1. 13 2月, 2014 3 次提交
    • E
      event: convert remaining domain events to new style · 158795d2
      Eric Blake 提交于
      Following the patterns established by lifecycle events, this
      creates all the new RPC calls needed to pass callback IDs
      for every domain event, and changes the limits in client and
      server codes to use modern style when possible.
      
      I've tested all combinations: both 'old client and new server'
      and 'new client and old server' continue to work with the old
      RPCs, and 'new client and new server' benefit from server-side
      filtering with the new RPCs.
      
      * src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_EVENT_*): Add
      REMOTE_PROC_DOMAIN_EVENT_CALLBACK_* counterparts.
      * daemon/remote.c (remoteRelayDomainEvent*): Send callbackID via
      newer RPC when used with new-style registration.
      (remoteDispatchConnectDomainEventCallbackRegisterAny): Extend to
      cover all domain events.
      * src/remote/remote_driver.c (remoteDomainBuildEvent*): Add new
      Callback and Helper functions.
      (remoteEvents): Match order of RPC numbers, register new handlers.
      (remoteConnectDomainEventRegisterAny)
      (remoteConnectDomainEventDeregisterAny): Extend to cover all
      domain events.
      * src/remote_protocol-structs: Regenerate.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      158795d2
    • E
      event: server RPC protocol tweaks for domain lifecycle events · 03722957
      Eric Blake 提交于
      This patch adds some new RPC call numbers, but for ease of review,
      they sit idle until a later patch adds the client counterpart to
      drive the new RPCs.  Also for ease of review, I limited this patch
      to just the lifecycle event; although converting the remaining
      15 domain events will be quite mechanical.  On the server side,
      we have to have a function per RPC call, largely with duplicated
      bodies (the key difference being that we store in our callback
      opaque pointer whether events should be fired with old or new
      style); meanwhile, a single function can drive multiple RPC
      messages.  With a strategic choice of XDR struct layout, we can
      make the event generation code for both styles fairly compact.
      
      I debated about adding a tri-state witness variable per
      connection (values 'unknown', 'legacy', 'modern').  It would start
      as 'unknown', move to 'legacy' if any RPC call is made to a legacy
      event call, and move to 'modern' if the feature probe is made;
      then the event code could issue an error if the witness state is
      incorrect (a legacy RPC call while in 'modern', a modern RPC call
      while in 'unknown' or 'legacy', and a feature probe while in
      'legacy' or 'modern').  But while it might prevent odd behavior
      caused by protocol fuzzing, I don't see that it would prevent
      any security holes, so I considered it bloat.
      
      Note that sticking @acl markers on the new RPCs generates unused
      functions in access/viraccessapicheck.c, because there is no new
      API call that needs to use the new checks; however, having a
      consistent .x file is worth the dead code.
      
      * src/libvirt_internal.h (VIR_DRV_FEATURE_REMOTE_EVENT_CALLBACK):
      New feature.
      * src/remote/remote_protocol.x
      (REMOTE_PROC_CONNECT_DOMAIN_EVENT_CALLBACK_REGISTER_ANY)
      (REMOTE_PROC_CONNECT_DOMAIN_EVENT_CALLBACK_DEREGISTER_ANY)
      (REMOTE_PROC_DOMAIN_EVENT_CALLBACK_LIFECYCLE): New RPCs.
      * daemon/remote.c (daemonClientCallback): Add field.
      (remoteDispatchConnectDomainEventCallbackRegisterAny)
      (remoteDispatchConnectDomainEventCallbackDeregisterAny): New
      functions.
      (remoteDispatchConnectDomainEventRegisterAny)
      (remoteDispatchConnectDomainEventDeregisterAny): Mark legacy use.
      (remoteRelayDomainEventLifecycle): Change message based on legacy
      or new use.
      (remoteDispatchConnectSupportsFeature): Advertise new feature.
      * src/remote_protocol-structs: Regenerate.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      03722957
    • E
      event: dynamically manage server-side RPC domain events · 047fd2e8
      Eric Blake 提交于
      This patch continues the earlier conversion made for network
      events, with a goal of introducing server-side event filtering
      in a later patch.  Actual behavior is unchanged without
      further RPC changes.
      
