Skip to content

guest agent: add --allow-rpcs / whitelist mode

Goal

Currently qemu-ga offers the --blacklist or --block-rpcs option to block some RPCs coming from the host to the guest. I would perfer to configure it the other way round, by just allowing certain given RPCs.

Consider a "appliance" type VM that is fairly customized and could malfunction upon executing some RPC. There you want to carefully check each RPC and only allow it if it doesn't interfere with the operation. Updating to a newer version of qemu-ga could bring support for new RPCs that weren't included in such a check. Only having the option to block certain RPCs makes updating qemu-ga harder, as you would have to individually test each new version for added RPCs.

Also from a security perspective it would be better to just allow certain RPCs.

Technical details

I suggest adding a --allow-rpcs=LIST option. Using --block-rpcs and --allow-rpcs together should be prohibited.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information