat.com> References: <20240604153242.251334-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1717515259910100003 Use the additional list of special features for commands, previously defined by a pragma, to augment the standard 'unstable' and 'deprecated' ones. Signed-off-by: Daniel P. Berrang=C3=A9 --- scripts/qapi/schema.py | 33 ++++++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/scripts/qapi/schema.py b/scripts/qapi/schema.py index 721c470d2b..b83a9bdcb7 100644 --- a/scripts/qapi/schema.py +++ b/scripts/qapi/schema.py @@ -932,8 +932,18 @@ def connect_doc(self, doc: Optional[QAPIDoc]) -> None: class QAPISchemaFeature(QAPISchemaMember): role =3D 'feature' =20 + def __init__( + self, + name: str, + info: Optional[QAPISourceInfo], + ifcond: Optional[QAPISchemaIfCond] =3D None, + special: bool =3D False, + ): + super().__init__(name, info, ifcond) + self.special =3D special + def is_special(self) -> bool: - return self.name in ('deprecated', 'unstable') + return self.special =20 =20 class QAPISchemaObjectTypeMember(QAPISchemaMember): @@ -1143,6 +1153,9 @@ def __init__(self, fname: str): self._predefining =3D True self._def_predefineds() self._predefining =3D False + self._custom_special_features: Dict[str, List[str]] =3D { + 'command': parser.info.pragma.command_features + } self._def_exprs(exprs) self.check() =20 @@ -1254,12 +1267,21 @@ def _make_features( self, features: Optional[List[Dict[str, Any]]], info: Optional[QAPISourceInfo], + custom_special_features: Optional[List[str]] =3D [], ) -> List[QAPISchemaFeature]: if features is None: return [] - return [QAPISchemaFeature(f['name'], info, - QAPISchemaIfCond(f.get('if'))) - for f in features] + ret =3D [] + for f in features: + name =3D f['name'] + special =3D name in ["unstable", "deprecated"] + if custom_special_features is not None: + if name in custom_special_features: + special =3D True + ret.append(QAPISchemaFeature(name, info, + QAPISchemaIfCond(f.get('if')), + special)) + return ret =20 def _make_enum_member( self, @@ -1430,7 +1452,8 @@ def _def_command(self, expr: QAPIExpression) -> None: coroutine =3D expr.get('coroutine', False) ifcond =3D QAPISchemaIfCond(expr.get('if')) info =3D expr.info - features =3D self._make_features(expr.get('features'), info) + features =3D self._make_features(expr.get('features'), info, + self._custom_special_features['comm= and']) if isinstance(data, OrderedDict): data =3D self._make_implicit_object_type( name, info, ifcond, --=20 2.45.1 From nobody Mon Nov 25 02:50:31 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1717515280; cv=none; d=zohomail.com; s=zohoarc; b=EZ7hvjbyQdo5GLan1mDOE+EQE1U3dDOncvACsMgLb42AR2uF2WNKgaQOsjHBTZi5PhwlLnDWcDaFmMoRJbSJV4TqPGoDwxc7j1oEM2BMMIA+L95oKVdb00pAw7zAc2Osyo0zDkqHfvhl1Zr5+lug/K3WNC8gdIxF3yVqgYmmL6o= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1717515280; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=LhJGSDZ4EPSyDcTb/UIgC5oAmgl4HhjH70MRGxKNRxY=; b=kuU1I/QolDp2QE2XLcU1Vnxh7bKK/aN/0vt341zkQEa8aM72cksX+o9PF2WhGE5PjX0wNHH2ZE6515Q4MpGbeyE34F6nn5pv14dTIc0dPz4SjrzCqIpI9ZZCI80nZF44hlBpJJeot/YJShUsYvc/MSyYnKfwHbluwFjDyXRzpMU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1717515280066503.56308282061536; Tue, 4 Jun 2024 08:34:40 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sEW9i-0006ex-0l; Tue, 04 Jun 2024 11:32:58 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9f-0006bz-Db for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:55 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9d-0001Hs-Qt for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:55 -0400 Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-445-sWAXfsigPTayNG6KmBO86Q-1; Tue, 04 Jun 2024 11:32:51 -0400 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 1186A3801F4A; Tue, 4 Jun 2024 15:32:51 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.39.194.137]) by smtp.corp.redhat.com (Postfix) with ESMTP id 40A00492BD6; Tue, 4 Jun 2024 15:32:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717515172; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LhJGSDZ4EPSyDcTb/UIgC5oAmgl4HhjH70MRGxKNRxY=; b=M8uRtmoBPhspYrNVuSCsbwmekBibtWC3h49nzkPy76D44zsfoebvI7gqtfsD+hlDR7cXX6 aDbyAMYvolnllKBX9ofKjQKfMP93vqll5BBgdlmRIs7aVyHhiZ8jzwT8+tw0GW6QMkSi0Q GXggpx1SuQECYe72URlpi2ye+lgafkU= X-MC-Unique: sWAXfsigPTayNG6KmBO86Q-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: Markus Armbruster , Michael Roth , Konstantin Kostiuk , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 06/14] qapi: define enum for custom special features on commands Date: Tue, 4 Jun 2024 16:32:34 +0100 Message-ID: <20240604153242.251334-7-berrange@redhat.com> In-Reply-To: <20240604153242.251334-1-berrange@redhat.com> References: <20240604153242.251334-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1717515282071100015 In order to register custom special features against a command, they have to have enum constants defined. The defined constant values start where the last built-in special feature stops. Signed-off-by: Daniel P. Berrang=C3=A9 --- include/qapi/util.h | 2 ++ scripts/qapi/commands.py | 20 ++++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/include/qapi/util.h b/include/qapi/util.h index 7698e789a9..3c3c9e401c 100644 --- a/include/qapi/util.h +++ b/include/qapi/util.h @@ -14,6 +14,8 @@ typedef enum { QAPI_FEATURE_DEPRECATED, QAPI_FEATURE_UNSTABLE, + + QAPI_FEATURE_BUILT_IN_LAST, } QapiSpecialFeature; =20 typedef struct QEnumLookup { diff --git a/scripts/qapi/commands.py b/scripts/qapi/commands.py index 79951a841f..50a60968d4 100644 --- a/scripts/qapi/commands.py +++ b/scripts/qapi/commands.py @@ -347,7 +347,27 @@ def visit_begin(self, schema: QAPISchema) -> None: self._add_module('./init', ' * QAPI Commands initialization') self._genh.add(mcgen(''' #include "qapi/qmp/dispatch.h" +''')) + + features =3D schema._custom_special_features['command'] + if len(features) > 0: + self._genh.add(mcgen(''' + +typedef enum { +''')) + suffix =3D " =3D QAPI_FEATURE_BUILT_IN_LAST" + for f in features: + self._genh.add(mcgen(''' + QAPI_FEATURE_%(name)s%(suffix)s, +''', suffix=3Dsuffix, name=3Df.upper().replace('-', '_'))) + suffix =3D "" =20 + self._genh.add(mcgen(''' +} QapiSpecialFeatureCustom; + +''')) + + self._genh.add(mcgen(''' void %(c_prefix)sqmp_init_marshal(QmpCommandList *cmds); ''', c_prefix=3Dc_name(self._prefix, protect=3DFal= se))) --=20 2.45.1 From nobody Mon Nov 25 02:50:31 