- 19 2月, 2014 3 次提交
-
-
由 Eric Blake 提交于
Use helper virProcessRunInMountNamespace in lxcDomainShutdownFlags and lxcDomainReboot. Otherwise, a malicious guest could use symlinks to force the host to manipulate the wrong file in the host's namespace. Idea by Dan Berrange, based on an initial report by Reco <recoverym4n@gmail.com> at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732394Signed-off-by: NEric Blake <eblake@redhat.com> (cherry picked from commit aebbcdd3)
-
由 Daniel P. Berrange 提交于
Implement virProcessRunInMountNamespace, which runs callback of type virProcessNamespaceCallback in a container namespace. This uses a child process to run the callback, since you can't change the mount namespace of a thread. This implies that callbacks have to be careful about what code they run due to async safety rules. Idea by Dan Berrange, based on an initial report by Reco <recoverym4n@gmail.com> at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732394Signed-off-by: NDaniel Berrange <berrange@redhat.com> Signed-off-by: NEric Blake <eblake@redhat.com> (cherry picked from commit 7c72ef6f)
-
由 Daniel P. Berrange 提交于
Add a helper function which takes a file path and ensures that all directory components leading up to the file exist. IOW, it strips the filename part of the path and passes the result to virFileMakePath. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit c321bfc5)
-
- 18 2月, 2014 1 次提交
-
-
由 Eric Blake 提交于
Our backing file chain code was not very robust to an ill-timed EINTR, which could lead to a short read causing us to randomly treat metadata differently than usual. But the existing virFileReadLimFD forces an error if we don't read the entire file, even though we only care about the header of the file. So add a new virFile function that does what we want. * src/util/virfile.h (virFileReadHeaderFD): New prototype. * src/util/virfile.c (virFileReadHeaderFD): New function. * src/libvirt_private.syms (virfile.h): Export it. * src/util/virstoragefile.c (virStorageFileGetMetadataInternal) (virStorageFileProbeFormatFromFD): Use it. Signed-off-by: NEric Blake <eblake@redhat.com> (cherry picked from commit 5327fad4) Conflicts: src/util/virstoragefile.c: buffer signedness
-
- 06 2月, 2014 1 次提交
-
-
由 Daniel P. Berrange 提交于
Add virRWLock backed up by a POSIX rwlock primitive Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit c065984b)
-
- 30 10月, 2013 7 次提交
-
-
由 Daniel P. Berrange 提交于
Most of the usage of getuid()/getgid() is in cases where we are considering what privileges we have. As such the code should be using the effective IDs, not real IDs. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 9b0af092)
-
由 Daniel P. Berrange 提交于
We already have stubs for getuid, geteuid, getgid but not for getegid. Something in gnulib already does a check for it during configure, so we already have the HAVE_GETEGID macro defined. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit c566fa1a)
-
由 Daniel P. Berrange 提交于
The use of getenv is typically insecure, and we want people to use our wrappers, to force them to think about setuid needs. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 71b21f12)
-
由 Daniel P. Berrange 提交于
Unconditional use of getenv is not secure in setuid env. While not all libvirt code runs in a setuid env (since much of it only exists inside libvirtd) this is not always clear to developers. So make all the code paranoid, even if it only ever runs inside libvirtd. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 1e4a02bd)
-
由 Daniel P. Berrange 提交于
When running setuid, we must be careful about what env vars we allow commands to inherit from us. Replace the virCommandAddEnvPass function with two new ones which do filtering virCommandAddEnvPassAllowSUID virCommandAddEnvPassBlockSUID And make virCommandAddEnvPassCommon use the appropriate ones Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 9b8f307c) Conflicts: src/qemu/qemu_command.c
-
由 Daniel P. Berrange 提交于
