qemu: conf: Remove 'allow_disk_format_probing' config option

The option is insecure and it has been long enough for users to migrate their disk files to use explicit format. Drop the option and related code. The config parser still parses it and rejects statup if it's still present in the config in enabled state. The augeas lens is also kept so that users can disable it. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2025-01-11 15:27:47 +00:00 · 2018-06-04 09:00:27 +02:00 · 2018-06-04 09:00:27 +02:00 · c95f50cb02
commit c95f50cb02
parent 18d94e17f8
6 changed files with 28 additions and 68 deletions
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@ -650,18 +650,6 @@
 #relaxed_acs_check = 1
 # If allow_disk_format_probing is enabled, libvirt will probe disk
 # images to attempt to identify their format, when not otherwise
 # specified in the XML. This is disabled by default.
 #
 # WARNING: Enabling probing is a security hole in almost all
 # deployments. It is strongly recommended that users update their
 # guest XML <disk> elements to include  <driver type='XXXX'/>
 # elements instead of enabling this option.
 #
 #allow_disk_format_probing = 1
 # In order to prevent accidentally starting two domains that
 # share one writable disk, libvirt offers two approaches for
 # locking files. The first one is sanlock, the other one,
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@ -511,6 +511,7 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
    char **nvram = NULL;
    char *corestr = NULL;
    char **namespaces = NULL;
    bool tmp;
    /* Just check the file is readable before opening it, otherwise
     * libvirt emits an error.
@ -803,8 +804,13 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
        goto cleanup;
    if (virConfGetValueBool(conf, "clear_emulator_capabilities", &cfg->clearEmulatorCapabilities) < 0)
        goto cleanup;
-    if (virConfGetValueBool(conf, "allow_disk_format_probing", &cfg->allowDiskFormatProbing) < 0)
+    if (virConfGetValueBool(conf, "allow_disk_format_probing", &tmp) < 0)
        goto cleanup;
    if (tmp) {
        virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                       _("allow_disk_format_probing is no longer supported"));
        goto cleanup;
    }
    if (virConfGetValueBool(conf, "set_process_name", &cfg->setProcessName) < 0)
        goto cleanup;
    if (virConfGetValueUInt(conf, "max_processes", &cfg->maxProcesses) < 0)
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@ -164,7 +164,6 @@ struct _virQEMUDriverConfig {
    bool vncAllowHostAudio;
    bool nogfxAllowHostAudio;
    bool clearEmulatorCapabilities;
    bool allowDiskFormatProbing;
    bool setProcessName;
    unsigned int maxProcesses;
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@ -5973,39 +5973,23 @@ qemuDomainDeviceDiskDefPostParseRestoreSecAlias(virDomainDiskDefPtr disk,
 static int
 qemuDomainDeviceDiskDefPostParse(virDomainDiskDefPtr disk,
                                 virQEMUCapsPtr qemuCaps,
-                                 unsigned int parseFlags,
+                                 unsigned int parseFlags)
                                 virQEMUDriverConfigPtr cfg)
 {
    /* set default disk types and drivers */
-    /* assign default storage format and driver according to config */
+    if (!virDomainDiskGetDriver(disk) &&
-    if (cfg->allowDiskFormatProbing) {
+        virDomainDiskSetDriver(disk, "qemu") < 0)
-        /* default disk format for drives */
+        return -1;
        if (virDomainDiskGetFormat(disk) == VIR_STORAGE_FILE_NONE &&
            (virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_FILE ||
             virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_BLOCK))
            virDomainDiskSetFormat(disk, VIR_STORAGE_FILE_AUTO);
-        /* default disk format for mirrored drive */
+    /* default disk format for drives */
-        if (disk->mirror &&
+    if (virDomainDiskGetFormat(disk) == VIR_STORAGE_FILE_NONE &&
-            disk->mirror->format == VIR_STORAGE_FILE_NONE)
+        (virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_FILE ||
-            disk->mirror->format = VIR_STORAGE_FILE_AUTO;
+         virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_BLOCK))
-    } else {
+        virDomainDiskSetFormat(disk, VIR_STORAGE_FILE_RAW);
        /* default driver if probing is forbidden */
        if (!virDomainDiskGetDriver(disk) &&
            virDomainDiskSetDriver(disk, "qemu") < 0)
            return -1;
-        /* default disk format for drives */
+    /* default disk format for mirrored drive */
-        if (virDomainDiskGetFormat(disk) == VIR_STORAGE_FILE_NONE &&
+    if (disk->mirror &&
