guest agent: add --allow-rpcs / whitelist mode
Goal
Currently qemu-ga offers the --blacklist or --block-rpcs option to block some RPCs coming from the host to the guest. I would prefer to configure it the other way round, by just allowing certain given RPCs.
Consider an "appliance" type VM that is fairly customized and could malfunction upon executing some RPC. There you want to carefully check each RPC and only allow it if it doesn't interfere with the operation. Updating to a newer version of qemu-ga could bring support for new RPCs that weren't included in such a check. Only having the option to block certain RPCs makes updating qemu-ga harder, as you would have to individually test each new version for added RPCs.
Also from a security perspective it would be better to just allow certain RPCs.
Technical details
I suggest adding a --allow-rpcs=LIST option. Using --block-rpcs and --allow-rpcs together should be prohibited.
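
An added sketch in C, not part of the original issue and not qemu-ga's code, of the behaviour the request describes: the two options are mutually exclusive, and only allow mode keeps an RPC introduced by an upgrade disabled. The RpcFilter type, the function names, the comma-separated list format and the RPC name guest-example-new are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical filter state, not qemu-ga's own: NULL means option not given. */
typedef struct { const char *allow, *block; } RpcFilter;

/* True if name is an exact element of a comma-separated list. */
static bool list_has(const char *list, const char *name) {
    size_t n = strlen(name);
    while (list && *list) {
        const char *end = strchr(list, ',');
        size_t len = end ? (size_t)(end - list) : strlen(list);
        if (len == n && memcmp(list, name, n) == 0)
            return true;
        list = end ? end + 1 : list + len;
    }
    return false;
}

/* The proposal prohibits giving both options at once. */
bool filter_valid(const RpcFilter *f) { return !(f->allow && f->block); }

/* Allow mode is default-deny; block mode (or no option) is default-allow. */
bool rpc_enabled(const RpcFilter *f, const char *rpc) {
    if (f->allow)
        return list_has(f->allow, rpc);
    return !(f->block && list_has(f->block, rpc));
}

/* Number of RPCs from an agent build that a filter leaves enabled. */
size_t count_enabled(const RpcFilter *f, const char *const *rpcs, size_t n) {
    size_t enabled = 0;
    for (size_t i = 0; i < n; i++)
        enabled += rpc_enabled(f, rpcs[i]);
    return enabled;
}

/* Constructed sample: the upgraded build adds one made-up RPC name. */
const char *const OLD_RPCS[] = { "guest-ping", "guest-info", "guest-exec" };
const char *const NEW_RPCS[] = { "guest-ping", "guest-info", "guest-exec", "guest-example-new" };

int main(void) {
    RpcFilter block = { NULL, "guest-exec" }, allow = { "guest-ping,guest-info", NULL };
    printf("after upgrade: block mode %zu enabled, allow mode %zu enabled\n",
           count_enabled(&block, NEW_RPCS, 4), count_enabled(&allow, NEW_RPCS, 4));
    return 0;
}
```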