From nobody Sun Nov 24 20:02:41 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1720790861; cv=none; d=zohomail.com; s=zohoarc; b=HrhjcOelKB77BbgZoj1xx6Hhezmidg9I6xkzUD4c3QgkXVgMj3pkHYSeIjwXnbjRHtcI5EHR8bZ4xjNYNuV8C+zLyrWHoRglEgFdLvXjzKVZh/K7dVmRDYPwFQGUGVpQU263crhmzRoDrZn9zRFPIaEbp+sdDZ+1oVj8l61rwaU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1720790861; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=IxwMPr18DwYtTlNkl5hng7w3xTEyRUqI/jLVnfYZ18c=; b=Q6PdYANv4laf7pTLUlubvFTbtFU4OMafkypY0za71LPrnT62bSBdwgU8ige8//5FsP3xe/9KCIlYNAnFToqp5qSW47Vyb+Gkc8bK8vh5vZJCEX3vKL2EZOtefyVbNVbyHzaDHM0n4JRdiOkE8VDFvb0f7kuycNScTqCB9kZuIvY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1720790861448529.940619103623; Fri, 12 Jul 2024 06:27:41 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sSGIQ-0000Wx-DP; Fri, 12 Jul 2024 09:26:46 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sSGIC-0007Qa-O5 for qemu-devel@nongnu.org; Fri, 12 Jul 2024 09:26:32 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sSGIA-0004BF-Ce for qemu-devel@nongnu.org; Fri, 12 Jul 2024 09:26:32 -0400 Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-146-obPOXoqsNEiaY81ff3d3jQ-1; Fri, 12 Jul 2024 09:26:25 -0400 Received: from mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.17]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 994721955F2B; Fri, 12 Jul 2024 13:26:24 +0000 (UTC) Received: from toolbox.redhat.com (unknown [10.42.28.56]) by mx-prod-int-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id BBE2F1955F40; Fri, 12 Jul 2024 13:26:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1720790788; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=IxwMPr18DwYtTlNkl5hng7w3xTEyRUqI/jLVnfYZ18c=; b=X+sLy4nFP3FW3bfxPT4bDub38dj7Y3xvPL5EEFhdepjr2EHnVdkbHv5dL3MthWCAKzw7o1 Y6PU5Ez8dh7oCXC7PHz8El/O6WAXBeXwCDcmL1z0bHpe+NqYAWycY/5HN1wOHCtLeWwfLp wefrVz3AXtUdDq15uoG+eNgjaHYjNHE= X-MC-Unique: obPOXoqsNEiaY81ff3d3jQ-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Cc: Thomas Huth , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Michael Roth , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Paolo Bonzini , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , Konstantin Kostiuk Subject: [PATCH v3 22/22] qga: centralize logic for disabling/enabling commands Date: Fri, 12 Jul 2024 14:24:59 +0100 Message-ID: <20240712132459.3974109-23-berrange@redhat.com> In-Reply-To: <20240712132459.3974109-1-berrange@redhat.com> References: <20240712132459.3974109-1-berrange@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=berrange@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -21 X-Spam_score: -2.2 X-Spam_bar: -- X-Spam_report: (-2.2 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.138, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1720790862223116600 It is confusing having many different pieces of code enabling and disabling commands, and it is not clear that they all have the same semantics, especially wrt prioritization of the block/allow lists. The code attempted to prevent the user from setting both the block and allow lists concurrently, however, the logic was flawed as it checked settings in the configuration file separately from the command line arguments. Thus it was possible to set a block list in the config file and an allow list via a command line argument. The --dump-conf option also creates a configuration file with both keys present, even if unset, which means it is creating a config that cannot actually be loaded again. Centralizing the code in a single method "ga_apply_command_filters" will provide a strong guarantee of consistency and clarify the intended behaviour. With this there is no compelling technical reason to prevent concurrent setting of both the allow and block lists, so this flawed restriction is removed. Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Konstantin Kostiuk --- docs/interop/qemu-ga.rst | 14 +++++ qga/commands-posix.c | 6 -- qga/commands-win32.c | 6 -- qga/main.c | 128 +++++++++++++++++---------------------- 4 files changed, 70 insertions(+), 84 deletions(-) diff --git a/docs/interop/qemu-ga.rst b/docs/interop/qemu-ga.rst index e42b370319..fb75cfd8d4 100644 --- a/docs/interop/qemu-ga.rst +++ b/docs/interop/qemu-ga.rst @@ -28,6 +28,20 @@ configuration options on the command line. For the same = key, the last option wins, but the lists accumulate (see below for configuration file format). =20 +If an allowed RPCs list is defined in the configuration, then all +RPCs will be blocked by default, except for the allowed list. + +If a blocked RPCs list is defined in the configuration, then all +RPCs will be allowed by default, except for the blocked list. + +If both allowed and blocked RPCs lists are defined in the configuration, +then all RPCs will be blocked by default, then the allowed list will +be applied, followed by the blocked list. + +While filesystems are frozen, all except for a designated safe set +of RPCs will blocked, regardless of what the general configuration +declares. + Options ------- =20 diff --git a/qga/commands-posix.c b/qga/commands-posix.c index f4104f2760..578d29f228 100644 --- a/qga/commands-posix.c +++ b/qga/commands-posix.c @@ -1136,12 +1136,6 @@ error: =20 #endif /* HAVE_GETIFADDRS */ =20 -/* add unsupported commands to the list of blocked RPCs */ -GList *ga_command_init_blockedrpcs(GList *blockedrpcs) -{ - return blockedrpcs; -} - /* register init/cleanup routines for stateful command groups */ void ga_command_state_init(GAState *s, GACommandState *cs) { diff --git a/qga/commands-win32.c b/qga/commands-win32.c index 5866cc2e3c..61b36da469 100644 --- a/qga/commands-win32.c +++ b/qga/commands-win32.c @@ -1958,12 +1958,6 @@ done: g_free(rawpasswddata); } =20 -/* add unsupported commands to the list of blocked RPCs */ -GList *ga_command_init_blockedrpcs(GList *blockedrpcs) -{ - return blockedrpcs; -} - /* register init/cleanup routines for stateful command groups */ void ga_command_state_init(GAState *s, GACommandState *cs) { diff --git a/qga/main.c b/qga/main.c index 6ae911eb15..b8f7b1e4a3 100644 --- a/qga/main.c +++ b/qga/main.c @@ -423,60 +423,79 @@ static gint ga_strcmp(gconstpointer str1, gconstpoint= er str2) return strcmp(str1, str2); } =20 -/* disable commands that aren't safe for fsfreeze */ -static void ga_disable_not_allowed_freeze(const QmpCommand *cmd, void *opa= que) +static bool ga_command_is_allowed(const QmpCommand *cmd, GAState *state) { - bool allowed =3D false; int i =3D 0; + GAConfig *config =3D state->config; const char *name =3D qmp_command_name(cmd); + /* Fallback policy is allow everything */ + bool allowed =3D true; =20 - while (ga_freeze_allowlist[i] !=3D NULL) { - if (strcmp(name, ga_freeze_allowlist[i]) =3D=3D 0) { + if (config->allowedrpcs) { + /* + * If an allow-list is given, this changes the fallback + * policy to deny everything + */ + allowed =3D false; + + if (g_list_find_custom(config->allowedrpcs, name, ga_strcmp) !=3D = NULL) { allowed =3D true; } - i++; } - if (!allowed) { - g_debug("disabling command: %s", name); - qmp_disable_command(&ga_commands, name, "the agent is in frozen st= ate"); - } -} =20 -/* [re-]enable all commands, except those explicitly blocked by user */ -static void ga_enable_non_blocked(const QmpCommand *cmd, void *opaque) -{ - GAState *s =3D opaque; - GList *blockedrpcs =3D s->blockedrpcs; - GList *allowedrpcs =3D s->allowedrpcs; - const char *name =3D qmp_command_name(cmd); - - if (g_list_find_custom(blockedrpcs, name, ga_strcmp) =3D=3D NULL) { - if (qmp_command_is_enabled(cmd)) { - return; + /* + * If both allowedrpcs and blockedrpcs are set, the blocked + * list will take priority + */ + if (config->blockedrpcs) { + if (g_list_find_custom(config->blockedrpcs, name, ga_strcmp) !=3D = NULL) { + allowed =3D false; } + } =20 - if (allowedrpcs && - g_list_find_custom(allowedrpcs, name, ga_strcmp) =3D=3D NULL) { - return; - } + /* + * If frozen, this filtering must take priority over + * absolutely everything + */ + if (state->frozen) { + allowed =3D false; =20 - g_debug("enabling command: %s", name); - qmp_enable_command(&ga_commands, name); + while (ga_freeze_allowlist[i] !=3D NULL) { + if (strcmp(name, ga_freeze_allowlist[i]) =3D=3D 0) { + allowed =3D true; + } + i++; + } } + + return allowed; } =20 -/* disable commands that aren't allowed */ -static void ga_disable_not_allowed(const QmpCommand *cmd, void *opaque) +static void ga_apply_command_filters_iter(const QmpCommand *cmd, void *opa= que) { - GList *allowedrpcs =3D opaque; + GAState *state =3D opaque; + bool want =3D ga_command_is_allowed(cmd, state); + bool have =3D qmp_command_is_enabled(cmd); const char *name =3D qmp_command_name(cmd); =20 - if (g_list_find_custom(allowedrpcs, name, ga_strcmp) =3D=3D NULL) { + if (want =3D=3D have) { + return; + } + + if (have) { g_debug("disabling command: %s", name); qmp_disable_command(&ga_commands, name, "the command is not allowe= d"); + } else { + g_debug("enabling command: %s", name); + qmp_enable_command(&ga_commands, name); } } =20 +static void ga_apply_command_filters(GAState *state) +{ + qmp_for_each_command(&ga_commands, ga_apply_command_filters_iter, stat= e); +} + static bool ga_create_file(const char *path) { int fd =3D open(path, O_CREAT | O_WRONLY, S_IWUSR | S_IRUSR); @@ -509,15 +528,14 @@ void ga_set_frozen(GAState *s) if (ga_is_frozen(s)) { return; } - /* disable all forbidden (for frozen state) commands */ - qmp_for_each_command(&ga_commands, ga_disable_not_allowed_freeze, NULL= ); g_warning("disabling logging due to filesystem freeze"); - ga_disable_logging(s); s->frozen =3D true; if (!ga_create_file(s->state_filepath_isfrozen)) { g_warning("unable to create %s, fsfreeze may not function properly= ", s->state_filepath_isfrozen); } + ga_apply_command_filters(s); + ga_disable_logging(s); } =20 void ga_unset_frozen(GAState *s) @@ -549,12 +567,12 @@ void ga_unset_frozen(GAState *s) } =20 /* enable all disabled, non-blocked and allowed commands */ - qmp_for_each_command(&ga_commands, ga_enable_non_blocked, s); s->frozen =3D false; if (!ga_delete_file(s->state_filepath_isfrozen)) { g_warning("unable to delete %s, fsfreeze may not function properly= ", s->state_filepath_isfrozen); } + ga_apply_command_filters(s); } =20 #ifdef CONFIG_FSFREEZE @@ -1086,13 +1104,6 @@ static void config_load(GAConfig *config, const char= *confpath, bool required) split_list(config->aliststr, ","= )); } =20 - if (g_key_file_has_key(keyfile, "general", "block-rpcs", NULL) && - g_key_file_has_key(keyfile, "general", "allow-rpcs", NULL)) { - g_critical("wrong config, using 'block-rpcs' and 'allow-rpcs' keys= at" - " the same time is not allowed"); - exit(EXIT_FAILURE); - } - end: g_key_file_free(keyfile); if (gerr && (required || @@ -1172,7 +1183,6 @@ static void config_parse(GAConfig *config, int argc, = char **argv) { const char *sopt =3D "hVvdc:m:p:l:f:F::b:a:s:t:Dr"; int opt_ind =3D 0, ch; - bool block_rpcs =3D false, allow_rpcs =3D false; const struct option lopt[] =3D { { "help", 0, NULL, 'h' }, { "version", 0, NULL, 'V' }, @@ -1268,7 +1278,6 @@ static void config_parse(GAConfig *config, int argc, = char **argv) } config->blockedrpcs =3D g_list_concat(config->blockedrpcs, split_list(optarg, ",")); - block_rpcs =3D true; break; } case 'a': { @@ -1278,7 +1287,6 @@ static void config_parse(GAConfig *config, int argc, = char **argv) } config->allowedrpcs =3D g_list_concat(config->allowedrpcs, split_list(optarg, ",")); - allow_rpcs =3D true; break; } #ifdef _WIN32 @@ -1319,12 +1327,6 @@ static void config_parse(GAConfig *config, int argc,= char **argv) exit(EXIT_FAILURE); } } - - if (block_rpcs && allow_rpcs) { - g_critical("wrong commandline, using --block-rpcs and --allow-rpcs= at the" - " same time is not allowed"); - exit(EXIT_FAILURE); - } } =20 static void config_free(GAConfig *config) @@ -1435,7 +1437,6 @@ static GAState *initialize_agent(GAConfig *config, in= t socket_activation) s->deferred_options.log_filepath =3D config->log_filepath; } ga_disable_logging(s); - qmp_for_each_command(&ga_commands, ga_disable_not_allowed_freeze, = NULL); } else { if (config->daemonize) { become_daemon(config->pid_filepath); @@ -1459,25 +1460,6 @@ static GAState *initialize_agent(GAConfig *config, i= nt socket_activation) return NULL; } =20 - if (config->allowedrpcs) { - qmp_for_each_command(&ga_commands, ga_disable_not_allowed, config-= >allowedrpcs); - s->allowedrpcs =3D config->allowedrpcs; - } - - /* - * Some commands can be blocked due to system limitation. - * Initialize blockedrpcs list even if allowedrpcs specified. - */ - config->blockedrpcs =3D ga_command_init_blockedrpcs(config->blockedrpc= s); - if (config->blockedrpcs) { - GList *l =3D config->blockedrpcs; - s->blockedrpcs =3D config->blockedrpcs; - do { - g_debug("disabling command: %s", (char *)l->data); - qmp_disable_command(&ga_commands, l->data, NULL); - l =3D g_list_next(l); - } while (l); - } s->command_state =3D ga_command_state_new(); ga_command_state_init(s, s->command_state); ga_command_state_init_all(s->command_state); @@ -1503,6 +1485,8 @@ static GAState *initialize_agent(GAConfig *config, in= t socket_activation) } #endif =20 + ga_apply_command_filters(s); + ga_state =3D s; return s; } --=20 2.45.1