      * daemon/libvirtd.h (daemonClientPrivate): Alter the tracking of
      domain events.
      * daemon/remote.c (remoteClientInitHook, remoteClientFreeFunc)
      (remoteRelayDomainEvent*)
      (remoteDispatchConnectDomainEventRegister)
      (remoteDispatchConnectDomainEventRegisterAny): Track domain
      callbacks dynamically.
      047fd2e8
  2. 05 2月, 2014 1 次提交
    • E
      event: move event filtering to daemon (regression fix) · 11f20e43
      Eric Blake 提交于
      https://bugzilla.redhat.com/show_bug.cgi?id=1058839
      
      Commit f9f56340 for CVE-2014-0028 almost had the right idea - we
      need to check the ACL rules to filter which events to send.  But
      it overlooked one thing: the event dispatch queue is running in
      the main loop thread, and therefore does not normally have a
      current virIdentityPtr.  But filter checks can be based on current
      identity, so when libvirtd.conf contains access_drivers=["polkit"],
      we ended up rejecting access for EVERY event due to failure to
      look up the current identity, even if it should have been allowed.
      
      Furthermore, even for events that are triggered by API calls, it
      is important to remember that the point of events is that they can
      be copied across multiple connections, which may have separate
      identities and permissions.  So even if events were dispatched
      from a context where we have an identity, we must change to the
      correct identity of the connection that will be receiving the
      event, rather than basing a decision on the context that triggered
      the event, when deciding whether to filter an event to a
      particular connection.
      
      If there were an easy way to get from virConnectPtr to the
      appropriate virIdentityPtr, then object_event.c could adjust the
      identity prior to checking whether to dispatch an event.  But
      setting up that back-reference is a bit invasive.  Instead, it
      is easier to delay the filtering check until lower down the
      stack, at the point where we have direct access to the RPC
      client object that owns an identity.  As such, this patch ends
      up reverting a large portion of the framework of commit f9f56340.
      We also have to teach 'make check' to special-case the fact that
      the event registration filtering is done at the point of dispatch,
      rather than the point of registration.  Note that even though we
      don't actually use virConnectDomainEventRegisterCheckACL (because
      the RegisterAny variant is sufficient), we still generate the
      function for the purposes of documenting that the filtering
      takes place.
      
      Also note that I did not entirely delete the notion of a filter
      from object_event.c; I still plan on using that for my upcoming
      patch series for qemu monitor events in libvirt-qemu.so.  In
      other words, while this patch changes ACL filtering to live in
      remote.c and therefore we have no current client of the filtering
      in object_event.c, the notion of filtering in object_event.c is
      still useful down the road.
      
      * src/check-aclrules.pl: Exempt event registration from having to
      pass checkACL filter down call stack.
      * daemon/remote.c (remoteRelayDomainEventCheckACL)
      (remoteRelayNetworkEventCheckACL): New functions.
      (remoteRelay*Event*): Use new functions.
      * src/conf/domain_event.h (virDomainEventStateRegister)
      (virDomainEventStateRegisterID): Drop unused parameter.
      * src/conf/network_event.h (virNetworkEventStateRegisterID):
      Likewise.
      * src/conf/domain_event.c (virDomainEventFilter): Delete unused
      function.
      * src/conf/network_event.c (virNetworkEventFilter): Likewise.
      * src/libxl/libxl_driver.c: Adjust caller.
      * src/lxc/lxc_driver.c: Likewise.
      * src/network/bridge_driver.c: Likewise.
      * src/qemu/qemu_driver.c: Likewise.
      * src/remote/remote_driver.c: Likewise.
      * src/test/test_driver.c: Likewise.
      * src/uml/uml_driver.c: Likewise.
      * src/vbox/vbox_tmpl.c: Likewise.
      * src/xen/xen_driver.c: Likewise.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      11f20e43
  3. 16 1月, 2014 2 次提交
    • E
      event: wire up RPC for server-side network event filtering · 8d9d098b
      Eric Blake 提交于
      We haven't had a release with network events yet, so we are free
      to fix the RPC so that it actually does what we want.  Doing
      client-side filtering of per-network events is inefficient if a
      connection is only interested in events on a single network out
      of hundreds available on the server.  But to do server-side
      per-network filtering, the server needs to know which network
      to filter on - so we need to pass an optional network over on
      registration.  Furthermore, it is possible to have a client with
      both a global and per-network filter; in the existing code, the
      server sends only one event and the client replicates to both
      callbacks.  But with server-side filtering, the server will send
      the event twice, so we need a way for the client to know which
      callbackID is sending an event, to ensure that the client can
      filter out events from a registration that does not match the
      callbackID from the server.  Likewise, the existing style of
      deregistering by eventID alone is fine; but in the new style,
      we have to remember which callbackID to delete.
      