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1717515232; cv=none; d=zohomail.com; s=zohoarc; b=BP799OWnj4PDS7NYTs2tDW4XFkTOXe49zV81/Bht0mcHuGU1mAel9xLRIwYqvdKqpIlNIw95H6hOhXb7WG6HkaZg9kvPC15reQJNpBKo4SIWx27seo5WLmBY7kGQyW4dTUV67w0RRSd3HWtflxvSMgRGEWdWdZwmJR/GC5pad30= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1717515232; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=LZ7XhB389gErPmQqZrRj2jtKor6/J0PzR8obW4Gr+Tc=; b=F3nBK069ZaRdZ7IiLkS0aImE77Hu+d2lIwgHOjGAzJP8KGj3ZksXLm3m3ioO68biTtE/S+/nVbaLl5gdhiWKYO6qTccGnL7aVMBhSCUZpE0QAkuGOgUIAjzAnHDhGS7zOkaDiZbmVjMWYP4x6mIhevmq3x230IJm6dwb5MPO+Jc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1717515232596196.82071140892845; Tue, 4 Jun 2024 08:33:52 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sEW9l-0006hD-Il; Tue, 04 Jun 2024 11:33:01 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9j-0006fw-Jo for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:59 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9h-0001Ie-6w for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:59 -0400 Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-365-DmXzJVklM1206VFxXgpsnQ-1; Tue, 04 Jun 2024 11:32:53 -0400 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 29A541C05130; Tue, 4 Jun 2024 15:32:52 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.39.194.137]) by smtp.corp.redhat.com (Postfix) with ESMTP id 452BF492BD5; Tue, 4 Jun 2024 15:32:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717515176; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=LZ7XhB389gErPmQqZrRj2jtKor6/J0PzR8obW4Gr+Tc=; b=VhTQttFME+i7FaLMiXqskUBmLJwXR9iQhcaOrD2RuE7LlY0naPHtqu/5c1lqRfQ3wch29C q03nsT8Rg5qOkKiWTNnn7+hJWg7HIO9+iHFnkWt7bd0jjjdxqUuPT4mKXXKkW8ESee6Kil VQEyVl8iNRWwmm37dTrt1hDVeMw61Fw= X-MC-Unique: DmXzJVklM1206VFxXgpsnQ-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: Markus Armbruster , Michael Roth , Konstantin Kostiuk , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 07/14] qga: use special feature to mark those that can run when FS are frozen Date: Tue, 4 Jun 2024 16:32:35 +0100 Message-ID: <20240604153242.251334-8-berrange@redhat.com> In-Reply-To: <20240604153242.251334-1-berrange@redhat.com> References: <20240604153242.251334-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1717515233723100007 Currently a list of commands which are safe to run when FS are frozen is hardcoded in the source. Now that the QAPI schema allows custom special features, a 'fs-frozen' feature can be added to track this metadata. This has the benefit that the restrictions on commands permitted when frozen are now recorded in the QGA generated documentation. Signed-off-by: Daniel P. Berrang=C3=A9 --- qga/main.c | 22 ++-------------------- qga/qapi-schema.json | 44 +++++++++++++++++++++++++++++++++++++++----- 2 files changed, 41 insertions(+), 25 deletions(-) diff --git a/qga/main.c b/qga/main.c index c7b7b0a9bc..7bf5ec49ba 100644 --- a/qga/main.c +++ b/qga/main.c @@ -128,17 +128,6 @@ struct GAState { struct GAState *ga_state; QmpCommandList ga_commands; =20 -/* commands that are safe to issue while filesystems are frozen */ -static const char *ga_freeze_allowlist[] =3D { - "guest-ping", - "guest-info", - "guest-sync", - "guest-sync-delimited", - "guest-fsfreeze-status", - "guest-fsfreeze-thaw", - NULL -}; - #ifdef _WIN32 DWORD WINAPI service_ctrl_handler(DWORD ctrl, DWORD type, LPVOID data, LPVOID ctx); @@ -421,7 +410,6 @@ static gint ga_strcmp(gconstpointer str1, gconstpointer= str2) =20 static bool ga_command_is_allowed(const QmpCommand *cmd, GAState *state) { - int i =3D 0; GAConfig *config =3D state->config; const char *name =3D qmp_command_name(cmd); /* Fallback policy is allow everything */ @@ -453,15 +441,9 @@ static bool ga_command_is_allowed(const QmpCommand *cm= d, GAState *state) * If frozen, this filtering must take priority over * absolutely everything */ - if (state->frozen) { + if (state->frozen && + !qmp_command_has_feature(cmd, QAPI_FEATURE_FS_FROZEN)) { allowed =3D false; - - while (ga_freeze_allowlist[i] !=3D NULL) { - if (strcmp(name, ga_freeze_allowlist[i]) =3D=3D 0) { - allowed =3D true; - } - i++; - } } =20 return allowed; diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json index 571be3a914..8b1eff3abc 100644 --- a/qga/qapi-schema.json +++ b/qga/qapi-schema.json @@ -36,7 +36,11 @@ 'guest-sync-delimited' ], # Types and commands with undocumented members: 'documentation-exceptions': [ - 'GuestNVMeSmart' ] } } + 'GuestNVMeSmart' ], + 'command-features': [ + # Commands permitted while FS are frozen + 'fs-frozen' + ] } } =20 ## # @guest-sync-delimited: @@ -67,11 +71,16 @@ # # Returns: The unique integer id passed in by the client # +# Features: +# +# @fs-frozen: permitted to execute when filesystems are frozen +# # Since: 1.1 ## { 'command': 'guest-sync-delimited', 'data': { 'id': 'int' }, - 'returns': 'int' } + 'returns': 'int', + 'features': [ 'fs-frozen'] } =20 ## # @guest-sync: @@ -104,20 +113,30 @@ # # Returns: The unique integer id passed in by the client # +# Features: +# +# @fs-frozen: permitted to execute when filesystems are frozen +# # Since: 0.15.0 ## { 'command': 'guest-sync', 'data': { 'id': 'int' }, - 'returns': 'int' } + 'returns': 'int', + 'features': [ 'fs-frozen'] } =20 ## # @guest-ping: # # Ping the guest agent, a non-error return implies success # +# Features: +# +# @fs-frozen: permitted to execute when filesystems are frozen +# # Since: 0.15.0 ## -{ 'command': 'guest-ping' } +{ 'command': 'guest-ping', + 'features': [ 'fs-frozen'] } =20 ## # @guest-get-time: @@ -196,10 +215,15 @@ # # Returns: @GuestAgentInfo # +# Features: +# +# @fs-frozen: permitted when filesystems are frozen +# # Since: 0.15.0 ## { 'command': 'guest-info', - 'returns': 'GuestAgentInfo' } + 'returns': 'GuestAgentInfo', + 'features': [ 'fs-frozen'] } =20 ## # @guest-shutdown: @@ -426,10 +450,15 @@ # Note: This may fail to properly report the current state as a result # of some other guest processes having issued an fs freeze/thaw. # +# Features: +# +# @fs-frozen: permitted when filesystems are frozen +# # Since: 0.15.0 ## { 'command': 'guest-fsfreeze-status', 'returns': 'GuestFsfreezeStatus', + 'features': [ 'fs-frozen'], 'if': { 'any': ['CONFIG_WIN32', 'CONFIG_FSFREEZE'] } } =20 ## @@ -488,10 +517,15 @@ # filesystems were unfrozen before this call, and that the # filesystem state may have changed before issuing this command. # +# Features: +# +# @fs-frozen: permitted when filesystems are frozen +# # Since: 0.15.0 ## { 'command': 'guest-fsfreeze-thaw', 'returns': 'int', + 'features': [ 'fs-frozen'], 'if': { 'any': ['CONFIG_WIN32', 'CONFIG_FSFREEZE'] } } =20 ## --=20 2.45.1 From nobody Mon Nov 25 02:50:31 