authorMikko Rapeli <mikko.rapeli@linaro.org>2022-11-14 17:50:38 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-11-20 08:29:07 +0000
commitaa3cb188b853c3ecec1a3c9a141da1e71f7604e5 (patch)
treefa9e7fe9f8879f09f072403e27c4f82b3d5b669b
parent248180ab2dea6af92c93f6c26e0da6d1a4445ae5 (diff)
runqemu: limit slirp host port forwarding to localhost 127.0.0.1
With default slirp port forwarding config qemu listens on TCP ports 2222 and 2323 on all IP addresses available on the build host. Most use cases with runqemu only need it for localhost and it is not safe to run qemu images with root login without password enabled and listening on all available, possibly Internet reachable network interfaces. Limit qemu port forwarding to localhost 127.0.0.1 IP address. Now qemu machine SSH and telnet ports are only reachable from the build host machine, not full Internet. If qemu machine needs to be reachable from network, then it can be enabled via local.conf or machine config variable QB_SLIRP_OPT: QB_SLIRP_OPT = "-netdev user,id=net0,hostfwd=tcp::2222-:22" (From OE-Core rev: c6b1e3d50bf2feea80b70a42c6fad868fa9e6042) Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rwxr-xr-xscripts/runqemu2
1 files changed, 1 insertions, 1 deletions
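--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -1071,7 +1071,7 @@ class BaseConfig(object):
 logger.info("Network configuration:%s", netconf)
 self.kernel_cmdline_script += netconf
 # Port mapping
-hostfwd = ",hostfwd=tcp::2222-:22,hostfwd=tcp::2323-:23"
+hostfwd = ",hostfwd=tcp:127.0.0.1:2222-:22,hostfwd=tcp:127.0.0.1:2323-:23"
 qb_slirp_opt_default = "-netdev user,id=net0%s,tftp=%s" % (hostfwd, self.get('DEPLOY_DIR_IMAGE'))
 qb_slirp_opt = self.get('QB_SLIRP_OPT') or qb_slirp_opt_default
 # Figure out the port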
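Review bot: The loopback restriction only reaches `qb_slirp_opt_default`; on line 1076 a `QB_SLIRP_OPT` set in local.conf or a machine config replaces it wholesale, so an existing value such as `hostfwd=tcp::2222-:22` still listens on every host address and nothing tells the user. Consider a warning right after that line, for example `if 'hostfwd=tcp::' in qb_slirp_opt: logger.warning("QB_SLIRP_OPT forwards ports on all host addresses")`. The `# Port mapping` comment could also record the reason, e.g. `# Port mapping, bound to 127.0.0.1 so passwordless root login is not reachable from the network`. The enclosing method starts and ends outside the hunk, and the port-selection code after `# Figure out the port` is not visible here, so it is worth confirming that it still parses the form with an explicit host address.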