Philippe Mathieu-Daudé <phi...@redhat.com> writes:

> On 7/5/19 3:19 PM, Markus Armbruster wrote:
>> Philippe Mathieu-Daudé <phi...@redhat.com> writes:
>>> On 7/5/19 10:07 AM, Stefan Hajnoczi wrote:
>>>> On Thu, Jul 04, 2019 at 11:28:37AM +0100, Daniel P. Berrangé wrote:
>>>>> On Thu, Jul 04, 2019 at 11:24:57AM +0100, Stefan Hajnoczi wrote:
[...]
>>>>>> What is the concern about adding these environment variables to QEMU?
>>>>>>
>>>>>> It is convenient to be able to use tracing even if QEMU is invoked by
>>>>>> something you cannot modify/control.
>>>>>>
>>>>>> The main issues I see with environment variables are:
>>>>>>
>>>>>> 1. Security. Is there a scenario where an attacker can use environment
>>>>>> variables to influence the behavior of a QEMU process running at a
>>>>>> different trust level?
>>
>> The common (and sad) solution for this is to require whatever runs $PROG
>> at a different trust level to scrub the environment.
>
> I hope people concerned by security build QEMU with the NOP trace backend.

I sure hope at least one of our tracing backends (other than nop) can be used safely in production.

>>>>>> 2. Name collision. What is the chance that existing users already
>>>>>> define environment variables with these names and that unexpected
>>>>>> behavior could result?
[...]