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1717515278; cv=none; d=zohomail.com; s=zohoarc; b=aw5yefxHn9bWasbc8I7r1j4N5gnWpTUlgYcdxrHTLy4OqGczHaOGDTBJASTO/Oys2KqSrhV9RkecoG+FPjypxp/K/HFQy/6dwMYjabJcaGgVWNeEWOei6fDgGeNO4NEGrLwS8Aw43MUOCn2fufA2XBCO5Ulf1Yw7tdEaRxZe4Yk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1717515278; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=PC9b9zdl5x37neT0fm6L/j00JU90/UGjPDU7u57umto=; b=LHCYt5DirmQbPfhQgY2sRTza+qwr4B12AHAbsf1ejQJAlQv3N75KfXhX3UwdewqmnbfMeUXI8YoPYpSpWy/ljlwOWWF4WaE4uYfGsnmLMqXDqiZ7HASnWf6iuWuOVuSblkl77oALYG/MxuLselE2Qygl9qljRU6VoyY+2Kan0aE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1717515278112777.389490092514; Tue, 4 Jun 2024 08:34:38 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sEW9l-0006h4-3B; Tue, 04 Jun 2024 11:33:01 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9j-0006fh-Al for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:59 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9g-0001IZ-Ub for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:59 -0400 Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-481-UfIxTNOIO5KySLij-riYcw-1; Tue, 04 Jun 2024 11:32:53 -0400 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 33BE81C05131; Tue, 4 Jun 2024 15:32:53 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.39.194.137]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5EC4A492BD5; Tue, 4 Jun 2024 15:32:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717515176; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=PC9b9zdl5x37neT0fm6L/j00JU90/UGjPDU7u57umto=; b=iUWAGMqG8K2JQXO8/hpG28QxAoe0KqQ1s3jf9zO3fphr90tVbaRpBDv2Ed2AxC7U1vyqQk Ll5TKXLtqDdX7kSvWzjZdKZb2urjGu8JOhQsZ26ge6rbvVVZ9XKs8+JDLUCCobTS0xLohN PZ55dmy25qEMYt+TP3avdjFv3mcBY1c= X-MC-Unique: UfIxTNOIO5KySLij-riYcw-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: Markus Armbruster , Michael Roth , Konstantin Kostiuk , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 08/14] qga: add command line to limit commands for confidential guests Date: Tue, 4 Jun 2024 16:32:36 +0100 Message-ID: <20240604153242.251334-9-berrange@redhat.com> In-Reply-To: <20240604153242.251334-1-berrange@redhat.com> References: <20240604153242.251334-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1717515280084100007 When running in a confidential guest, a very large number of QGA commands are unsafe to permit, since they can be used to violate the privacy of the guest. This introduces a new command line "--confidential" / "-i" which, if set, will run the guest in confidential mode, which should avoid leaking information to the host, while still allowing important VM mgmt tasks to be performed. Signed-off-by: Daniel P. Berrang=C3=A9 --- qga/main.c | 14 ++++++++++++++ qga/qapi-schema.json | 5 ++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/qga/main.c b/qga/main.c index 7bf5ec49ba..12b91eb713 100644 --- a/qga/main.c +++ b/qga/main.c @@ -86,6 +86,7 @@ struct GAConfig { gchar *aliststr; /* allowedrpcs may point to this string */ GList *blockedrpcs; GList *allowedrpcs; + bool only_confidential; int daemonize; GLogLevelFlags log_level; int dumpconf; @@ -415,6 +416,15 @@ static bool ga_command_is_allowed(const QmpCommand *cm= d, GAState *state) /* Fallback policy is allow everything */ bool allowed =3D true; =20 + /* + * If running in confidential mode, block commands that + * would violate guest data privacy + */ + if (config->only_confidential && + !qmp_command_has_feature(cmd, QAPI_FEATURE_CONFIDENTIAL)) { + allowed =3D false; + } + if (config->allowedrpcs) { /* * If an allow-list is given, this changes the fallback @@ -1197,6 +1207,7 @@ static void config_parse(GAConfig *config, int argc, = char **argv) #endif { "statedir", 1, NULL, 't' }, { "retry-path", 0, NULL, 'r' }, + { "confidential", 0, NULL, 'i' }, { NULL, 0, NULL, 0 } }; =20 @@ -1293,6 +1304,9 @@ static void config_parse(GAConfig *config, int argc, = char **argv) } break; #endif + case 'i': + config->only_confidential =3D true; + break; case 'h': usage(argv[0]); exit(EXIT_SUCCESS); diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json index 8b1eff3abc..9a213dfc06 100644 --- a/qga/qapi-schema.json +++ b/qga/qapi-schema.json @@ -39,7 +39,10 @@ 'GuestNVMeSmart' ], 'command-features': [ # Commands permitted while FS are frozen - 'fs-frozen' + 'fs-frozen', + # Commands which do not violate privacy + # of a confidential guest + 'confidential' ] } } =20 ## --=20 2.45.1 From nobody Mon Nov 25 02:50:31 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1717515278; cv=none; d=zohomail.com; s=zohoarc; b=jdH439jkIV+dDU0ON6IG+qiLlVZOZgnXOO0CE9X7N37EXz5Y/blV1bF6xQ9M6hvcqJNhugRksq4pcI1gCC9NfxGqxDEcb2TSfAQhvklUh7csP0XZR4Pgs99X+yEbnpIVZC/SLvlBGkVNCRi6irljBkYDndbyu2XM0C4NiVWV2qQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1717515278; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=NhNOG2TNYSsOZ5fCIRNGn6C26A53X/WFY2Ybv9oatgc=; b=HUAt/R0rcJL02DJaRLLs2RgDQBsvBZJTibJSPLxuQpMzByjq6TC3lobAl5ySBel8RvVcFfZzjIHOoXuUlhfBzXlrX9o+cst2U13Fl954+MFuzUzXLLqbkXCtCyX7drD493Lu9Ch2ptqkvg9kIpFal9iOEsnmoUp+mYrTxcNgxqI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1717515278301920.9473195269848; Tue, 4 Jun 2024 08:34:38 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sEW9l-0006hE-IW; Tue, 04 Jun 2024 11:33:01 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9j-0006gB-Ul for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:59 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9h-0001Ic-45 for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:59 -0400 Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-319-l8vD4VqlP3aDUFh1B_7GcA-1; Tue, 04 Jun 2024 11:32:54 -0400 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 8096385A588; Tue, 4 Jun 2024 15:32:54 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.39.194.137]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6A88D492BD5; Tue, 4 Jun 2024 15:32:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717515176; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=NhNOG2TNYSsOZ5fCIRNGn6C26A53X/WFY2Ybv9oatgc=; b=dUR57LnYaZeNLgtshUbUomN1s1nMUzvAGTp8eDmaFvdAreye+Lz9rlM7sq71W3qiEc2K5X fbnNMkwQkMWfQ7F7RWQSmIiez5HI73XNtwg/NVpzsfQx1kovarCsAHvmT8tjT7e+5yQPjs 425Bdor2UcNAkAm88DEOLy3BFuV5D1c= X-MC-Unique: l8vD4VqlP3aDUFh1B_7GcA-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: Markus Armbruster , Michael Roth , Konstantin Kostiuk , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 09/14] qga: define commands which can be run in confidential mode Date: Tue, 4 Jun 2024 16:32:37 +0100 Message-ID: <20240604153242.251334-10-berrange@redhat.com> In-Reply-To: <20240604153242.251334-1-berrange@redhat.com> References: <20240604153242.251334-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1717515280166100010 This adds the 'confidential' feature tag to the commands which are safe to permit in confidential VMs. In a confidential virt scenario, the host must not be permitted to modify guest data, nor request information that could compromise guest