diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/devel/kconfig.rst | 2 | ||||
| -rw-r--r-- | docs/system/arm/aspeed.rst | 1 | ||||
| -rw-r--r-- | docs/system/arm/nuvoton.rst | 5 | ||||
| -rw-r--r-- | docs/system/deprecated.rst | 12 | ||||
| -rw-r--r-- | docs/tools/virtiofsd.rst | 58 |
5 files changed, 70 insertions, 8 deletions
diff --git a/docs/devel/kconfig.rst b/docs/devel/kconfig.rst index cb2d7ffac0..a1cdbec751 100644 --- a/docs/devel/kconfig.rst +++ b/docs/devel/kconfig.rst @@ -303,5 +303,5 @@ variable:: host_kconfig = \ ('CONFIG_TPM' in config_host ? ['CONFIG_TPM=y'] : []) + \ ('CONFIG_SPICE' in config_host ? ['CONFIG_SPICE=y'] : []) + \ - ('CONFIG_IVSHMEM' in config_host ? ['CONFIG_IVSHMEM=y'] : []) + \ + (have_ivshmem ? ['CONFIG_IVSHMEM=y'] : []) + \ ... diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst index 57ee2bd94f..cec87e3743 100644 --- a/docs/system/arm/aspeed.rst +++ b/docs/system/arm/aspeed.rst @@ -13,6 +13,7 @@ etc. AST2400 SoC based machines : - ``palmetto-bmc`` OpenPOWER Palmetto POWER8 BMC +- ``quanta-q71l-bmc`` OpenBMC Quanta BMC AST2500 SoC based machines : diff --git a/docs/system/arm/nuvoton.rst b/docs/system/arm/nuvoton.rst index ca011bd479..3cd2b2b18d 100644 --- a/docs/system/arm/nuvoton.rst +++ b/docs/system/arm/nuvoton.rst @@ -1,5 +1,5 @@ -Nuvoton iBMC boards (``npcm750-evb``, ``quanta-gsj``) -===================================================== +Nuvoton iBMC boards (``*-bmc``, ``npcm750-evb``, ``quanta-gsj``) +================================================================ The `Nuvoton iBMC`_ chips (NPCM7xx) are a family of ARM-based SoCs that are designed to be used as Baseboard Management Controllers (BMCs) in various @@ -18,6 +18,7 @@ segment. The following machines are based on this chip : The NPCM730 SoC has two Cortex-A9 cores and is targeted for Data Center and Hyperscale applications. The following machines are based on this chip : +- ``quanta-gbs-bmc`` Quanta GBS server BMC - ``quanta-gsj`` Quanta GSJ server BMC There are also two more SoCs, NPCM710 and NPCM705, which are single-core diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst index e2e0090878..70e08baff6 100644 --- a/docs/system/deprecated.rst +++ b/docs/system/deprecated.rst @@ -126,6 +126,18 @@ other options have been processed. This will either have no effect (if if they were not given. The property is therefore useless and should not be specified. +``-display sdl,window_close=...`` (since 6.1) +''''''''''''''''''''''''''''''''''''''''''''' + +Use ``-display sdl,window-close=...`` instead (i.e. with a minus instead of +an underscore between "window" and "close"). + +``-no-quit`` (since 6.1) +'''''''''''''''''''''''' + +The ``-no-quit`` is a synonym for ``-display ...,window-close=off`` which +should be used instead. + QEMU Machine Protocol (QMP) commands ------------------------------------ diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst index 4911e797cb..c4ac7fdf38 100644 --- a/docs/tools/virtiofsd.rst +++ b/docs/tools/virtiofsd.rst @@ -101,6 +101,9 @@ Options Enable/disable extended attributes (xattr) on files and directories. The default is ``no_xattr``. + * posix_acl|no_posix_acl - + Enable/disable posix acl support. Posix ACLs are disabled by default`. + .. option:: --socket-path=PATH Listen on vhost-user UNIX domain socket at PATH. @@ -127,8 +130,8 @@ Options timeout. ``always`` sets a long cache lifetime at the expense of coherency. The default is ``auto``. -xattr-mapping -------------- +Extended attribute (xattr) mapping +---------------------------------- By default the name of xattr's used by the client are passed through to the server file system. This can be a problem where either those xattr names are used @@ -136,6 +139,9 @@ by something on the server (e.g. selinux client/server confusion) or if the virtiofsd is running in a container with restricted privileges where it cannot access some attributes. +Mapping syntax +~~~~~~~~~~~~~~ + A mapping of xattr names can be made using -o xattrmap=mapping where the ``mapping`` string consists of a series of rules. @@ -232,8 +238,48 @@ Note: When the 'security.capability' xattr is remapped, the daemon has to do extra work to remove it during many operations, which the host kernel normally does itself. -xattr-mapping Examples ----------------------- +Security considerations +~~~~~~~~~~~~~~~~~~~~~~~ + +Operating systems typically partition the xattr namespace using +well defined name prefixes. Each partition may have different +access controls applied. For example, on Linux there are multiple +partitions + + * ``system.*`` - access varies depending on attribute & filesystem + * ``security.*`` - only processes with CAP_SYS_ADMIN + * ``trusted.*`` - only processes with CAP_SYS_ADMIN + * ``user.*`` - any process granted by file permissions / ownership + +While other OS such as FreeBSD have different name prefixes +and access control rules. + +When remapping attributes on the host, it is important to +ensure that the remapping does not allow a guest user to +evade the guest access control rules. + +Consider if ``trusted.*`` from the guest was remapped to +``user.virtiofs.trusted*`` in the host. An unprivileged +user in a Linux guest has the ability to write to xattrs +under ``user.*``. Thus the user can evade the access +control restriction on ``trusted.*`` by instead writing +to ``user.virtiofs.trusted.*``. + +As noted above, the partitions used and access controls +applied, will vary across guest OS, so it is not wise to +try to predict what the guest OS will use. + +The simplest way to avoid an insecure configuration is +to remap all xattrs at once, to a given fixed prefix. +This is shown in example (1) below. + +If selectively mapping only a subset of xattr prefixes, +then rules must be added to explicitly block direct +access to the target of the remapping. This is shown +in example (2) below. + +Mapping examples +~~~~~~~~~~~~~~~~ 1) Prefix all attributes with 'user.virtiofs.' @@ -271,7 +317,9 @@ stripping of 'user.virtiofs.'. The second rule hides unprefixed 'trusted.' attributes on the host. The third rule stops a guest from explicitly setting -the 'user.virtiofs.' path directly. +the 'user.virtiofs.' path directly to prevent access +control bypass on the target of the earlier prefix +remapping. Finally, the fourth rule lets all remaining attributes through. |