- 13 2月, 2014 3 次提交
-
-
由 Eric Blake 提交于
Following the patterns established by lifecycle events, this creates all the new RPC calls needed to pass callback IDs for every domain event, and changes the limits in client and server codes to use modern style when possible. I've tested all combinations: both 'old client and new server' and 'new client and old server' continue to work with the old RPCs, and 'new client and new server' benefit from server-side filtering with the new RPCs. * src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_EVENT_*): Add REMOTE_PROC_DOMAIN_EVENT_CALLBACK_* counterparts. * daemon/remote.c (remoteRelayDomainEvent*): Send callbackID via newer RPC when used with new-style registration. (remoteDispatchConnectDomainEventCallbackRegisterAny): Extend to cover all domain events. * src/remote/remote_driver.c (remoteDomainBuildEvent*): Add new Callback and Helper functions. (remoteEvents): Match order of RPC numbers, register new handlers. (remoteConnectDomainEventRegisterAny) (remoteConnectDomainEventDeregisterAny): Extend to cover all domain events. * src/remote_protocol-structs: Regenerate. Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Eric Blake 提交于
This patch adds some new RPC call numbers, but for ease of review, they sit idle until a later patch adds the client counterpart to drive the new RPCs. Also for ease of review, I limited this patch to just the lifecycle event; although converting the remaining 15 domain events will be quite mechanical. On the server side, we have to have a function per RPC call, largely with duplicated bodies (the key difference being that we store in our callback opaque pointer whether events should be fired with old or new style); meanwhile, a single function can drive multiple RPC messages. With a strategic choice of XDR struct layout, we can make the event generation code for both styles fairly compact. I debated about adding a tri-state witness variable per connection (values 'unknown', 'legacy', 'modern'). It would start as 'unknown', move to 'legacy' if any RPC call is made to a legacy event call, and move to 'modern' if the feature probe is made; then the event code could issue an error if the witness state is incorrect (a legacy RPC call while in 'modern', a modern RPC call while in 'unknown' or 'legacy', and a feature probe while in 'legacy' or 'modern'). But while it might prevent odd behavior caused by protocol fuzzing, I don't see that it would prevent any security holes, so I considered it bloat. Note that sticking @acl markers on the new RPCs generates unused functions in access/viraccessapicheck.c, because there is no new API call that needs to use the new checks; however, having a consistent .x file is worth the dead code. * src/libvirt_internal.h (VIR_DRV_FEATURE_REMOTE_EVENT_CALLBACK): New feature. * src/remote/remote_protocol.x (REMOTE_PROC_CONNECT_DOMAIN_EVENT_CALLBACK_REGISTER_ANY) (REMOTE_PROC_CONNECT_DOMAIN_EVENT_CALLBACK_DEREGISTER_ANY) (REMOTE_PROC_DOMAIN_EVENT_CALLBACK_LIFECYCLE): New RPCs. * daemon/remote.c (daemonClientCallback): Add field. (remoteDispatchConnectDomainEventCallbackRegisterAny) (remoteDispatchConnectDomainEventCallbackDeregisterAny): New functions. (remoteDispatchConnectDomainEventRegisterAny) (remoteDispatchConnectDomainEventDeregisterAny): Mark legacy use. (remoteRelayDomainEventLifecycle): Change message based on legacy or new use. (remoteDispatchConnectSupportsFeature): Advertise new feature. * src/remote_protocol-structs: Regenerate. Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Eric Blake 提交于
This patch continues the earlier conversion made for network events, with a goal of introducing server-side event filtering in a later patch. Actual behavior is unchanged without further RPC changes. * daemon/libvirtd.h (daemonClientPrivate): Alter the tracking of domain events. * daemon/remote.c (remoteClientInitHook, remoteClientFreeFunc) (remoteRelayDomainEvent*) (remoteDispatchConnectDomainEventRegister) (remoteDispatchConnectDomainEventRegisterAny): Track domain callbacks dynamically.