data. This effectively limits the QGA to commands which either are part of the QGA operation, or are related to modifying virtual hardware to assist in a host mgmt tasks. This results in the following being permitted * guest-sync * guest-sync-delimited * guest-ping * guest-get-time * guest-set-time * guest-info * guest-shutdown * guest-fsfreeze-status * guest-fsfreeze-freeze * guest-fsfreeze-freeze-list * guest-fsfreeze-thaw * guest-fstrim * guest-suspend-disk * guest-suspend-ram * guest-suspend-hybrid * guest-get-vcpus * guest-set-vcpus * guest-get-memory-blocks * guest-set-memory-blocks * guest-get-memory-block-info * guest-get-host-name * guest-get-cpustats Signed-off-by: Daniel P. Berrang=C3=A9 --- qga/qapi-schema.json | 117 +++++++++++++++++++++++++++++++++++++++---- 1 file changed, 107 insertions(+), 10 deletions(-) diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json index 9a213dfc06..48ea95cdba 100644 --- a/qga/qapi-schema.json +++ b/qga/qapi-schema.json @@ -78,12 +78,14 @@ # # @fs-frozen: permitted to execute when filesystems are frozen # +# @confidential: permitted when running inside a confidential VM +# # Since: 1.1 ## { 'command': 'guest-sync-delimited', 'data': { 'id': 'int' }, 'returns': 'int', - 'features': [ 'fs-frozen'] } + 'features': [ 'fs-frozen', 'confidential' ] } =20 ## # @guest-sync: @@ -120,12 +122,14 @@ # # @fs-frozen: permitted to execute when filesystems are frozen # +# @confidential: permitted when running inside a confidential VM +# # Since: 0.15.0 ## { 'command': 'guest-sync', 'data': { 'id': 'int' }, 'returns': 'int', - 'features': [ 'fs-frozen'] } + 'features': [ 'fs-frozen', 'confidential' ] } =20 ## # @guest-ping: @@ -136,10 +140,12 @@ # # @fs-frozen: permitted to execute when filesystems are frozen # +# @confidential: permitted when running inside a confidential VM +# # Since: 0.15.0 ## { 'command': 'guest-ping', - 'features': [ 'fs-frozen'] } + 'features': [ 'fs-frozen', 'confidential' ] } =20 ## # @guest-get-time: @@ -149,10 +155,15 @@ # # Returns: Time in nanoseconds. # +# Features: +# +# @confidential: permitted when running inside a confidential VM +# # Since: 1.5 ## { 'command': 'guest-get-time', - 'returns': 'int' } + 'returns': 'int', + 'features': [ 'confidential' ] } =20 ## # @guest-set-time: @@ -175,10 +186,15 @@ # @time: time of nanoseconds, relative to the Epoch of 1970-01-01 in # UTC. # +# Features: +# +# @confidential: permitted when running inside a confidential VM +# # Since: 1.5 ## { 'command': 'guest-set-time', - 'data': { '*time': 'int' } } + 'data': { '*time': 'int' }, + 'features': [ 'confidential' ] } =20 ## # @GuestAgentCommandInfo: @@ -222,11 +238,13 @@ # # @fs-frozen: permitted when filesystems are frozen # +# @confidential: permitted when running inside a confidential VM +# # Since: 0.15.0 ## { 'command': 'guest-info', 'returns': 'GuestAgentInfo', - 'features': [ 'fs-frozen'] } + 'features': [ 'fs-frozen', 'confidential' ] } =20 ## # @guest-shutdown: @@ -241,10 +259,15 @@ # when running with --no-shutdown, by issuing the query-status QMP # command to confirm the VM status is "shutdown". # +# Features: +# +# @confidential: permitted when running inside a confidential VM +# # Since: 0.15.0 ## { 'command': 'guest-shutdown', 'data': { '*mode': 'str' }, - 'success-response': false } + 'success-response': false, + 'features': [ 'confidential' ] } =20 ## # @guest-file-open: @@ -457,11 +480,13 @@ # # @fs-frozen: permitted when filesystems are frozen # +# @confidential: permitted when running inside a confidential VM +# # Since: 0.15.0 ## { 'command': 'guest-fsfreeze-status', 'returns': 'GuestFsfreezeStatus', - 'features': [ 'fs-frozen'], + 'features': [ 'fs-frozen', 'confidential' ], 'if': { 'any': ['CONFIG_WIN32', 'CONFIG_FSFREEZE'] } } =20 ## @@ -481,10 +506,15 @@ # Volume Shadow-copy Service DLL helper. The frozen state is # limited for up to 10 seconds by VSS. # +# Features: +# +# @confidential: permitted when running inside a confidential VM +# # Since: 0.15.0 ## { 'command': 'guest-fsfreeze-freeze', 'returns': 'int', + 'features': [ 'confidential' ], 'if': { 'any': ['CONFIG_WIN32', 'CONFIG_FSFREEZE'] } } =20 ## @@ -501,11 +531,16 @@ # # Returns: Number of file systems currently frozen. # +# Features: +# +# @confidential: permitted when running inside a confidential VM +# # Since: 2.2 ## { 'command': 'guest-fsfreeze-freeze-list', 'data': { '*mountpoints': ['str'] }, 'returns': 'int', + 'features': [ 'confidential' ], 'if': { 'any': ['CONFIG_WIN32', 'CONFIG_FSFREEZE'] } } =20 ## @@ -524,11 +559,13 @@ # # @fs-frozen: permitted when filesystems are frozen # +# @confidential: permitted when running inside a confidential VM +# # Since: 0.15.0 ## { 'command': 'guest-fsfreeze-thaw', 'returns': 'int', - 'features': [ 'fs-frozen'], + 'features': [ 'fs-frozen', 'confidential' ], 'if': { 'any': ['CONFIG_WIN32', 'CONFIG_FSFREEZE'] } } =20 ## @@ -576,11 +613,16 @@ # Returns: A @GuestFilesystemTrimResponse which contains the status of # all trimmed paths. (since 2.4) # +# Features: +# +# @confidential: permitted when running inside a confidential VM +# # Since: 1.2 ## { 'command': 'guest-fstrim', 'data': { '*minimum': 'int' }, 'returns': 'GuestFilesystemTrimResponse', + 'features': [ 'confidential' ], 'if': { 'any': ['CONFIG_WIN32', 'CONFIG_FSTRIM'] } } =20 ## @@ -608,9 +650,14 @@ # Notes: It's strongly recommended to issue the guest-sync command # before sending commands when the guest resumes # +# Features: +# +# @confidential: permitted when running inside a confidential VM +# # Since: 1.1 ## { 'command': 'guest-suspend-disk', 'success-response': false, + 'features': [ 'confidential' ], 'if': { 'any': ['CONFIG_LINUX', 'CONFIG_WIN32'] } } =20 ## @@ -645,9 +692,14 @@ # Notes: It's strongly recommended to issue the guest-sync command # before sending commands when the guest resumes # +# Features: +# +# @confidential: permitted when running inside a confidential VM +# # Since: 1.1 ## { 'command': 'guest-suspend-ram', 'success-response': false, + 'features': [ 'confidential' ], 'if': { 'any': ['CONFIG_LINUX', 'CONFIG_WIN32'] } } =20 ## @@ -681,9 +733,14 @@ # Notes: It's strongly recommended to issue the guest-sync command # before sending commands when the guest resumes # +# Features: +# +# @confidential: permitted when running inside a confidential VM +# # Since: 1.1 ## { 'command': 'guest-suspend-hybrid', 'success-response': false, + 'features': [ 'confidential' ], 'if': 'CONFIG_LINUX' } =20 ## @@ -815,10 +872,15 @@ # Returns: The list of all VCPUs the guest knows about. Each VCPU is # put on the list exactly once, but their order is unspecified. # +# Features: +# +# @confidential: permitted when running inside a confidential VM +# # Since: 1.5 ## { 'command': 'guest-get-vcpus', 'returns': ['GuestLogicalProcessor'], + 'features': [ 'confidential' ], 'if': { 'any': ['CONFIG_LINUX', 'CONFIG_WIN32'] } } =20 ## @@ -857,11 +919,16 @@ # - If the reconfiguration of the first node in @vcpus failed. # Guest state has not been changed. # +# Features: +# +# @confidential: permitted when running inside a confidential VM +# # Since: 1.5 ## { 'command': 'guest-set-vcpus', 'data': {'vcpus': ['GuestLogicalProcessor'] }, 'returns': 'int', + 'features': [ 'confidential' ], 'if': 'CONFIG_LINUX' } =20 ## @@ -1180,10 +1247,15 @@ # memory block is put on the list exactly once, but their order is # unspecified. # +# Features: +# +# @confidential: permitted when running inside a confidential VM +# # Since: 2.3 ## { 'command': 'guest-get-memory-blocks', 'returns': ['GuestMemoryBlock'], + 'features': [ 'confidential' ], 'if': 'CONFIG_LINUX' } =20 ## @@ -1254,11 +1326,16 @@ # empty on input, or there is an error, and in this case, guest # state will not be changed. # +# Features: +# +# @confidential: permitted when running inside a confidential VM +# # Since: 2.3 ## { 'command': 'guest-set-memory-blocks', 'data': {'mem-blks': ['GuestMemoryBlock'] }, 'returns': ['GuestMemoryBlockResponse'], + 'features': [ 'confidential' ], 'if': 'CONFIG_LINUX' } =20 ## @@ -1268,10 +1345,15 @@ # minimal units of memory block online/offline operations (also # called Logical Memory Hotplug). # +# Features: +# +# @confidential: permitted when running inside a confidential VM +# # Since: 2.3 ## { 'struct': 'GuestMemoryBlockInfo', 'data': {'size': 'uint64'}, + 'features': [ 'confidential' ], 'if': 'CONFIG_LINUX' } =20 ## @@ -1281,10 +1363,15 @@ # # Returns: @GuestMemoryBlockInfo # +# Features: +# +# @confidential: permitted when running inside a confidential VM +# # Since: 2.3 ## { 'command': 'guest-get-memory-block-info', 'returns': 'GuestMemoryBlockInfo', + 'features': [ 'confidential' ], 'if': 'CONFIG_LINUX' } =20 ## @@ -1430,10 +1517,15 @@ # # Returns: the host name of the machine # +# Features: +# +# @confidential: permitted when running inside a confidential VM +# # Since: 2.10 ## { 'command': 'guest-get-host-name', - 'returns': 'GuestHostName' } + 'returns': 'GuestHostName', + 'features': [ 'confidential' ] } =20 =20 ## @@ -1882,9 +1974,14 @@ # # Returns: List of CPU stats of guest. # +# Features: +# +# @confidential: permitted when running inside a confidential VM +# # Since: 7.1 ## { 'command': 'guest-get-cpustats', 'returns': ['GuestCpuStats'], + 'features': [ 'confidential' ], 'if': 'CONFIG_LINUX' } --=20 2.45.1 From nobody Mon Nov 25 02:50:31 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1717515294; cv=none; d=zohomail.com; s=zohoarc; b=VibngOXFwjJjcYMt3BhWSJEZgjz5dYgXaYWW3X+MB1MDnGroSIQ+yJfs5k/2RttlBywpEKJsGdxE20/aJTptBOga7I7v1HGPq0iNP5FMs79TKAbISrF/8Sk5w8G8k2WBM8b/GfUOQ5EiavyVqgwaaQPXa2A/SKQh7CLEN12nFww= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1717515294; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=9zUc1+i0TloZjdrrmpIgHGps0532WQ7fdKFCuLWdL1I=; b=DpxH1I3kuFZCCFihU6/cjjOukvwIc7IfopG8PawUleNF30v171RyJEdSQQQV0dOzcRdI+skOhlwnI8WhUGzRM2iGWXiqNKsmQ1gMbNtRvNQM1nMDL+1JFD+R5yUzI/ToOowpM+HOBkG1rpnglA1TrrdDY9/eOUYwTqWeiLNGMps= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1717515294468865.9443277946385; Tue, 4 Jun 2024 08:34:54 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sEW9m-0006hl-7Y; Tue, 04 Jun 2024 11:33:02 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9j-0006gC-UT for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:59 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9h-0001Im-Qt for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:32:59 -0400 Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-221-yVh-L1_yO92AEeOifqAilw-1; Tue, 04 Jun 2024 11:32:55 -0400 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 8A704811E81; Tue, 4 Jun 2024 15:32:55 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.39.194.137]) by smtp.corp.redhat.com (Postfix) with ESMTP id B3BE8492BD3; Tue, 4 Jun 2024 15:32:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717515177; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=9zUc1+i0TloZjdrrmpIgHGps0532WQ7fdKFCuLWdL1I=; b=DM6WGQBxq/Oxo/HSwR5MgoQL0H1NICMvEYrFBl0rmxJTyu4ywX6YoQlsu8lSf+f/WUGrM8 7az+/LEC5WU2vtWN8jyCYMcOusnoYPT6krKybWSMXY90ZQNc+3jE79kdv7SdXezwd3MIY9 wMtZAmgMShwKzDY5QPfWBlK/U8ypvH8= X-MC-Unique: yVh-L1_yO92AEeOifqAilw-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: Markus Armbruster , Michael Roth , Konstantin Kostiuk , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 10/14] qga: add command line to block unrestricted command/file access Date: Tue, 4 Jun 2024 16:32:38 +0100 Message-ID: <20240604153242.251334-11-berrange@redhat.com> In-Reply-To: <20240604153242.251334-1-berrange@redhat.com> References: <20240604153242.251334-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1717515296318100007 Historically there has been no default policy on command usage in the QEMU guest agent. A wide variety of commands have been added for various purposes * Co-ordinating host mgmt tasks (FS freezing, CPU hotplug, memory block hotplug) * Guest information querying (CPU stats, mount info, etc) * Arbitrary file read/write and command execution * User account auth setup (passwords, SSH keys) All of these have valid use cases, but they come with very different levels of risk to the guest OS. The commands supporting arbitrary file access / command exec though are giving the guest agent client effectively unrestricted access to do anything at all in the guest OS. The guest agent client is the host OS, so in effect running the QEMU guest agent gives the host admin a trivial direct backdoor into the guest OS, with no authentication, authorization or auditing of what they do. In the absense of confidential computing, the host admin already has to be considered largely trustworthy, as they will typically have direct access to any guest RAM regardless. None the less, to limit their exposure, guest OS admins may choose to limit these commands by passing '--no-unrestricted' / '-u' to QGA The --allowedrpcs / --blockedrpcs arguments take precedence over the --unrestricted arg (whether present or not), thus allowing fine tuning the defaults further. Signed-off-by: Daniel P. Berrang=C3=A9 --- qga/main.c | 15 +++++++++++++++ qga/qapi-schema.json | 5 ++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/qga/main.c b/qga/main.c index 12b91eb713..66068ad535 100644 --- a/qga/main.c +++ b/qga/main.c @@ -87,6 +87,7 @@ struct GAConfig { GList *blockedrpcs; GList *allowedrpcs; bool only_confidential; + bool no_unrestricted; int daemonize; GLogLevelFlags log_level; int dumpconf; @@ -425,6 +426,16 @@ static bool ga_command_is_allowed(const QmpCommand *cm= d, GAState *state) allowed =3D false; } =20 + /* + * If unrestricted commands are not allowed that sets + * a new default, but an explicit allow/block list can + * override + */ + if (config->no_unrestricted && + qmp_command_has_feature(cmd, QAPI_FEATURE_UNRESTRICTED)) { + allowed =3D false; + } + if (config->allowedrpcs) { /* * If an allow-list is given, this changes the fallback @@ -1208,6 +1219,7 @@ static void config_parse(GAConfig *config, int argc, = char **argv) { "statedir", 1, NULL, 't' }, { "retry-path", 0, NULL, 'r' }, { "confidential", 0, NULL, 'i' }, + { "no-unrestricted", 0, NULL, 'u' }, { NULL, 0, NULL, 0 } }; =20 @@ -1307,6 +1319,9 @@ static void config_parse(GAConfig *config, int argc, = char **argv) case 'i': config->only_confidential =3D true; break; + case 'u': + config->no_unrestricted =3D true; + break; case 'h': usage(argv[0]); exit(EXIT_SUCCESS); diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json index 48ea95cdba..de7c1de0b7 100644 --- a/qga/qapi-schema.json +++ b/qga/qapi-schema.json @@ -42,7 +42,10 @@ 'fs-frozen', # Commands which do not violate privacy # of a confidential guest - 'confidential' + 'confidential', + # Commands which allow unrestricted access to or + # modification of guest files or execute arbitrary commands + 'unrestricted' ] } } =20 ## --=20 2.45.1 From nobody Mon Nov 25 02:50:31 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1717515292; cv=none; d=zohomail.com; s=zohoarc; b=W0uXDRdHpZAfJENGQWLoODljTaHCxz3h/YVffOetuTBTjIyHuQu//UfJV2IQLNVEAFyeayq/F7Eyha2TmEfx3CTVJ1bHXkRmA3kRmy6PPpjRKg8j4M7PBbj4dHC48QwBIURAfMF5si+3znR8NNyYgOFXZ1jk5KDkOTQfB04Ysoc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1717515292; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=XoKurEtuVM1m6D7a7OV1LnPY9CvW0j2OIm2Cocy4AOk=; b=Hmf80t7l90k58VgwurrkeDbVO+PnmahV0vvcReTC/fFQ0vBoRr8LHjj7wmHBJwrIYpLUERaPkY59PfeCKneLCU3ACg70cviT/cibwCn0k1Bpk807YFxN/syhvg6F1Ok/ovYvP4uSpxttKOAsGqDQbirR1Z+mVz5NE8Qe6ZP3TH8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1717515292837766.3440623839465; Tue, 4 Jun 2024 08:34:52 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sEW9q-0006mW-PR; Tue, 04 Jun 2024 11:33:06 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9p-0006jn-4T for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:33:05 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9n-0001Jq-Ic for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:33:04 -0400 Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-145-gVG-jyPONnO3l5eOCdZZlg-1; Tue, 04 Jun 2024 11:32:57 -0400 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id B28813801F4A; Tue, 4 Jun 2024 15:32:56 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.39.194.137]) by smtp.corp.redhat.com (Postfix) with ESMTP id BE261492BD8; Tue, 4 Jun 2024 15:32:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717515182; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XoKurEtuVM1m6D7a7OV1LnPY9CvW0j2OIm2Cocy4AOk=; b=hvOJZOSxqWNuSRcwVcHzBywNDZPM2RxePSIs2Gfw5wFyy234Hioxzs20YGNKIjKfh8DfVz z2ncSQxfRdMC3HcCJ2wFXsjNJIfzhJt2KTYF4lLuQQkFsQOMsfvZOqs+DIzNJnyFk9WDaV DdAVpegD6xiZ5bzECAk3y5PBs6DMugk= X-MC-Unique: gVG-jyPONnO3l5eOCdZZlg-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: Markus Armbruster , Michael Roth , Konstantin Kostiuk , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 11/14] qga: mark guest-file-* commands with 'unrestricted' flag Date: Tue, 4 Jun 2024 16:32:39 +0100 Message-ID: <20240604153242.251334-12-berrange@redhat.com> In-Reply-To: <20240604153242.251334-1-berrange@redhat.com> References: <20240604153242.251334-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1717515294169100002 This blocks use of all the 'guest-file-*' commands unless the QGA is run with the --unrestricted command line argument. These commands allow the host admin to read and write arbitrary guest files and so directly compromise the guest OS. Signed-off-by: Daniel P. Berrang=C3=A9 --- qga/qapi-schema.json | 48 ++++++++++++++++++++++++++++++++++++++------ 1 file changed, 42 insertions(+), 6 deletions(-) diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json index de7c1de0b7..2f80d89536 100644 --- a/qga/qapi-schema.json +++ b/qga/qapi-schema.json @@ -283,11 +283,17 @@ # # Returns: Guest file handle # +# Features: +# +# @unrestricted: not permitted if agent disables unrestricted +# resource access mode +# # Since: 0.15.0 ## { 'command': 'guest-file-open', 'data': { 'path': 'str', '*mode': 'str' }, - 'returns': 'int' } + 'returns': 'int', + 'features': [ 'unrestricted' ] } =20 ## # @guest-file-close: @@ -296,10 +302,16 @@ # # @handle: filehandle returned by guest-file-open # +# Features: +# +# @unrestricted: not permitted if agent disables unrestricted +# resource access mode +# # Since: 0.15.0 ## { 'command': 'guest-file-close', - 'data': { 'handle': 'int' } } + 'data': { 'handle': 'int' }, + 'features': [ 'unrestricted' ] } =20 ## # @GuestFileRead: @@ -332,11 +344,17 @@ # # Returns: @GuestFileRead # +# Features: +# +# @unrestricted: not permitted if agent disables unrestricted +# resource access mode +# # Since: 0.15.0 ## { 'command': 'guest-file-read', 'data': { 'handle': 'int', '*count': 'int' }, - 'returns': 'GuestFileRead' } + 'returns': 'GuestFileRead', + 'features': [ 'unrestricted' ] } =20 ## # @GuestFileWrite: @@ -367,11 +385,17 @@ # # Returns: @GuestFileWrite # +# Features: +# +# @unrestricted: not permitted if agent disables unrestricted +# resource access mode +# # Since: 0.15.0 ## { 'command': 'guest-file-write', 'data': { 'handle': 'int', 'buf-b64': 'str', '*count': 'int' }, - 'returns': 'GuestFileWrite' } + 'returns': 'GuestFileWrite', + 'features': [ 'unrestricted' ] } =20 =20 ## @@ -434,12 +458,18 @@ # # Returns: @GuestFileSeek # +# Features: +# +# @unrestricted: not permitted if agent disables unrestricted +# resource access mode +# # Since: 0.15.0 ## { 'command': 'guest-file-seek', 'data': { 'handle': 'int', 'offset': 'int', 'whence': 'GuestFileWhence' }, - 'returns': 'GuestFileSeek' } + 'returns': 'GuestFileSeek', + 'features': [ 'unrestricted' ] } =20 ## # @guest-file-flush: @@ -448,10 +478,16 @@ # # @handle: filehandle returned by guest-file-open # +# Features: +# +# @unrestricted: not permitted if agent disables unrestricted +# resource access mode +# # Since: 0.15.0 ## { 'command': 'guest-file-flush', - 'data': { 'handle': 'int' } } + 'data': { 'handle': 'int' }, + 'features': [ 'unrestricted' ] } =20 ## # @GuestFsfreezeStatus: --=20 2.45.1 From nobody Mon Nov 25 02:50:31 