-            (virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_FILE ||
+        disk->mirror->format == VIR_STORAGE_FILE_NONE)
-             virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_BLOCK))
+        disk->mirror->format = VIR_STORAGE_FILE_RAW;
            virDomainDiskSetFormat(disk, VIR_STORAGE_FILE_RAW);
        /* default disk format for mirrored drive */
        if (disk->mirror &&
            disk->mirror->format == VIR_STORAGE_FILE_NONE)
            disk->mirror->format = VIR_STORAGE_FILE_RAW;
    }
    if (qemuDomainDeviceDiskDefPostParseRestoreSecAlias(disk, qemuCaps,
                                                        parseFlags) < 0)
@ -6100,7 +6084,6 @@ qemuDomainDeviceDefPostParse(virDomainDeviceDefPtr dev,
     * function shall not fail in that case. It will be re-run on VM startup
     * with the capabilities populated. */
    virQEMUCapsPtr qemuCaps = parseOpaque;
    virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
    int ret = -1;
    switch ((virDomainDeviceType) dev->type) {
@ -6110,7 +6093,7 @@ qemuDomainDeviceDefPostParse(virDomainDeviceDefPtr dev,
    case VIR_DOMAIN_DEVICE_DISK:
        ret = qemuDomainDeviceDiskDefPostParse(dev->data.disk, qemuCaps,
-                                               parseFlags, cfg);
+                                               parseFlags);
        break;
    case VIR_DOMAIN_DEVICE_VIDEO:
@ -6168,7 +6151,6 @@ qemuDomainDeviceDefPostParse(virDomainDeviceDefPtr dev,
        break;
    }
    virObjectUnref(cfg);
    return ret;
 }
@ -7182,11 +7164,6 @@ void qemuDomainObjCheckDiskTaint(virQEMUDriverPtr driver,
                                 qemuDomainLogContextPtr logCtxt)
 {
    virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
    int format = virDomainDiskGetFormat(disk);
    if ((!format || format == VIR_STORAGE_FILE_AUTO) &&
        cfg->allowDiskFormatProbing)
        qemuDomainObjTaint(driver, obj, VIR_DOMAIN_TAINT_DISK_PROBING, logCtxt);
    if (disk->rawio == VIR_TRISTATE_BOOL_YES)
        qemuDomainObjTaint(driver, obj, VIR_DOMAIN_TAINT_HIGH_PRIVILEGES,
@ -8142,8 +8119,7 @@ qemuDomainDetermineDiskChain(virQEMUDriverPtr driver,
    qemuDomainGetImageIds(cfg, vm, src, disk->src, &uid, &gid);
    if (virStorageFileGetMetadata(src,
-                                  uid, gid,
+                                  uid, gid, false,
                                  cfg->allowDiskFormatProbing,
                                  report_broken) < 0)
        goto cleanup;
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@ -365,8 +365,6 @@ qemuSecurityInit(virQEMUDriverPtr driver)
    virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
    unsigned int flags = 0;
    if (cfg->allowDiskFormatProbing)
        flags |= VIR_SECURITY_MANAGER_ALLOW_DISK_PROBE;
    if (cfg->securityDefaultConfined)
        flags |= VIR_SECURITY_MANAGER_DEFAULT_CONFINED;
    if (cfg->securityRequireConfined)
@ -11966,8 +11964,7 @@ qemuStorageLimitsRefresh(virQEMUDriverPtr driver,
    if (virStorageSourceUpdateBackingSizes(src, fd, &sb) < 0)
        goto cleanup;
-    if (virStorageSourceUpdateCapacity(src, buf, len,
+    if (virStorageSourceUpdateCapacity(src, buf, len, false) < 0)
                                       cfg->allowDiskFormatProbing) < 0)
        goto cleanup;
    /* If guest is not using raw disk format and is on a host block
@ -14196,16 +14193,11 @@ qemuDomainSnapshotCreateInactiveExternal(virQEMUDriverPtr driver,
                                   defdisk->src->path,
                                   virStorageFileFormatTypeToString(defdisk->src->format));
        } else {
-            if (!cfg->allowDiskFormatProbing) {
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
-                virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                           _("unknown image format of '%s' and "
-                               _("unknown image format of '%s' and "
+                             "format probing is disabled"),
-                                 "format probing is disabled"),
+                           defdisk->src->path);
-                               defdisk->src->path);
+            goto cleanup;
                goto cleanup;
            }
            /* adds cmd line arg: backing_file=/path/to/backing/file */
            virCommandAddArgFormat(cmd, "backing_file=%s", defdisk->src->path);
        }
        /* adds cmd line args: /path/to/target/file */
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@ -79,7 +79,6 @@ module Test_libvirtd_qemu =
 { "dump_guest_core" = "1" }
 { "mac_filter" = "1" }
 { "relaxed_acs_check" = "1" }
 { "allow_disk_format_probing" = "1" }
 { "lock_manager" = "lockd" }
 { "max_queued" = "0" }
 { "keepalive_interval" = "5" }