From: Marc-André Lureau <[email protected]>

libslirp is known to have several security flaws; we should make it explicit by warning the users and in the documentation.
Signed-off-by: Marc-André Lureau <[email protected]> --- docs/system/net.rst | 9 +++++++++ net/slirp.c | 2 ++ qemu-options.hx | 4 +++- 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/docs/system/net.rst b/docs/system/net.rst index 4b2640c448..1caac062a4 100644 --- a/docs/system/net.rst +++ b/docs/system/net.rst @@ -41,6 +41,13 @@ download OpenVPN from : https://openvpn.net/. Using the user mode network stack ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.. warning:: + The user mode network stack (`slirp`_) is notoriously unsafe. We strongly + discourage its usage in a production environment. It is mostly useful for + developers or informed end-users. It is recommended to use other networking + solutions, or a dedicated standalone slirp process with the minimum + privileges. + By using the option ``-net user`` (default configuration if no ``-net`` option is specified), QEMU uses a completely user mode network stack (you don't need root privilege to use the virtual network). The virtual @@ -98,3 +105,5 @@ option, it is possible to create emulated networks that span several QEMU instances. See the description of the ``-netdev socket`` option in :ref:`sec_005finvocation` to have a basic example. + +.. _slirp: https://gitlab.freedesktop.org/slirp/libslirp diff --git a/net/slirp.c b/net/slirp.c index ad3a838e0b..80891eefbb 100644 --- a/net/slirp.c +++ b/net/slirp.c @@ -388,6 +388,8 @@ static int net_slirp_init(NetClientState *peer, const char *model, char *end; struct slirp_config_str *config; + warn_report("User mode network stack is unsafe!"); + if (!ipv4 && (vnetwork || vhost || vnameserver)) { error_setg(errp, "IPv4 disabled but netmask/host/dns provided"); return -1; diff --git a/qemu-options.hx b/qemu-options.hx index 14258784b3..b46a231ba6 100644 --- a/qemu-options.hx +++ b/qemu-options.hx 
@@ -2652,7 +2652,9 @@ SRST ``-netdev user,id=id[,option][,option][,...]`` Configure user mode host network backend which requires no - administrator privilege to run. Valid options are: + administrator privilege to run, but is notoriously **unsafe**! + + Valid options are: ``id=id`` Assign symbolic name for use in monitor commands. -- 2.29.0
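Review bot: In docs/system/net.rst, the new warning calls the stack "notoriously unsafe" without saying what the exposure is, and the unchanged paragraph right after it still describes ``-net user`` as the default configuration when no ``-net`` option is specified. The page therefore discourages a backend and presents it as the default in adjacent paragraphs. Suggest stating in one sentence what is at risk (the commit message says libslirp has several known security flaws), noting that the default configuration is affected, and naming or linking the "other networking solutions" and the way to run the "dedicated standalone slirp process" so the reader has something to act on.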
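Review bot: In net/slirp.c, warn_report("User mode network stack is unsafe!") is called unconditionally at the top of net_slirp_init(), ahead of the IPv4 argument check that can still fail through error_setg() and return -1, so the warning is printed even when initialisation is rejected, and again for every user netdev that is initialised. Because the docs hunk says this backend is the default when no ``-net`` option is given, users who never selected it will see the message with no hint of what to do about it. Suggest moving the call after the argument validation, using warn_report_once(), and wording the message so it points at the warning added to the documentation.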
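Review bot: In qemu-options.hx, the ``-netdev user`` description now ends with "but is notoriously **unsafe**!" and carries no reference to the fuller warning added in docs/system/net.rst or to any alternative. Suggest replacing the exclamation with a neutral sentence and cross-referencing the net.rst section, so the option reference and the system documentation give the same guidance.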