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1717515297; cv=none; d=zohomail.com; s=zohoarc; b=j8stsVBU7cEG9BXh7Epe5mE9R19XWcfgo4Sc3gP4jtBZBYgrnXq1FYDPLc+H83XASu6qx6CKDdp7/YtNt/t7MCPatKm/3W/PC2BCaBJ7VACwuyVCWA8ZC3+9pfxmxT8QuBp0QWMiotY9/HLGYzSIfxhHng+vPYSfy0CHh9QvP/g= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1717515297; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=j4oAbYct1l9t6g9PwqcePOZrHlz9FGf3N1fChZQN2iQ=; b=kUc8+lafV0BLBgcRAHZAc2390vZfJLWyuOoWWgAZGRaV52fS8ifzmzuLU/qNDTICHqgbIQjA2NOBAvzreDSy3xxloyeS6r2VGXwbCtDAJ9v9ipbMS9xUbfxhWkQ92MmJ/OZ/E4hZ7I8TX5wu+rjX9VLlI4yHLuOvnNWplmIE958= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1717515297346691.3268923338653; Tue, 4 Jun 2024 08:34:57 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sEW9n-0006iL-E5; Tue, 04 Jun 2024 11:33:03 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9l-0006hO-Ue for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:33:01 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9k-0001JW-DZ for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:33:01 -0400 Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-207-7F5JR5IGN_Oa_D31ylMIGQ-1; Tue, 04 Jun 2024 11:32:58 -0400 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id E8F671C05130; Tue, 4 Jun 2024 15:32:57 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.39.194.137]) by smtp.corp.redhat.com (Postfix) with ESMTP id E9DD7492BD5; Tue, 4 Jun 2024 15:32:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717515179; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=j4oAbYct1l9t6g9PwqcePOZrHlz9FGf3N1fChZQN2iQ=; b=YfVS7kR4jMTqjNVO7VONXongMHjTxto1CeSrMPso2pXIiUlSQORkiDXwbXceUgjCcWEuel Easl9WhQ5bF+Nn+TTkYKGmINUsW7LYsa7Tp9I2kPyrFesHAh4xwUe+9VjkvLfE6O16Q0SY yC6vXMbtF2wA9QpxS8qySHmt8RY7DtE= X-MC-Unique: 7F5JR5IGN_Oa_D31ylMIGQ-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: Markus Armbruster , Michael Roth , Konstantin Kostiuk , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 12/14] qga: mark guest-exec-* commands with 'unrestricted' flag Date: Tue, 4 Jun 2024 16:32:40 +0100 Message-ID: <20240604153242.251334-13-berrange@redhat.com> In-Reply-To: <20240604153242.251334-1-berrange@redhat.com> References: <20240604153242.251334-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1717515298733100011 This blocks use of all the 'guest-exec-*' commands unless the QGA is run with the --unrestricted command line argument. These commands allow the host admin to execute arbitrary programs and so directly compromise the guest OS. Signed-off-by: Daniel P. Berrang=C3=A9 --- qga/qapi-schema.json | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json index 2f80d89536..a4f8653446 100644 --- a/qga/qapi-schema.json +++ b/qga/qapi-schema.json @@ -1454,11 +1454,17 @@ # # Returns: GuestExecStatus # +# Features: +# +# @unrestricted: not permitted if agent disables unrestricted +# resource access mode +# # Since: 2.5 ## { 'command': 'guest-exec-status', 'data': { 'pid': 'int' }, - 'returns': 'GuestExecStatus' } + 'returns': 'GuestExecStatus', + 'features': [ 'unrestricted' ] } =20 ## # @GuestExec: @@ -1527,12 +1533,18 @@ # # Returns: PID # +# Features: +# +# @unrestricted: not permitted if agent disables unrestricted +# resource access mode +# # Since: 2.5 ## { 'command': 'guest-exec', 'data': { 'path': 'str', '*arg': ['str'], '*env': ['str'], '*input-data': 'str', '*capture-output': 'GuestExecCaptureO= utput' }, - 'returns': 'GuestExec' } + 'returns': 'GuestExec', + 'features': [ 'unrestricted' ] } =20 =20 ## --=20 2.45.1 From nobody Mon Nov 25 02:50:31 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1717515215; cv=none; d=zohomail.com; s=zohoarc; b=iLhfy6XIMv9x51JFN7DznLpA+C/XQkPkDYsfr+A0AWnb6yHsiWTdLg1MfMGYEZHl1pgs91arNdXbzQC4Zk/93xtDGNvKp8p9cocwn54Zo4mjIB0yxsFJmgeazVcnoFGXxRa0f5h+zgsCP2wkvDG1L5Ffhlf5JjhqMOCX+3L8LEw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1717515215; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=YJjYoiTj3WSsEa5+kzx49B/Y4qCMzV1a+UUijYo12BQ=; b=NwfPhN+GHonjF6Nff3epdfnDdyArIz2+uIbrS9446zGzGHmunPtzaDy8LUjKw/iEQSC6hGoD7wrMFWXb36VGW9Ykg1/HFChRxpw2weorq6EYoTbg9nVgSQdiSvx0rl+Y9qWVCAdfSJsGdEgIEEOoUayrjLhdTSkFa2o5NeYWLFM= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1717515215051592.8359746437112; Tue, 4 Jun 2024 08:33:35 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sEW9s-0006oH-Gn; Tue, 04 Jun 2024 11:33:08 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9n-0006iH-7F for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:33:03 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9l-0001Je-MD for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:33:02 -0400 Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-147-5lfOiD3mN1imtGEcTBYA5A-1; Tue, 04 Jun 2024 11:32:59 -0400 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id F0584101A520; Tue, 4 Jun 2024 15:32:58 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.39.194.137]) by smtp.corp.redhat.com (Postfix) with ESMTP id 29F91492BCF; Tue, 4 Jun 2024 15:32:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717515181; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=YJjYoiTj3WSsEa5+kzx49B/Y4qCMzV1a+UUijYo12BQ=; b=CF9WajvGcxT5rr8esgeijt2bGio37iTrU4G8M+Jtuk3uPlNsJGc1VdcscgnCngCTV9EZoa n7JcbBj9fiCOiUS3z5C0jbbB8Bznl541gTxbXfpBRwpcen/rfgKiUQ5KAAuNF4wiKLXOpc zcfaGrt7ObN0O6jFaAYWABySSmKgVww= X-MC-Unique: 5lfOiD3mN1imtGEcTBYA5A-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: Markus Armbruster , Michael Roth , Konstantin Kostiuk , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 13/14] qga: add command line to block user authentication commands Date: Tue, 4 Jun 2024 16:32:41 +0100 Message-ID: <20240604153242.251334-14-berrange@redhat.com> In-Reply-To: <20240604153242.251334-1-berrange@redhat.com> References: <20240604153242.251334-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.129.