diff options
author | 2022-11-14 17:50:38 +0200 | |
---|---|---|
committer | 2022-11-20 08:20:27 +0000 | |
commit | c6b1e3d50bf2feea80b70a42c6fad868fa9e6042 (patch) | |
tree | d1e85d50832c83d25bce2c42eb28355f9e2560c3 /scripts/runqemu | |
parent | bdbd52082eb26f418000eb4e424baae9babc272c (diff) | |
download | openembedded-core-contrib-c6b1e3d50bf2feea80b70a42c6fad868fa9e6042.tar.gz |
runqemu: limit slirp host port forwarding to localhost 127.0.0.1
With default slirp port forwarding config qemu listens on TCP ports
2222 and 2323 on all IP addresses available on the build host. Most
use cases with runqemu only need it for localhost and it is not
safe to run qemu images with root login without password enabled
and listening on all available, possibly Internet reachable network
interfaces. Limit qemu port forwarding to localhost 127.0.0.1 IP
address. Now qemu machine SSH and telnet ports are only
reachable from the build host machine, not full Internet.
If qemu machine needs to be reachable from network, then it can
be enabled via local.conf or machine config variable QB_SLIRP_OPT:
QB_SLIRP_OPT = "-netdev user,id=net0,hostfwd=tcp::2222-:22"
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Diffstat (limited to 'scripts/runqemu')
-rwxr-xr-x | scripts/runqemu | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/scripts/runqemu b/scripts/runqemu index a6ea578564..7bd9465593 100755 --- a/scripts/runqemu +++ b/scripts/runqemu @@ -1071,7 +1071,7 @@ class BaseConfig(object): logger.info("Network configuration:%s", netconf) self.kernel_cmdline_script += netconf # Port mapping - hostfwd = ",hostfwd=tcp::2222-:22,hostfwd=tcp::2323-:23" + hostfwd = ",hostfwd=tcp:127.0.0.1:2222-:22,hostfwd=tcp:127.0.0.1:2323-:23" qb_slirp_opt_default = "-netdev user,id=net0%s,tftp=%s" % (hostfwd, self.get('DEPLOY_DIR_IMAGE')) qb_slirp_opt = self.get('QB_SLIRP_OPT') or qb_slirp_opt_default # Figure out the port |