-
- 05 2月, 2014 1 次提交
-
-
由 Eric Blake 提交于
https://bugzilla.redhat.com/show_bug.cgi?id=1058839 Commit f9f56340 for CVE-2014-0028 almost had the right idea - we need to check the ACL rules to filter which events to send. But it overlooked one thing: the event dispatch queue is running in the main loop thread, and therefore does not normally have a current virIdentityPtr. But filter checks can be based on current identity, so when libvirtd.conf contains access_drivers=["polkit"], we ended up rejecting access for EVERY event due to failure to look up the current identity, even if it should have been allowed. Furthermore, even for events that are triggered by API calls, it is important to remember that the point of events is that they can be copied across multiple connections, which may have separate identities and permissions. So even if events were dispatched from a context where we have an identity, we must change to the correct identity of the connection that will be receiving the event, rather than basing a decision on the context that triggered the event, when deciding whether to filter an event to a particular connection. If there were an easy way to get from virConnectPtr to the appropriate virIdentityPtr, then object_event.c could adjust the identity prior to checking whether to dispatch an event. But setting up that back-reference is a bit invasive. Instead, it is easier to delay the filtering check until lower down the stack, at the point where we have direct access to the RPC client object that owns an identity. As such, this patch ends up reverting a large portion of the framework of commit f9f56340. We also have to teach 'make check' to special-case the fact that the event registration filtering is done at the point of dispatch, rather than the point of registration. Note that even though we don't actually use virConnectDomainEventRegisterCheckACL (because the RegisterAny variant is sufficient), we still generate the function for the purposes of documenting that the filtering takes place. Also note that I did not entirely delete the notion of a filter from object_event.c; I still plan on using that for my upcoming patch series for qemu monitor events in libvirt-qemu.so. In other words, while this patch changes ACL filtering to live in remote.c and therefore we have no current client of the filtering in object_event.c, the notion of filtering in object_event.c is still useful down the road. * src/check-aclrules.pl: Exempt event registration from having to pass checkACL filter down call stack. * daemon/remote.c (remoteRelayDomainEventCheckACL) (remoteRelayNetworkEventCheckACL): New functions. (remoteRelay*Event*): Use new functions. * src/conf/domain_event.h (virDomainEventStateRegister) (virDomainEventStateRegisterID): Drop unused parameter. * src/conf/network_event.h (virNetworkEventStateRegisterID): Likewise. * src/conf/domain_event.c (virDomainEventFilter): Delete unused function. * src/conf/network_event.c (virNetworkEventFilter): Likewise. * src/libxl/libxl_driver.c: Adjust caller. * src/lxc/lxc_driver.c: Likewise. * src/network/bridge_driver.c: Likewise. * src/qemu/qemu_driver.c: Likewise. * src/remote/remote_driver.c: Likewise. * src/test/test_driver.c: Likewise. * src/uml/uml_driver.c: Likewise. * src/vbox/vbox_tmpl.c: Likewise. * src/xen/xen_driver.c: Likewise. Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 16 1月, 2014 2 次提交
-
-
由 Eric Blake 提交于
We haven't had a release with network events yet, so we are free to fix the RPC so that it actually does what we want. Doing client-side filtering of per-network events is inefficient if a connection is only interested in events on a single network out of hundreds available on the server. But to do server-side per-network filtering, the server needs to know which network to filter on - so we need to pass an optional network over on registration. Furthermore, it is possible to have a client with both a global and per-network filter; in the existing code, the server sends only one event and the client replicates to both callbacks. But with server-side filtering, the server will send the event twice, so we need a way for the client to know which callbackID is sending an event, to ensure that the client can filter out events from a registration that does not match the callbackID from the server. Likewise, the existing style of deregistering by eventID alone is fine; but in the new style, we have to remember which callbackID to delete. This patch fixes the RPC wire definition to contain all the needed pieces of information, and hooks into the server and client side improvements of the previous patches, in order to switch over to full server-side filtering of network events. Also, since we fixed this in time, all released versions of libvirtd that support network events also support per-network filtering, so we can hard-code that assumption into network_event.c. Converting domain events to server-side filtering will require the introduction of new RPC numbers, as well as a server feature bit that the client can use to tell whether to use old-style (server only supports global events) or new-style (server supports filtered events), so that is deferred to a later set of patches. * src/conf/network_event.c (virNetworkEventStateRegisterClient): Assume server-side filtering. * src/remote/remote_protocol.x (remote_connect_network_event_register_any_args): Add network argument. (remote_connect_network_event_register_any_ret): Return callbackID instead of count. (remote_connect_network_event_deregister_any_args): Pass callbackID instead of eventID. (remote_connect_network_event_deregister_any_ret): Drop unused type. (remote_network_event_lifecycle_msg): Add callbackID. * daemon/remote.c (remoteDispatchConnectNetworkEventDeregisterAny): Drop unused arg, and deal with callbackID from client. (remoteRelayNetworkEventLifecycle): Pass callbackID. (remoteDispatchConnectNetworkEventRegisterAny): Likewise, and recognize non-NULL network. * src/remote/remote_driver.c (remoteConnectNetworkEventRegisterAny): Pass network, and track server side id. (remoteConnectNetworkEventDeregisterAny): Deregister by callback id. (remoteNetworkBuildEventLifecycle): Pass remote id to event queue. * src/remote_protocol-structs: Regenerate. Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Eric Blake 提交于
Right now, the daemon side of RPC events is hard-coded to at most one callback per eventID. But when there are hundreds of domains or networks coupled and multiple conections, then sending every event to every connection that wants an event, even for the connections that only care about events for a particular object, is inefficient. In order to track more than one callback in the server, we need to store callbacks by more than just their eventID. This patch rearranges the daemon side to store network callbacks in a dynamic array, which can eventually be used for multiple callbacks of the same eventID, although actual behavior is unchanged without further patches to the RPC protocol. For ease of review, domain events are saved for a later patch, as they touch more code. While at it, fix a bug where a malicious client could send a negative eventID to cause network event registration to access outside of array bounds (thankfully not a CVE, since domain events were already doing the bounds check, and since network events have not been released). * daemon/libvirtd.h (daemonClientPrivate): Alter the tracking of network events. * daemon/remote.c (daemonClientEventCallback): New struct. (remoteEventCallbackFree): New function. (remoteClientInitHook, remoteRelayNetworkEventLifecycle) (remoteClientFreeFunc) (remoteDispatchConnectNetworkEventRegisterAny): Track network callbacks differently. (remoteDispatchConnectNetworkEventDeregisterAny): Enforce bounds. Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 11 12月, 2013 1 次提交
-
-
由 Cédric Bosdonnat 提交于
-
- 10 12月, 2013 1 次提交
-
-
由 Cédric Bosdonnat 提交于
into remoteDispatchObjectEventSend as it will later be used for both the domain and network events.
-
- 18 10月, 2013 1 次提交
-
-
由 Chen Hanxiao 提交于
If we fail to get domain, we had to judge whether it's null or not when doing 'cleanup'. Signed-off-by: NChen Hanxiao <chenhanxiao@cn.fujitsu.com>
-
- 27 9月, 2013 1 次提交
-
-
由 Daniel P. Berrange 提交于
When a client disconnects from libvirtd, all event callbacks must be removed. This involves running the public API virConnectDomainEventDeregisterAny This code does not run in normal API dispatch context, so no identity was set. The result was that the access control drivers denied the attempt to deregister callbacks. The callbacks thus continued to trigger after the client was free'd causing fairly predictable use of free memory & a crash. This can be triggered by any client with readonly access when the ACL drivers are active. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 24 9月, 2013 1 次提交
-
-
由 Giuseppe Scrivano 提交于
Signed-off-by: NGiuseppe Scrivano <gscrivan@redhat.com> Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 20 9月, 2013 1 次提交
-
-
由 Jiri Denemark 提交于
-
- 19 9月, 2013 1 次提交
-
-
由 Daniel P. Berrange 提交于
The 'stats' variable was not initialized to NULL, so if some early validation of the RPC call fails, it is possible to jump to the 'cleanup' label and VIR_FREE an uninitialized pointer. This is a security flaw, since the API can be called from a readonly connection which can trigger the validation checks. This was introduced in release v0.9.1 onwards by commit 158ba873 Author: Daniel P. Berrange <berrange@redhat.com> Date: Wed Apr 13 16:21:35 2011 +0100 Merge all returns paths from dispatcher into single path Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 18 9月, 2013 1 次提交
-
-
由 Daniel P. Berrange 提交于
With the existing pkcheck (pid, start time) tuple for identifying the process, there is a race condition, where a process can make a libvirt RPC call and in another thread exec a setuid application, causing it to change to effective UID 0. This in turn causes polkit to do its permission check based on the wrong UID. To address this, libvirt must get the UID the caller had at time of connect() (from SO_PEERCRED) and pass a (pid, start time, uid) triple to the pkcheck program. This fix requires that libvirt is re-built against a version of polkit that has the fix for its CVE-2013-4288, so that libvirt can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1' Signed-off-by: NColin Walters <walters@redhat.com> Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 04 9月, 2013 1 次提交
-
-
由 Nehal J Wani 提交于
Fixes for argument layouts of various functions in daemon/remote.c
-
- 29 8月, 2013 11 次提交
-
-
由 Daniel P. Berrange 提交于