In Fedora 20, libvirt_lxc crashes immediately at startup with a trace #0 0x00007f0cddb653ec in free () from /lib64/libc.so.6 #1 0x00007f0ce0e16f4a in virFree (ptrptr=ptrptr@entry=0x7f0ce1830058) at util/viralloc.c:580 #2 0x00007f0ce0e2764b in virResetError (err=0x7f0ce1830030) at util/virerror.c:354 #3 0x00007f0ce0e27a5a in virResetLastError () at util/virerror.c:387 #4 0x00007f0ce0e28858 in virEventRegisterDefaultImpl () at util/virevent.c:233 #5 0x00007f0ce0db47c6 in main (argc=11, argv=0x7fff4596c328) at lxc/lxc_controller.c:2352 Normally virInitialize calls virErrorInitialize and virThreadInitialize, but we don't link to libvirt.so in libvirt_lxc, and nor did we ever call the error or thread initializers. I have absolutely no idea how this has ever worked, let alone what caused it to stop working in Fedora 20. In addition not all code paths from virLogSetFromEnv will ensure virLogInitialize is called correctly, which is another possible crash scenario. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 97973ebb)
-
由 Daniel P. Berrange 提交于
The log message regex has been [0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}\+[0-9]{4}: [0-9]+: debug|info|warning|error : The precedence of '|' is high though, so this is equivalent to matching [0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}\+[0-9]{4}: [0-9]+: debug Or info Or warning Or error : Which is clearly not what it should have done. This caused the code to skip over things which are not log messages. The solution is to simply add brackets. A test case is also added to validate correctness. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 5787f0b9)
-
- 21 10月, 2013 2 次提交
-
-
由 Daniel P. Berrange 提交于
We must not allow file/syslog/journald log outputs when running setuid since they can be abused to do bad things. In particular the 'file' output can be used to overwrite files. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 8c3586ea)
-
由 Daniel P. Berrange 提交于
Care must be taken accessing env variables when running setuid. Introduce a virGetEnvAllowSUID for env vars which are safe to use in a setuid environment, and another virGetEnvBlockSUID for vars which are not safe. Also add a virIsSUID helper method for any other non-env var code to use. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit ae53e5d1)
-
- 15 10月, 2013 1 次提交
-
-
由 Ján Tomko 提交于
https://bugzilla.redhat.com/show_bug.cgi?id=1008619 1,003 bytes in 1 blocks are definitely lost in loss record 599 of 635 ==404== by 0x50728A7: virBufferAddChar (virbuffer.c:185) ==404== by 0x50BC466: virSystemdEscapeName (virsystemd.c:67) ==404== by 0x50BC6B2: virSystemdMakeSliceName (virsystemd.c:108) ==404== by 0x50BC870: virSystemdCreateMachine (virsystemd.c:169) ==404== by 0x5078267: virCgroupNewMachine (vircgroup.c:1498) (cherry picked from commit 09b48562)
-
- 18 9月, 2013 2 次提交
-
-
由 Daniel P. Berrange 提交于
The polkit access driver will want to use the process start time field. This was already set for network identities, but not for the system identity. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit e65667c0)
-
由 Daniel P. Berrange 提交于
Future improvements to the polkit code will require access to the numeric user ID, not merely user name. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit db7a5688)
-
- 17 9月, 2013 1 次提交
-
-
由 Eric Blake 提交于
Bother those kernel developers. In the latest rawhide, kernel and glibc have now been unified so that <netinet/in.h> and <linux/in6.h> no longer clash; but <linux/if_bridge.h> is still not self-contained. Because of the latest header change, the build is failing with: checking for linux/param.h... no configure: error: You must install kernel-headers in order to compile libvirt with QEMU or LXC support with details: In file included from conftest.c:561:0: /usr/include/linux/in6.h:71:18: error: field 'flr_dst' has incomplete type struct in6_addr flr_dst; We need a workaround to avoid our workaround :) * configure.ac (NETINET_LINUX_WORKAROUND): New test. * src/util/virnetdevbridge.c (includes): Use it. Signed-off-by: NEric Blake <eblake@redhat.com> (cherry picked from commit e62e0094)
-
- 05 9月, 2013 1 次提交
-
-
由 Michal Privoznik 提交于
The @qemunbd variable can be used uninitialized. (cherry picked from commit 2dba0323)
-
- 30 8月, 2013 1 次提交
-
-
由 Eric Blake 提交于