      This patch fixes the RPC wire definition to contain all the
      needed pieces of information, and hooks into the server and
      client side improvements of the previous patches, in order to
      switch over to full server-side filtering of network events.
      Also, since we fixed this in time, all released versions of
      libvirtd that support network events also support per-network
      filtering, so we can hard-code that assumption into
      network_event.c.
      
      Converting domain events to server-side filtering will require
      the introduction of new RPC numbers, as well as a server
      feature bit that the client can use to tell whether to use
      old-style (server only supports global events) or new-style
      (server supports filtered events), so that is deferred to a
      later set of patches.
      
      * src/conf/network_event.c (virNetworkEventStateRegisterClient):
      Assume server-side filtering.
      * src/remote/remote_protocol.x
      (remote_connect_network_event_register_any_args): Add network
      argument.
      (remote_connect_network_event_register_any_ret): Return callbackID
      instead of count.
      (remote_connect_network_event_deregister_any_args): Pass
      callbackID instead of eventID.
      (remote_connect_network_event_deregister_any_ret): Drop unused
      type.
      (remote_network_event_lifecycle_msg): Add callbackID.
      * daemon/remote.c
      (remoteDispatchConnectNetworkEventDeregisterAny): Drop unused arg,
      and deal with callbackID from client.
      (remoteRelayNetworkEventLifecycle): Pass callbackID.
      (remoteDispatchConnectNetworkEventRegisterAny): Likewise, and
      recognize non-NULL network.
      * src/remote/remote_driver.c
      (remoteConnectNetworkEventRegisterAny): Pass network, and track
      server side id.
      (remoteConnectNetworkEventDeregisterAny): Deregister by callback id.
      (remoteNetworkBuildEventLifecycle): Pass remote id to event queue.
      * src/remote_protocol-structs: Regenerate.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      8d9d098b
    • E
      event: track callbackID on daemon side of RPC · b9d14ef0
      Eric Blake 提交于
      Right now, the daemon side of RPC events is hard-coded to at most
      one callback per eventID.  But when there are hundreds of domains
      or networks coupled and multiple conections, then sending every
      event to every connection that wants an event, even for the
      connections that only care about events for a particular object,
      is inefficient.  In order to track more than one callback in the
      server, we need to store callbacks by more than just their
      eventID.  This patch rearranges the daemon side to store network
      callbacks in a dynamic array, which can eventually be used for
      multiple callbacks of the same eventID, although actual behavior
      is unchanged without further patches to the RPC protocol.  For
      ease of review, domain events are saved for a later patch, as
      they touch more code.
      
      While at it, fix a bug where a malicious client could send a
      negative eventID to cause network event registration to access
      outside of array bounds (thankfully not a CVE, since domain
      events were already doing the bounds check, and since network
      events have not been released).
      
      * daemon/libvirtd.h (daemonClientPrivate): Alter the tracking of
      network events.
      * daemon/remote.c (daemonClientEventCallback): New struct.
      (remoteEventCallbackFree): New function.
      (remoteClientInitHook, remoteRelayNetworkEventLifecycle)
      (remoteClientFreeFunc)
      (remoteDispatchConnectNetworkEventRegisterAny): Track network
      callbacks differently.
      (remoteDispatchConnectNetworkEventDeregisterAny): Enforce bounds.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      b9d14ef0
  4. 11 12月, 2013 1 次提交
  5. 10 12月, 2013 1 次提交
  6. 18 10月, 2013 1 次提交
  7. 27 9月, 2013 1 次提交
    • D
      Fix crash in libvirtd when events are registered & ACLs active · 8294aa0c
      Daniel P. Berrange 提交于
      When a client disconnects from libvirtd, all event callbacks
      must be removed. This involves running the public API
      
        virConnectDomainEventDeregisterAny
      
      This code does not run in normal API dispatch context, so no
      identity was set. The result was that the access control drivers
      denied the attempt to deregister callbacks. The callbacks thus
      continued to trigger after the client was free'd causing fairly
      predictable use of free memory & a crash.
      