The return values for the virConnectListAllSecrets call were not bounds checked. This is a robustness issue for clients if something where to cause corruption of the RPC stream data. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The return values for the virConnectListAllNWFilters call were not bounds checked. This is a robustness issue for clients if something where to cause corruption of the RPC stream data. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The return values for the virConnectListAllNodeDevices call were not bounds checked. This is a robustness issue for clients if something where to cause corruption of the RPC stream data. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The return values for the virConnectListAllInterfaces call were not bounds checked. This is a robustness issue for clients if something where to cause corruption of the RPC stream data. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The return values for the virConnectListAllNetworks call were not bounds checked. This is a robustness issue for clients if something where to cause corruption of the RPC stream data. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The return values for the virStoragePoolListAllVolumes call were not bounds checked. This is a robustness issue for clients if something where to cause corruption of the RPC stream data. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The return values for the virConnectListAllStoragePools call were not bounds checked. This is a robustness issue for clients if something where to cause corruption of the RPC stream data. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The return values for the virConnectListAllDomains call were not bounds checked. This is a robustness issue for clients if something where to cause corruption of the RPC stream data. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The return values for the virDomain{SnapshotListAllChildren,ListAllSnapshots} calls were not bounds checked. This is a robustness issue for clients if something where to cause corruption of the RPC stream data. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The return values for the virDomainGetJobStats call were not bounds checked. This is a robustness issue for clients if something where to cause corruption of the RPC stream data. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The parameters for the virDomainMigrate*Params RPC calls were not bounds checks, meaning a malicious client can cause libvirtd to consume arbitrary memory This issue was introduced in the 1.1.0 release of libvirt Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 18 7月, 2013 2 次提交
-
-
由 Jiri Denemark 提交于
-
由 Daniel P. Berrange 提交于
Since they make use of file descriptor passing, the remote protocol methods for virDomainCreate{XML}WithFiles must be written by hand. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 10 7月, 2013 2 次提交
-
-
由 Daniel P. Berrange 提交于
Convert the type of loop iterators named 'i', 'j', k', 'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or 'unsigned int', also santizing 'ii', 'jj', 'kk' to use the normal 'i', 'j', 'k' naming Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Michal Privoznik 提交于
-
- 25 6月, 2013 1 次提交
-
-
由 Jiri Denemark 提交于
This patch implements extensible variants of all internal migration APIs used for v3 migration.
-
- 31 5月, 2013 1 次提交
-
-
由 Eric Blake 提交于
This is a recurring problem for cygwin :) For example, see commit 23a4df88. qemu/qemu_driver.c: In function 'qemuStateInitialize': qemu/qemu_driver.c:691:13: error: format '%d' expects type 'int', but argument 8 has type 'uid_t' [-Wformat] * src/qemu/qemu_driver.c (qemuStateInitialize): Add casts. * daemon/remote.c (remoteDispatchAuthList): Likewise. Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 21 5月, 2013 1 次提交
-
-
由 Osier Yang 提交于
-
- 16 5月, 2013 1 次提交
-
-
由 Ján Tomko 提交于
CVE-2013-1962 remoteDispatchStoragePoolListAllVolumes wasn't freeing the pool. The pool also held a reference to the connection, preventing it from getting freed and closing the netcf interface driver, which held two sockets open.
-
- 09 5月, 2013 1 次提交
-
-
由 Jim Fehlig 提交于
Commit 979e9c56 missed one case of providing the timestamp parameter to virNetServerClientGetUNIXIdentity() when WITH_POLKIT0 is defined.
-
- 08 5月, 2013 1 次提交
-
-
由 Daniel P. Berrange 提交于
Since PIDs can be reused, polkit prefers to be given a (PID,start time) pair. If given a PID on its own, it will attempt to lookup the start time in /proc/pid/stat, though this is subject to races. It is safer if the client app resolves the PID start time itself, because as long as the app has the client socket open, the client PID won't be reused. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 05 5月, 2013 1 次提交
-
-
由 Michal Privoznik 提交于
-
- 03 5月, 2013 1 次提交
-
-
由 Daniel P. Berrange 提交于
Since the 'nparams' variable passed to virTypedParametersFree is supposed to represent the size of the 'params' array, it is bad practice to initialize it to a non-zero value, until the array has been allocated. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 02 5月, 2013 1 次提交
-
-
由 Michal Privoznik 提交于
The source code base needs to be adapted as well. Some files include virutil.h just for the string related functions (here, the include is substituted to match the new file), some include virutil.h without any need (here, the include is removed), and some require both.
-
- 24 4月, 2013 1 次提交
-
-
由 Daniel P. Berrange 提交于
Ensure that the driver struct field names match the public API names. For an API virXXXX we must have a driver struct field xXXXX. ie strip the leading 'vir' and lowercase any leading uppercase letters. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-