FreeBSD 10 recently changed their definition of RAND_MAX, to try and cover the fact that their evenly distributed results of rand() really are a smaller range than a full power of 2. As a result, I did some investigation, and learned: 1. POSIX requires random() to be evenly distributed across exactly 31 bits. glibc also guarantees this for rand(), but the two are unrelated, and POSIX only associates RAND_MAX with rand(). Avoiding RAND_MAX altogether thus avoids a build failure on FreeBSD 10. 2. Concatenating random bits from a PRNG will NOT provide uniform coverage over the larger value UNLESS the period of the original PRNG is at least as large as the number of bits being concatenated. Simple example: suppose that RAND_MAX were 1 with a period of 2**1 (which means that the PRNG merely alternates between 0 and 1). Concatenating two successive rand() calls would then invariably result in 01 or 10, which is a rather non-uniform distribution (00 and 11 are impossible) and an even worse period (2**0, since our second attempt will get the same number as our first attempt). But a RAND_MAX of 1 with a period of 2**2 (alternating between 0, 1, 1, 0) provides sane coverage of all four values, if properly tempered. (Back-to-back calls would still only see half the values if we don't do some tempering). We therefore want to guarantee a period of at least 2**64, preferably larger (as a tempering factor); POSIX only makes this guarantee for random() with 256 bytes of info. * src/util/virrandom.c (virRandomBits): Use constants that are accurate for the PRNG we are using, not an unrelated PRNG. (randomState): Ensure the period of our PRNG exceeds our usage. Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 22 8月, 2013 2 次提交
-
-
由 Peter Krempa 提交于
Re-arrange the code so that the returned bitmap is always initialized to NULL even on early failures and return an error message as some callers are already expecting it. Fix up the rest not to shadow the error.
-
由 Roman Bogorodskiy 提交于
Provide an implementation of virNetDev(Set|Clear)IPv4Address based on BSD ifconfig tool in addition to 'ip' from Linux iproute2 package.
-
- 19 8月, 2013 2 次提交
-
-
由 Peter Krempa 提交于
On hosts that don't have the DBus service running or installed the new systemd cgroups code failed with hard error instead of falling back to "manual" cgroup creation. Use the new helper to check for the system bus and use the fallback code in case it isn't available.
-
由 Peter Krempa 提交于
Some systems may not use DBus in their system. Add a method to check if the system bus is available that doesn't print error messages so that code can later check for this condition and use an alternative approach.
-
- 16 8月, 2013 2 次提交
-
-
由 Peter Krempa 提交于
The virBitmapParse function was calling virBitmapIsSet() function that requires the caller to check the bounds of the bitmap without checking them. This resulted into crashes when parsing a bitmap string that was exceeding the bounds used as argument. This patch refactors the function to use virBitmapSetBit without checking if the bit is set (this function does the checks internally) and then counts the bits in the bitmap afterwards (instead of keeping track while parsing the string). This patch also changes the "parse_error" label to a more common "error". The refactor should also get rid of the need to call sa_assert on the returned variable as the callpath should allow coverity to infer the possible return values. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=997367 Thanks to Alex Jia for tracking down the issue. This issue is introduced by commit 0fc89098.
-
由 Eric Blake 提交于
* src/util/virnetdevvportprofile.c: Fix typo. * src/conf/domain_conf.c: Likewise. Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 13 8月, 2013 8 次提交
-
-
由 Roman Bogorodskiy 提交于
Complete the refactoring by adding missing stubs so it compiles on platform without cgroup support. Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Roman Bogorodskiy 提交于
Complete moving to VIR_CGROUP_SUPPORTED Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Roman Bogorodskiy 提交于
Continue converting to VIR_CGROUP_SUPPORTED Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Roman Bogorodskiy 提交于
- Convert virCgroupGet* to VIR_CGROUP_SUPPORTED - Convert virCgroup(Get|Set)FreezerState to VIR_CGROUP_SUPPORTED Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Roman Bogorodskiy 提交于
- Introduce VIR_CGROUP_SUPPORTED conditional - Convert virCgroupKill* to use it - Convert virCgroupIsolateMount() to use it - Convert virCgroupRemoveRecursively to VIR_CGROUP_SUPPORTED Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Eric Blake 提交于
Make future patches smaller by matching a sane header listing in the first place. No semantic change. * src/util/vircgroup.h: Move free next to new, and controller functions next to each other. * src/util/vircgroup.c (virCgroupFree, virCgroupHasController) (virCgroupPathOfController, virCgroupRemoveRecursively) (virCgroupRemove): Sort implementation to be closer to header. Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Eric Blake 提交于