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1717515216021100008 Historically there has been no default policy on command usage in the QEMU guest agent. A wide variety of commands have been added for various purposes * Co-ordinating host mgmt tasks (FS freezing, CPU hotplug, memory block hotplug) * Guest information querying (CPU stats, mount info, etc) * Arbitrary file read/write and command execution * User account auth setup (passwords, SSH keys) All of these have valid use cases, but they come with very different levels of risk to the guest OS. The commands supporting alteration of user authentication credentials are giving the guest agent client effectively unrestricted access to do anything at all in the guest OS by enabling them to subsequently access a user login shell. The guest agent client is the host OS, so in effect running the QEMU guest agent gives the host admin a trivial direct backdoor into the guest OS. In the absense of confidential computing, the host admin already has to be considered largely trustworthy, as they will typically have direct access to any guest RAM regardless. None the less, to limit their exposure, guest OS admins may choose to limit these commands by passing '--no-user-auth' / '-e' to QGA The --allowedrpcs / --blockedrpcs arguments take precedence over the --unrestricted arg (whether present or not), thus allowing fine tuning the defaults further. Signed-off-by: Daniel P. Berrang=C3=A9 --- qga/main.c | 15 +++++++++++++++ qga/qapi-schema.json | 5 ++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/qga/main.c b/qga/main.c index 66068ad535..0d792cd92e 100644 --- a/qga/main.c +++ b/qga/main.c @@ -88,6 +88,7 @@ struct GAConfig { GList *allowedrpcs; bool only_confidential; bool no_unrestricted; + bool no_user_auth; int daemonize; GLogLevelFlags log_level; int dumpconf; @@ -436,6 +437,16 @@ static bool ga_command_is_allowed(const QmpCommand *cm= d, GAState *state) allowed =3D false; } =20 + /* + * If user auth commands are not allowed that sets + * a new default, but an explicit allow/block list can + * override + */ + if (config->no_user_auth && + qmp_command_has_feature(cmd, QAPI_FEATURE_USER_AUTH)) { + allowed =3D false; + } + if (config->allowedrpcs) { /* * If an allow-list is given, this changes the fallback @@ -1220,6 +1231,7 @@ static void config_parse(GAConfig *config, int argc, = char **argv) { "retry-path", 0, NULL, 'r' }, { "confidential", 0, NULL, 'i' }, { "no-unrestricted", 0, NULL, 'u' }, + { "no-user-auth", 0, NULL, 'e' }, { NULL, 0, NULL, 0 } }; =20 @@ -1322,6 +1334,9 @@ static void config_parse(GAConfig *config, int argc, = char **argv) case 'u': config->no_unrestricted =3D true; break; + case 'e': + config->no_user_auth =3D true; + break; case 'h': usage(argv[0]); exit(EXIT_SUCCESS); diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json index a4f8653446..25068b8110 100644 --- a/qga/qapi-schema.json +++ b/qga/qapi-schema.json @@ -45,7 +45,10 @@ 'confidential', # Commands which allow unrestricted access to or # modification of guest files or execute arbitrary commands - 'unrestricted' + 'unrestricted', + # Commands which allow changes to user account + # authentication credentials (keys, passwords) + 'user-auth' ] } } =20 ## --=20 2.45.1 From nobody Mon Nov 25 02:50:31 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1717515283; cv=none; d=zohomail.com; s=zohoarc; b=buiZiuY3H0oH/Yuod4nzIRXFs/AIipMbmXVjXyQiDiSlAw99bECNE4VAjl2xruL8xjRIxhNXSjOdEYLNNwkwQg7KskcN8zlodwuuUma2GHNWqlcrPAUrSegFQEF5kV66VAIJlrK16zmRQg9x83GuaZ6lCSC8iaAIE7nV3pnSWJo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1717515283; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=S2ZZ7ZPJISnpZt1cwBtV7RhIp0sWJo7jom/X++Viyag=; b=JqLV3JBJXsIJg27GcWLJ59oZA7K0VmY/MxdoLfyVTvGVMSSyjaQ4J+PIHI8ufF5x7pnbEbBuTGhXHg+C+S73m7IkAZs66aZnwQdrFdxnBp/tEoceCOvpbpIE1zpYgSZhxkZ27ojyYvpZLdPw+sFX5FS6dP7HuEigXTrWQYJSooo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1717515283104419.53797702427437; Tue, 4 Jun 2024 08:34:43 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sEW9u-0006pl-4e; Tue, 04 Jun 2024 11:33:11 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9q-0006mP-Lk for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:33:06 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sEW9p-0001KH-73 for qemu-devel@nongnu.org; Tue, 04 Jun 2024 11:33:06 -0400 Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-282-rBMWqbGVNFGQKktsmt72QQ-1; Tue, 04 Jun 2024 11:33:00 -0400 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 049AD185B920; Tue, 4 Jun 2024 15:33:00 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.39.194.137]) by smtp.corp.redhat.com (Postfix) with ESMTP id 30A18492BD6; Tue, 4 Jun 2024 15:32:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717515184; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=S2ZZ7ZPJISnpZt1cwBtV7RhIp0sWJo7jom/X++Viyag=; b=DOvLRWOqX6wfneygX0pQDDLVqI4UxNUztbLNoOcxHin9eQoxAgdhx1xEGnizdkpR6oiL/9 dbENVG8PV2oA8RxVa/QKZQqTg0tHxafUYtUDWuyvKNTCtk3k1EUpgkucZDe0BslZFDKxq+ Hu3Gy3Q+wmojKn1EBYh4us1z9wxVCHU= X-MC-Unique: rBMWqbGVNFGQKktsmt72QQ-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: Markus Armbruster , Michael Roth , Konstantin Kostiuk , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Subject: [PATCH 14/14] qga: mark guest-ssh-* / guest-*-password commands with 'unrestricted' flag Date: Tue, 4 Jun 2024 16:32:42 +0100 Message-ID: <20240604153242.251334-15-berrange@redhat.com> In-Reply-To: <20240604153242.251334-1-berrange@redhat.com> References: <20240604153242.251334-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.9 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1717515284190100019 This blocks use of all the 'guest-ssh-*' / 'guest-password' commands unless the QGA is runwith the --unrestricted command line argument. These commands allow the host admin to takeover user accounts and so directly compromise the guest OS. Signed-off-by: Daniel P. Berrang=C3=A9 --- qga/qapi-schema.json | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json index 25068b8110..e7ce80a479 100644 --- a/qga/qapi-schema.json +++ b/qga/qapi-schema.json @@ -1251,10 +1251,15 @@ # transmission, even if already crypt()d, to ensure it is 8-bit safe # when passed as JSON. # +# Features: +# +# @user-auth: not permitted if agent is limiting user auth +# # Since: 2.3 ## { 'command': 'guest-set-user-password', 'data': { 'username': 'str', 'password': 'str', 'crypted': 'bool' }, + 'features': [ 'user-auth' ], 'if': { 'any': [ 'CONFIG_WIN32', 'CONFIG_LINUX', 'CONFIG_FREEBSD'] } } =20 ## @@ -1810,11 +1815,16 @@ # # Returns: @GuestAuthorizedKeys # +# Features: +# +# @user-auth: not permitted if agent is limiting user auth +# # Since: 5.2 ## { 'command': 'guest-ssh-get-authorized-keys', 'data': { 'username': 'str' }, - 'returns': 'GuestAuthorizedKeys' + 'returns': 'GuestAuthorizedKeys', + 'features': [ 'user-auth' ] } =20 ## @@ -1830,10 +1840,15 @@ # # @reset: ignore the existing content, set it with the given keys only # +# Features: +# +# @user-auth: not permitted if agent is limiting user auth +# # Since: 5.2 ## { 'command': 'guest-ssh-add-authorized-keys', - 'data': { 'username': 'str', 'keys': ['str'], '*reset': 'bool' } + 'data': { 'username': 'str', 'keys': ['str'], '*reset': 'bool' }, + 'features': [ 'user-auth' ] } =20 ## @@ -1848,10 +1863,15 @@ # @keys: the public keys to remove (in OpenSSH/sshd(8) authorized_keys # format) # +# Features: +# +# @user-auth: not permitted if agent is limiting user auth +# # Since: 5.2 ## { 'command': 'guest-ssh-remove-authorized-keys', - 'data': { 'username': 'str', 'keys': ['str'] } + 'data': { 'username': 'str', 'keys': ['str'] }, + 'features': [ 'user-auth' ] } =20 ## --=20 2.45.1