[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH] RFC: net: document "-netdev user" explicitly as unsafe
From: |
marcandre . lureau |
Subject: |
[PATCH] RFC: net: document "-netdev user" explicitly as unsafe |
Date: |
Mon, 7 Jun 2021 15:48:44 +0400 |
From: Marc-André Lureau <marcandre.lureau@redhat.com>
libslirp is known to have several security flaws, we should make it
explicit by warning the users and in the documentation.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
docs/system/net.rst | 9 +++++++++
net/slirp.c | 2 ++
qemu-options.hx | 4 +++-
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/docs/system/net.rst b/docs/system/net.rst
index 4b2640c448..1caac062a4 100644
--- a/docs/system/net.rst
+++ b/docs/system/net.rst
@@ -41,6 +41,13 @@ download OpenVPN from : https://openvpn.net/.
Using the user mode network stack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.. warning::
+ The user mode network stack (`slirp`_) is notoriously unsafe. We strongly
+ discourage its usage in a production environment. It is mostly useful for
+ developers or informed end-users. It is recommended to use other networking
+ solutions, or a dedicated standalone slirp process with the minimum
+ privileges.
+
By using the option ``-net user`` (default configuration if no ``-net``
option is specified), QEMU uses a completely user mode network stack
(you don't need root privilege to use the virtual network). The virtual
@@ -98,3 +105,5 @@ option, it is possible to create emulated networks that span
several
QEMU instances. See the description of the ``-netdev socket`` option in
:ref:`sec_005finvocation` to have a basic
example.
+
+.. _slirp: https://gitlab.freedesktop.org/slirp/libslirp
diff --git a/net/slirp.c b/net/slirp.c
index ad3a838e0b..80891eefbb 100644
--- a/net/slirp.c
+++ b/net/slirp.c
@@ -388,6 +388,8 @@ static int net_slirp_init(NetClientState *peer, const char
*model,
char *end;
struct slirp_config_str *config;
+ warn_report("User mode network stack is unsafe!");
+
if (!ipv4 && (vnetwork || vhost || vnameserver)) {
error_setg(errp, "IPv4 disabled but netmask/host/dns provided");
return -1;
diff --git a/qemu-options.hx b/qemu-options.hx
index 14258784b3..b46a231ba6 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -2652,7 +2652,9 @@ SRST
``-netdev user,id=id[,option][,option][,...]``
Configure user mode host network backend which requires no
- administrator privilege to run. Valid options are:
+ administrator privilege to run, but is notoriously **unsafe**!
+
+ Valid options are:
``id=id``
Assign symbolic name for use in monitor commands.
--
2.29.0
- [PATCH] RFC: net: document "-netdev user" explicitly as unsafe,
marcandre . lureau <=