Add flags to ObjectClass for objects which are deprecated or not secure.
Add 'deprecated' and 'not-secure' bools to ObjectTypeInfo, report in
'qom-list-types'. Print the flags when listing devices via '-device
help'.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
include/qom/object.h | 3 +++
qom/qom-qmp-cmds.c | 8 ++++++++
system/qdev-monitor.c | 8 ++++++++
qapi/qom.json | 8 +++++++-
4 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/include/qom/object.h b/include/qom/object.h
index 13d3a655ddf9..419bd9a4b219 100644
--- a/include/qom/object.h
+++ b/include/qom/object.h
@@ -136,6 +136,9 @@ struct ObjectClass
ObjectUnparent *unparent;
GHashTable *properties;
+
+ bool deprecated;
+ bool not_secure;
};
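Review bot: The two new ObjectClass members are added without any documentation, and the kernel-doc block for struct ObjectClass that precedes this hunk is where the existing members are described, so `@deprecated:` and `@not_secure:` entries belong there, e.g. `@deprecated: the class is deprecated; surfaced by qom-list-types and '-device help'` and `@not_secure: the class is not considered a guest security boundary; surfaced the same way`. It is also worth stating who is expected to set the flags (a class_init hook, presumably) and whether a subclass inherits them, since nothing in the patch resets them; I believe QOM initialises a child class by copying the parent class struct, which would make inheritance the default, but confirm against type_initialize() before documenting it. The struct definition starts before the hunk.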
/**
diff --git a/qom/qom-qmp-cmds.c b/qom/qom-qmp-cmds.c
index e91a2353472a..325ff0ba2a25 100644
--- a/qom/qom-qmp-cmds.c
+++ b/qom/qom-qmp-cmds.c
@@ -101,6 +101,14 @@ static void qom_list_types_tramp(ObjectClass *klass, void *data)
if (parent) {
info->parent = g_strdup(object_class_get_name(parent));
}
+ if (klass->deprecated) {
+ info->has_deprecated = true;
+ info->deprecated = true;
+ }
+ if (klass->not_secure) {
+ info->has_not_secure = true;
+ info->not_secure = true;
+ }
QAPI_LIST_PREPEND(*pret, info);
}
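Review bot: The optional members are only filled in when the flag is set, so a qom-list-types consumer sees the key missing rather than `false` and has to treat absence as false; that contract is not written down anywhere in the patch. Either report them unconditionally, `info->has_deprecated = true; info->deprecated = klass->deprecated;` (and likewise for not_secure), or state in the ObjectTypeInfo doc comment in the qapi/qom.json hunk that each member is present only when true. Management tools that want to refuse or warn on not-secure devices need to know which of the two they are dealing with. qom_list_types_tramp begins before the hunk.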
diff --git a/system/qdev-monitor.c b/system/qdev-monitor.c
index 6af6ef7d667f..effdc95d21d3 100644
--- a/system/qdev-monitor.c
+++ b/system/qdev-monitor.c
@@ -144,6 +144,8 @@ static bool qdev_class_has_alias(DeviceClass *dc)
static void qdev_print_devinfo(DeviceClass *dc)
{
+ ObjectClass *klass = OBJECT_CLASS(dc);
+
qemu_printf("name \"%s\"", object_class_get_name(OBJECT_CLASS(dc)));
if (dc->bus_type) {
qemu_printf(", bus %s", dc->bus_type);
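Review bot: The new `klass` local is introduced but the line immediately after it still spells out `OBJECT_CLASS(dc)` a second time; use it, `qemu_printf("name \"%s\"", object_class_get_name(klass));`, so the cast appears once. A short comment on the local, `/* the deprecated/not_secure flags live on ObjectClass, not DeviceClass */`, would explain why it is needed. qdev_print_devinfo continues past the hunk.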
@@ -157,6 +159,12 @@ static void qdev_print_devinfo(DeviceClass *dc)
if (!dc->user_creatable) {
qemu_printf(", no-user");
}
+ if (klass->deprecated) {
+ qemu_printf(", deprecated");
+ }
+ if (klass->not_secure) {
+ qemu_printf(", not-secure");
+ }
qemu_printf("\n");
}
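Review bot: The not-secure marking only reaches users who read `-device help` or query qom-list-types; nothing in this patch emits a diagnostic when such a device is actually added to a guest, which is the point at which the information matters for a deployment. If the intent is to steer users away from these devices, a `warn_report()` at device creation, along the lines of what machine types do with deprecation_reason (from memory; verify), would be the more effective place and could be a follow-up. The literal ", not-secure" printed here matches the QAPI member name, which helps anyone correlating the two outputs.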
diff --git a/qapi/qom.json b/qapi/qom.json
index 8bd299265e39..3f20d4c6413b 100644
--- a/qapi/qom.json
+++ b/qapi/qom.json
@@ -163,10 +163,16 @@
#
# @parent: Name of parent type, if any (since 2.10)
#
+# @deprecated: the type is deprecated (since 9.1)
+#
+# @not-secure: the type (typically a device) is not considered
+# a security boundary (since 9.1)
+#
# Since: 1.1
##
{ 'struct': 'ObjectTypeInfo',
- 'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str' } }
+ 'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str',
+ '*deprecated': 'bool', '*not-secure': 'bool' } }
##
# @qom-list-types:
--
2.45.2
Gerd Hoffmann <kraxel@redhat.com> writes: > Add flags to ObjectClass for objects which are deprecated or not secure. > Add 'deprecated' and 'not-secure' bools to ObjectTypeInfo, report in > 'qom-list-types'. Print the flags when listing devices via '-device > help'. > > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > --- > include/qom/object.h | 3 +++ > qom/qom-qmp-cmds.c | 8 ++++++++ > system/qdev-monitor.c | 8 ++++++++ > qapi/qom.json | 8 +++++++- > 4 files changed, 26 insertions(+), 1 deletion(-) > > diff --git a/include/qom/object.h b/include/qom/object.h > index 13d3a655ddf9..419bd9a4b219 100644 > --- a/include/qom/object.h > +++ b/include/qom/object.h > @@ -136,6 +136,9 @@ struct ObjectClass > ObjectUnparent *unparent; > > GHashTable *properties; > + > + bool deprecated; > + bool not_secure; > }; Ignorant question: should this be in struct TypeImpl instead? > > /** > diff --git a/qom/qom-qmp-cmds.c b/qom/qom-qmp-cmds.c > index e91a2353472a..325ff0ba2a25 100644 > --- a/qom/qom-qmp-cmds.c > +++ b/qom/qom-qmp-cmds.c > @@ -101,6 +101,14 @@ static void qom_list_types_tramp(ObjectClass *klass, void *data) > if (parent) { > info->parent = g_strdup(object_class_get_name(parent)); > } > + if (klass->deprecated) { > + info->has_deprecated = true; > + info->deprecated = true; > + } > + if (klass->not_secure) { > + info->has_not_secure = true; > + info->not_secure = true; > + } > > QAPI_LIST_PREPEND(*pret, info); > } > diff --git a/system/qdev-monitor.c b/system/qdev-monitor.c > index 6af6ef7d667f..effdc95d21d3 100644 > --- a/system/qdev-monitor.c > +++ b/system/qdev-monitor.c > @@ -144,6 +144,8 @@ static bool qdev_class_has_alias(DeviceClass *dc) > > static void qdev_print_devinfo(DeviceClass *dc) > { > + ObjectClass *klass = OBJECT_CLASS(dc); > + > qemu_printf("name \"%s\"", object_class_get_name(OBJECT_CLASS(dc))); > if (dc->bus_type) { > qemu_printf(", bus %s", dc->bus_type); 
> @@ -157,6 +159,12 @@ static void qdev_print_devinfo(DeviceClass *dc) > if (!dc->user_creatable) { > qemu_printf(", no-user"); > } > + if (klass->deprecated) { > + qemu_printf(", deprecated"); > + } > + if (klass->not_secure) { > + qemu_printf(", not-secure"); > + } > qemu_printf("\n"); > } > > diff --git a/qapi/qom.json b/qapi/qom.json > index 8bd299265e39..3f20d4c6413b 100644 > --- a/qapi/qom.json > +++ b/qapi/qom.json > @@ -163,10 +163,16 @@ > # > # @parent: Name of parent type, if any (since 2.10) > # > +# @deprecated: the type is deprecated (since 9.1) > +# > +# @not-secure: the type (typically a device) is not considered > +# a security boundary (since 9.1) What does this mean? Does it mean "do not add an instance of this device the guest unless you trust the guest"? > +# > # Since: 1.1 > ## > { 'struct': 'ObjectTypeInfo', > - 'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str' } } > + 'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str', > + '*deprecated': 'bool', '*not-secure': 'bool' } } > > ## > # @qom-list-types: I dislike booleans named "no-FOO" or "not-FOO", because they lead to double-negation.
On Wed, Jun 12, 2024 at 01:07:44PM +0200, Markus Armbruster wrote: > Gerd Hoffmann <kraxel@redhat.com> writes: > > > Add flags to ObjectClass for objects which are deprecated or not secure. > > Add 'deprecated' and 'not-secure' bools to ObjectTypeInfo, report in > > 'qom-list-types'. Print the flags when listing devices via '-device > > help'. > > > > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > > --- > > include/qom/object.h | 3 +++ > > qom/qom-qmp-cmds.c | 8 ++++++++ > > system/qdev-monitor.c | 8 ++++++++ > > qapi/qom.json | 8 +++++++- > > 4 files changed, 26 insertions(+), 1 deletion(-) > > > > diff --git a/include/qom/object.h b/include/qom/object.h > > index 13d3a655ddf9..419bd9a4b219 100644 > > --- a/include/qom/object.h > > +++ b/include/qom/object.h > > @@ -136,6 +136,9 @@ struct ObjectClass > > ObjectUnparent *unparent; > > > > GHashTable *properties; > > + > > + bool deprecated; > > + bool not_secure; > > }; > > Ignorant question: should this be in struct TypeImpl instead? > > > > > /** > > diff --git a/qom/qom-qmp-cmds.c b/qom/qom-qmp-cmds.c > > index e91a2353472a..325ff0ba2a25 100644 > > --- a/qom/qom-qmp-cmds.c > > +++ b/qom/qom-qmp-cmds.c > > @@ -101,6 +101,14 @@ static void qom_list_types_tramp(ObjectClass *klass, void *data) > > if (parent) { > > info->parent = g_strdup(object_class_get_name(parent)); > > } > > + if (klass->deprecated) { > > + info->has_deprecated = true; > > + info->deprecated = true; > > + } > > + if (klass->not_secure) { > > + info->has_not_secure = true; > > + info->not_secure = true; > > + } > > > > QAPI_LIST_PREPEND(*pret, info); > > } > > diff --git a/system/qdev-monitor.c b/system/qdev-monitor.c > > index 6af6ef7d667f..effdc95d21d3 100644 > > --- a/system/qdev-monitor.c > > +++ b/system/qdev-monitor.c 
> > @@ -144,6 +144,8 @@ static bool qdev_class_has_alias(DeviceClass *dc) > > > > static void qdev_print_devinfo(DeviceClass *dc) > > { > > + ObjectClass *klass = OBJECT_CLASS(dc); > > + > > qemu_printf("name \"%s\"", object_class_get_name(OBJECT_CLASS(dc))); > > if (dc->bus_type) { > > qemu_printf(", bus %s", dc->bus_type); > > @@ -157,6 +159,12 @@ static void qdev_print_devinfo(DeviceClass *dc) > > if (!dc->user_creatable) { > > qemu_printf(", no-user"); > > } > > + if (klass->deprecated) { > > + qemu_printf(", deprecated"); > > + } > > + if (klass->not_secure) { > > + qemu_printf(", not-secure"); > > + } > > qemu_printf("\n"); > > } > > > > diff --git a/qapi/qom.json b/qapi/qom.json > > index 8bd299265e39..3f20d4c6413b 100644 > > --- a/qapi/qom.json > > +++ b/qapi/qom.json > > @@ -163,10 +163,16 @@ > > # > > # @parent: Name of parent type, if any (since 2.10) > > # > > +# @deprecated: the type is deprecated (since 9.1) > > +# > > +# @not-secure: the type (typically a device) is not considered > > +# a security boundary (since 9.1) > > What does this mean? Does it mean "do not add an instance of this > device the guest unless you trust the guest"? Essentially yes. This ties to our security doc where we declare we won't consider non-virtualization use cases as being security bugs (CVEs) as large parts of QEMU haven't been designed to provide a guest security boundary https://www.qemu.org/docs/master/system/security.html With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Daniel P. Berrangé <berrange@redhat.com> writes: > On Wed, Jun 12, 2024 at 01:07:44PM +0200, Markus Armbruster wrote: >> Gerd Hoffmann <kraxel@redhat.com> writes: >> >> > Add flags to ObjectClass for objects which are deprecated or not secure. >> > Add 'deprecated' and 'not-secure' bools to ObjectTypeInfo, report in >> > 'qom-list-types'. Print the flags when listing devices via '-device >> > help'. >> > >> > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> [...] >> > diff --git a/qapi/qom.json b/qapi/qom.json >> > index 8bd299265e39..3f20d4c6413b 100644 >> > --- a/qapi/qom.json >> > +++ b/qapi/qom.json >> > @@ -163,10 +163,16 @@ >> > # >> > # @parent: Name of parent type, if any (since 2.10) >> > # >> > +# @deprecated: the type is deprecated (since 9.1) >> > +# >> > +# @not-secure: the type (typically a device) is not considered >> > +# a security boundary (since 9.1) >> >> What does this mean? Does it mean "do not add an instance of this >> device the guest unless you trust the guest"? > > Essentially yes. This ties to our security doc where we declare > we won't consider non-virtualization use cases as being security > bugs (CVEs) as large parts of QEMU haven't been designed to > provide a guest security boundary > > https://www.qemu.org/docs/master/system/security.html Would it make sense to add a suitable pointer to the doc comment?
On 6/6/24 16:30, Gerd Hoffmann wrote: > Add flags to ObjectClass for objects which are deprecated or not secure. > Add 'deprecated' and 'not-secure' bools to ObjectTypeInfo, report in > 'qom-list-types'. Print the flags when listing devices via '-device > help'. > > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > --- > include/qom/object.h | 3 +++ > qom/qom-qmp-cmds.c | 8 ++++++++ > system/qdev-monitor.c | 8 ++++++++ > qapi/qom.json | 8 +++++++- > 4 files changed, 26 insertions(+), 1 deletion(-) > > diff --git a/include/qom/object.h b/include/qom/object.h > index 13d3a655ddf9..419bd9a4b219 100644 > --- a/include/qom/object.h > +++ b/include/qom/object.h > @@ -136,6 +136,9 @@ struct ObjectClass > ObjectUnparent *unparent; > > GHashTable *properties; > + > + bool deprecated; > + bool not_secure; LGTM but I'd rather use a reason string instead of a boolean, so we are forced to justify. That would be in line with MachineClass::deprecation_reason: * MachineClass: * @deprecation_reason: If set, the machine is marked as deprecated. * The string should provide some clear information about what to * use instead. > }; > > /** > diff --git a/qom/qom-qmp-cmds.c b/qom/qom-qmp-cmds.c > index e91a2353472a..325ff0ba2a25 100644 > --- a/qom/qom-qmp-cmds.c > +++ b/qom/qom-qmp-cmds.c > @@ -101,6 +101,14 @@ static void qom_list_types_tramp(ObjectClass *klass, void *data) > if (parent) { > info->parent = g_strdup(object_class_get_name(parent)); > } > + if (klass->deprecated) { > + info->has_deprecated = true; > + info->deprecated = true; > + } > + if (klass->not_secure) { > + info->has_not_secure = true; > + info->not_secure = true; > + } > > QAPI_LIST_PREPEND(*pret, info); > } > diff --git a/system/qdev-monitor.c b/system/qdev-monitor.c > index 6af6ef7d667f..effdc95d21d3 100644 > --- a/system/qdev-monitor.c > +++ b/system/qdev-monitor.c 
> @@ -144,6 +144,8 @@ static bool qdev_class_has_alias(DeviceClass *dc) > > static void qdev_print_devinfo(DeviceClass *dc) > { > + ObjectClass *klass = OBJECT_CLASS(dc); > + > qemu_printf("name \"%s\"", object_class_get_name(OBJECT_CLASS(dc))); > if (dc->bus_type) { > qemu_printf(", bus %s", dc->bus_type); > @@ -157,6 +159,12 @@ static void qdev_print_devinfo(DeviceClass *dc) > if (!dc->user_creatable) { > qemu_printf(", no-user"); > } > + if (klass->deprecated) { > + qemu_printf(", deprecated"); > + } > + if (klass->not_secure) { > + qemu_printf(", not-secure"); > + } > qemu_printf("\n"); > } > > diff --git a/qapi/qom.json b/qapi/qom.json > index 8bd299265e39..3f20d4c6413b 100644 > --- a/qapi/qom.json > +++ b/qapi/qom.json > @@ -163,10 +163,16 @@ > # > # @parent: Name of parent type, if any (since 2.10) > # > +# @deprecated: the type is deprecated (since 9.1) > +# > +# @not-secure: the type (typically a device) is not considered > +# a security boundary (since 9.1) > +# > # Since: 1.1 > ## > { 'struct': 'ObjectTypeInfo', > - 'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str' } } > + 'data': { 'name': 'str', '*abstract': 'bool', '*parent': 'str', > + '*deprecated': 'bool', '*not-secure': 'bool' } } > > ## > # @qom-list-types:
On Thu, Jun 06, 2024 at 04:30:07PM +0200, Gerd Hoffmann wrote: > Add flags to ObjectClass for objects which are deprecated or not secure. > Add 'deprecated' and 'not-secure' bools to ObjectTypeInfo, report in > 'qom-list-types'. Print the flags when listing devices via '-device > help'. > > Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> > --- > include/qom/object.h | 3 +++ > qom/qom-qmp-cmds.c | 8 ++++++++ > system/qdev-monitor.c | 8 ++++++++ > qapi/qom.json | 8 +++++++- > 4 files changed, 26 insertions(+), 1 deletion(-) Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|