Avoid a forward declaration of a static function. * src/util/vircgroup.c (virCgroupPartitionNeedsEscaping) (virCgroupParticionEscape): Move up. Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Eric Blake 提交于
Format all functions with two blank lines between, and return type on separate line from function name. Also break some lines longer than 80 columns. This makes the subsequent macro refactoring less noisy. * src/util/vircgroup.c: Match prevailing style. Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 10 8月, 2013 1 次提交
-
-
由 Daniel P. Berrange 提交于
Recentish (2011) kernels introduced a new device called /dev/loop-control, which causes libvirt's detection of loop devices to get confused since it only checks for a prefix of 'loop'. Also check that the next character is a digit Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 09 8月, 2013 1 次提交
-
-
由 Eric Blake 提交于
This is a second attempt at fixing the problem first attempted in commit 2df8d991; basically undoing the fact that it was reverted in commit 43cee32f, plus fixing two more issues: the code in configure.ac has to EXACTLY match virnetdevbridge.c with regards to declaring in6 types before using if_bridge.h, and the fact that RHEL 5 has even more conflicts: In file included from util/virnetdevbridge.c:49: /usr/include/linux/in6.h:47: error: conflicting types for 'in6addr_any' /usr/include/netinet/in.h:206: error: previous declaration of 'in6addr_any' was here /usr/include/linux/in6.h:49: error: conflicting types for 'in6addr_loopback' /usr/include/netinet/in.h:207: error: previous declaration of 'in6addr_loopback' was here The rest of this commit message borrows from the original try of 2df8d991: A fresh checkout on a RHEL 6 machine with these packages: kernel-headers-2.6.32-405.el6.x86_64 glibc-2.12-1.128.el6.x86_64 failed to configure with this message: checking for linux/if_bridge.h... no configure: error: You must install kernel-headers in order to compile libvirt with QEMU or LXC support Digging in config.log, we see that the problem is identical to what we fixed earlier in commit d12c2811: configure:98831: checking for linux/if_bridge.h configure:98853: gcc -std=gnu99 -c -g -O2 conftest.c >&5 In file included from /usr/include/linux/if_bridge.h:17, from conftest.c:559: /usr/include/linux/in6.h:31: error: redefinition of 'struct in6_addr' /usr/include/linux/in6.h:48: error: redefinition of 'struct sockaddr_in6' /usr/include/linux/in6.h:56: error: redefinition of 'struct ipv6_mreq' configure:98860: $? = 1 I had not hit it earlier because I was using incremental builds, where config.cache had shielded me from the kernel-headers breakage. * configure.ac (if_bridge.h): Avoid conflicting type definitions. * src/util/virnetdevbridge.c (includes): Also sanitize for RHEL 5. Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 08 8月, 2013 1 次提交
-
-
由 Eric Blake 提交于
Commit 3d0e3c1a reintroduced a problem previously squelched in commit 7e5aa78d. Add a syntax check this time around. util/virutil.c: In function 'virGetGroupList': util/virutil.c:1015: error: 'for' loop initial declaration used outside C99 mode * cfg.mk (sc_prohibit_loop_var_decl): New rule. * src/util/virutil.c (virGetGroupList): Fix offender. Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 07 8月, 2013 1 次提交
-
-
由 Guido Günther 提交于
The change from initgroups to virGetGroupList/setgroups in cab36cfe71ba83b71e536ba5c98e596f02b697b0 dropped the primary group from processes group list iff the passed in group to virGetGroupList differs from the user's primary group. So always include the primary group to bring back the old behaviour. Debian has the kvm group as primary group but uses libvirt-qemu:libvirt-qemu as user:group to run the kvm process so without this change the /dev/kvm is inaccessible.
-
- 02 8月, 2013 1 次提交
-
-
由 Daniel P. Berrange 提交于
The journald code would crash if a NULL was passed for the filename / funcname in the logging code. This shouldn't happen in general, but it is better to be safe, since there have been bugs triggering this. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 01 8月, 2013 1 次提交
-
-
由 Guannan Ren 提交于
*src/util/virstoragefile.c: Add a helper function to get the first name of missing backing files, if the name is NULL, it means the diskchain is not broken. *src/qemu/qemu_domain.c: qemuDiskChainCheckBroken(disk) to check if its chain is broken
-