On 23/03/2015 11:04, Markus Armbruster wrote:
> Probing is convenient, but probing untrusted raw images is insecure
> (CVE-2008-2004). To avoid it, users should always specify raw format
> explicitly. This isn't trivial, and even sophisticated users have
> gotten it wrong (libvirt CVE-2010-2237, CVE-2010-2238, CVE-2010-2239,
> plus more recent variations of the theme that didn't get CVEs because
> they were caught before they could hurt users).
>
> Disabling probing entirely is a (hamfisted) way to ensure you always
> specify the format.
>
> Instead of creating yet another simple option that doesn't work with
> -readconfig, create a "misc" option group and --misc command line
> option. We're out of space in vm_config_groups[], so double it.
>
> This will let us make existing miscellaneous non-QemuOpts options
> sugar for --misc, so they become available with -readconfig. Left for
> another day.
Which exactly? Could they fit into another scheme? (See how -mem-prealloc was replaced and generalized by memory-backend-* objects.) For example, -win2k-install-hack should really be an IDE disk property that can be set with -global, and many other options could be machine or display options.

I don't think it's the right solution. Libvirt knows where to add a format=raw option, and it can do it without waiting for QEMU to implement this. Direct command-line users are not going to use the option anyway.

So for today we're 1-1 on NACKs. :D

Paolo
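An added example, not code from this thread or from QEMU: a small POSIX shell audit that flags -drive options and -readconfig [drive] sections with no explicit format=, the omission the quoted message warns about (CVE-2008-2004: QEMU has to probe the image instead). The function names and the sample command line and config file are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the qemu-devel thread or QEMU itself).
# Flags drive definitions that leave the image format to be probed.

# Returns 0 if the given -drive option string names a format explicitly,
# 1 if QEMU would have to probe the image (unsafe for untrusted raw images).
drive_has_explicit_format() {
    case ",$1," in
        *,format=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Scan a whole QEMU command line (passed as arguments) and print every
# -drive spec that lacks format=. Returns 0 when nothing is missing.
audit_qemu_args() {
    missing=0
    while [ $# -gt 0 ]; do
        if [ "$1" = "-drive" ] && [ $# -gt 1 ]; then
            shift
            if ! drive_has_explicit_format "$1"; then
                echo "probed (no format=): -drive $1"
                missing=$((missing + 1))
            fi
        fi
        shift
    done
    [ "$missing" -eq 0 ]
}

# Same check for a -readconfig style file: every [drive ...] section must
# carry a 'format = "..."' line. Returns 0 when every drive is explicit.
audit_readconfig() {
    awk '
        /^\[/ { if (indrive && !hasfmt) { print "probed (no format): " sect; bad++ }
                sect = $0; indrive = ($0 ~ /^\[drive/); hasfmt = 0 }
        indrive && $1 == "format" { hasfmt = 1 }
        END { if (indrive && !hasfmt) { print "probed (no format): " sect; bad++ }
              exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the first drive relies on probing, the second is explicit.
# audit_qemu_args -m 1024 -drive file=guest.img,if=virtio -drive file=data.img,format=raw
```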