      This can be triggered by any client with readonly access when
      the ACL drivers are active.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      8294aa0c
  8. 24 9月, 2013 1 次提交
  9. 20 9月, 2013 1 次提交
  10. 19 9月, 2013 1 次提交
    • D
      Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296) · e7f400a1
      Daniel P. Berrange 提交于
      The 'stats' variable was not initialized to NULL, so if some
      early validation of the RPC call fails, it is possible to jump
      to the 'cleanup' label and VIR_FREE an uninitialized pointer.
      This is a security flaw, since the API can be called from a
      readonly connection which can trigger the validation checks.
      
      This was introduced in release v0.9.1 onwards by
      
        commit 158ba873
        Author: Daniel P. Berrange <berrange@redhat.com>
        Date:   Wed Apr 13 16:21:35 2011 +0100
      
          Merge all returns paths from dispatcher into single path
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      e7f400a1
  11. 18 9月, 2013 1 次提交
    • D
      Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311) · 922b7fda
      Daniel P. Berrange 提交于
      With the existing pkcheck (pid, start time) tuple for identifying
      the process, there is a race condition, where a process can make
      a libvirt RPC call and in another thread exec a setuid application,
      causing it to change to effective UID 0. This in turn causes polkit
      to do its permission check based on the wrong UID.
      
      To address this, libvirt must get the UID the caller had at time
      of connect() (from SO_PEERCRED) and pass a (pid, start time, uid)
      triple to the pkcheck program.
      
      This fix requires that libvirt is re-built against a version of
      polkit that has the fix for its CVE-2013-4288, so that libvirt
      can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1'
      Signed-off-by: NColin Walters <walters@redhat.com>
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      922b7fda
  12. 04 9月, 2013 1 次提交
  13. 29 8月, 2013 11 次提交
  14. 18 7月, 2013 2 次提交
  15. 10 7月, 2013 2 次提交
  16. 25 6月, 2013 1 次提交
  17. 31 5月, 2013 1 次提交
    • E
      build: cast [ug]id_t when printing · f43bb1dc
      Eric Blake 提交于
      This is a recurring problem for cygwin :)
      For example, see commit 23a4df88.
      
      qemu/qemu_driver.c: In function 'qemuStateInitialize':
      qemu/qemu_driver.c:691:13: error: format '%d' expects type 'int', but argument 8 has type 'uid_t' [-Wformat]
      
      * src/qemu/qemu_driver.c (qemuStateInitialize): Add casts.
      * daemon/remote.c (remoteDispatchAuthList): Likewise.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      f43bb1dc
  18. 21 5月, 2013 1 次提交
  19. 16 5月, 2013 1 次提交
    • J
      daemon: fix leak after listing all volumes · ca697e90
      Ján Tomko 提交于
      CVE-2013-1962
      
      remoteDispatchStoragePoolListAllVolumes wasn't freeing the pool.
      The pool also held a reference to the connection, preventing it from
      getting freed and closing the netcf interface driver, which held two
      sockets open.
      ca697e90
  20. 09 5月, 2013 1 次提交
  21. 08 5月, 2013 1 次提交
  22. 05 5月, 2013 1 次提交
  23. 03 5月, 2013 1 次提交
  24. 02 5月, 2013 1 次提交
    • M
      virutil: Move string related functions to virstring.c · 7c9a2d88
      Michal Privoznik 提交于
      The source code base needs to be adapted as well. Some files
      include virutil.h just for the string related functions (here,
      the include is substituted to match the new file), some include
      virutil.h without any need (here, the include is removed), and
      some require both.
      7c9a2d88
  25. 24 4月, 2013 1 次提交