Experimental fork of QEMU with video encoding patches https://git.openslx.org/bwlp/qemu.git/atom/docs/security.texi?h=spice_video_codecs 2020-03-06T10:04:57+00:00 2020-03-06T10:04:57+00:00 Paolo Bonzini 2020-02-28T15:35:57+00:00 urn:sha1:abcd92db6a7b725e16826ee2e3fcb13cfe3a96c2 Since qemu-doc.texi is mostly including files from docs/system, move the existing include files there for consistency. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Tested-by: Alex Bennée <alex.bennee@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Message-id: 20200228153619.9906-12-peter.maydell@linaro.org Message-id: 20200226113034.6741-12-pbonzini@redhat.com [PMM: update MAINTAINERS line for qemu-option-trace.texi] Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org> 2019-07-19T13:21:08+00:00 Daniel P. Berrangé 2019-07-03T13:41:35+00:00 urn:sha1:4f24430821c568936aeda417bbb00e989a9e1984 A supposed exploit of QEMU was recently announced as CVE-2019-12928 claiming that the monitor console was insecure because the "migrate" command enabled arbitrary command execution for a remote attacker. To be a security risk the user launching QEMU must have configured the monitor in a way that allows for other users to access it. The exploit report quoted use of the "tcp" character device backend for QMP. This would indeed allow any network user to connect to QEMU and execute arbitrary commands, however, this is not a flaw in QEMU. It is the normal expected behaviour of the monitor console and the commands it supports. Given a monitor connection, there are many ways to access host file system content besides the migrate command. The reality is that the monitor console (whether QMP or HMP) is considered a privileged interface to QEMU and as such must only be made available to trusted users. IOW, making it available with no authentication over TCP is simply a, very serious, user configuration error not a security flaw in QEMU itself. The one thing this bogus security report highlights though is that we have not clearly documented the security implications around the use of the monitor. Add a few paragraphs of text to the security docs explaining why the monitor is a privileged interface and making a recommendation to only use the UNIX socket character device backend. Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> 2019-05-10T09:53:52+00:00 Stefan Hajnoczi 2019-05-09T12:18:20+00:00 urn:sha1:e84125761f78919fe63616d9888ea45e72dc956f This new chapter in the QEMU documentation covers the security requirements that QEMU is designed to meet and principles for securely deploying QEMU. It is just a starting point that can be extended in the future with more information. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Acked-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: Li Qiang <liq3ea@gmail.com> Message-id: 20190509121820.16294-3-stefanha@redhat.com Message-Id: <20190509121820.16294-3-stefanha@redhat.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>