While of course not as fast as a block device mapping, the reduction of copies (virtfs provides zero-copy data passthrough) makes virtfs considerably faster than NFS or CIFS from the guest. This means that even if you're pointing the virtfs at a network mount, you'll still see a speed improvement from the reduction in copies needed to get data on/off the wire.
Of course, the security model is dependent on getting the programming right, this is why the most common qemu execution paths use selinux/apparmor to implement access control on top of just the virtualization.
If you want a real fun mind bender, try making qemu-KVM work from inside docker, without running a full privileged container. It's doable, but something of a challenge. FWIW, QEMU itself doesn't need root, only /dev/kvm access. (Which has also needed security attention in the past).
In terms of speed sensitive HPC workloads though, I bet v9fs is definitely used in production. Hopefully those people are also careful enough to use mandatory access control to sandbox QEMU, since thats definitely not a default libvirt-style setup.
I've never heard of anyone using this kind of thing outside of personal VMs or development.
Really, it's not competing with NFS/SMB, it's just aimed at fast passthrough for local filesystems.
However, having read a decent amount of the code myself, it is pretty crappy/sketchy.
However, it's not a lot of code and the basic idea is sound and the protocol is simple and well designed, it really wouldn't take someone with the right skills long to rototill it and make some drastic improvements (there's performance gains to be had in there, too).
(It mostly has support for the CPUs we support and for the OSes but not always in all combinations, eg no ARM FreeBSD support. It also sometimes doesn't support the range of OS versions we do, eg no OSX 10.6 support, no support for Windows before Windows 7. And some things are only in Rust's tier 3, like OpenBSD support. We'd also need to dump some of the "probably nobody's using this really" older platform support code, like ia64 or Solaris.)
Oh, and Rust would need to be in the stable/LTS releases of distros before we could use it. That's going to take time to percolate through.
For things like ARM FreeBSD support, given that Rust already supports ARM non-FreeBSD and FreeBSD non-ARM, I think the blockers are likely to be random #defines for system calls (unless the FreeBSD folks are using a different userspace ABI on ARM than, e.g., Linux on ARM). Those are interesting if your goal is to reimplement QEMU in Rust, but they're not interesting if your goal is to reimplement the 9P protocol in Rust.
It looks like Windows XP is pretty well supported, and the primary reason it doesn't have official support is that the OS itself is out of support? (You can also take sitkack's suggestion of just not enabling the security-focused code on a no-longer-security-supported OS.) Rust's standard library doesn't work on OS X 10.6 because of a change in TLS / threading models in 10.7, but again, if Rust isn't opening threads or allocating memory and is leaving that all to C, you don't care.
Does the QEMU project treat OpenBSD, ia64, and Solaris as effectively more supported than what Rust calls tier 3? Do you do automatic builds on those platforms? If I report a bug that shows up only on those platforms, are developers likely to have access to such systems to reproduce them? If not, having a tier 3 build of QEMU depend on a tier 3 build of Rust seems totally fine.
Yes, this is accurate. It's a "best effort" kind of thing; the OS doesn't have certain primitives that would be needed for a full implementation of libstd; IIRC concurrency primitives are the main culprit?
I see this pattern where an Open Source project supports so many platforms and old versions of operating systems that security bugs become pervasive for a variety of reasons, 1) no knowledge of old platform, 2) hard for new devs to test 3) piles of ifdefs make code complex, filled with magic. There are probably at most handfuls of users on those niche platforms.
Maybe it would be nice to freeze a build environment in a container, snapshot the repo and make a legacy source archive should someone want to support Beos or OpenVMS in the future.
> The sheer range supported by a standard GCC C toolchain is very hard for a new language to catch up to.
Agreed. We're working on it, but it'll take time. If you have any thoughts on prioritization here, we're always trying to figure that out.
> no support for Windows before Windows 7.
To be clear, this is "before Vista", and we support compiling _to_ XP, but not XP hosts.
Have a look at vvfat.
What you're saying, I think, is that the SELinux could have been used to encapsulate the host process from the rest of the system. Which is true, but sort of specious. Traditional unix security paradigms (e.g. run every guest instance in its own UID, whatever) would have worked fine to mitigate the damage too.
SELinux/Apparmor defeat most of the latest vulnerabilities in QEMU.
Outside the guest, sure, you could use SELinux to firewall VMs from access to anything more than a minimal filesystem. But you could use any of a zillion other techniques too. It's a specious point not relevant to this exploit, which certainly cannot have been prevented by SELinux.
 Which has to be developed, after all. Simply saying you're "using SELinux" does nothing to prove to me you have no vulnerabilities or mistakes in your rule set.
"Entire host filesystem" is "/" and anything below, right? If your QEMU process is running in a SELinux context, there is no way it could access the "entire host filesystem".
And as your footnote, a mistake in SELinux configuration is highly unlikely. Once your process is running in a context, you have to have an explicit transition to the unconfined context or you have to relabel the "entire host filesystem" with the context of the QEMU process.
With this vulnerability, the app might have escaped the sandbox and added evil stuff to my .bashrc. The SELinux would be totally useless there.
In other circumstances, the damage would be much more localized -- I mean, if you run qemu as daemon, you are likely doing it as non-privileged user anyway, so even regular unix permissions would be effective.
On the other hand, there are people who need QEMU features: we have a QEMU-based test script for boot images which actually uses a few more exotic features to simulate the target environment.
Well, that’d not necessarily be bad for the dev community.
I probably would have chosen gentler phrasing.
If you're just playing old games, you are probably fine. (Likely wouldn't need to worry about other security exploits either for that case.)