- 29 10月, 2013 3 次提交
-
-
由 Giuseppe Scrivano 提交于
Expand the "secmodel" XML fragment of "host" with a sequence of baselabel's which describe the default security context used by libvirt with a specific security model and virtualization type: <secmodel> <model>selinux</model> <doi>0</doi> <baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel> <baselabel type='qemu'>system_u:system_r:svirt_tcg_t:s0</baselabel> </secmodel> <secmodel> <model>dac</model> <doi>0</doi> <baselabel type='kvm'>107:107</baselabel> <baselabel type='qemu'>107:107</baselabel> </secmodel> "baselabel" is driver-specific information, e.g. in the DAC security model, it indicates USER_ID:GROUP_ID. Signed-off-by: NGiuseppe Scrivano <gscrivan@redhat.com> Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Giuseppe Scrivano 提交于
virSecurityManagerGetBaseLabel queries the default settings used by a security model. Signed-off-by: NGiuseppe Scrivano <gscrivan@redhat.com>
-
由 Giuseppe Scrivano 提交于
Merge the functions 'virSecurityDACSetUser' and 'virSecurityDACSetGroup' into 'virSecurityDACSetUserAndGroup'. Signed-off-by: NGiuseppe Scrivano <gscrivan@redhat.com>
-
- 28 10月, 2013 1 次提交
-
-
由 Chen Hanxiao 提交于
The lxcContainerSetID() method prints a misleading log message about setting the uid/gid when no ID map is present in the XML config. Skip the debug message in this case. Signed-off-by: NChen Hanxiao <chenhanxiao@cn.fujitsu.com>
-
- 24 10月, 2013 2 次提交
-
-
由 John Ferlan 提交于
Commit '922b7fda' resulted in two DEADCODE warnings from Coverity in remoteDispatchAuthPolkit and virAccessDriverPolkitFormatProcess. Commit '604ae657' modified the daemon.c code to remove the deadcode issue, but did not do so for viracessdriverpolkit.c. This just mimics the same changes
-
由 Martin Kletzander 提交于
According to the following valgrind output, there seems to be a invalid limit for the iterator (captured on Fedora 19): ==3945== Invalid read of size 1 ==3945== at 0x1E1FA410: libxlVmStart (libxl_driver.c:475) ==3945== by 0x1E1FAD9A: libxlDomainCreateWithFlags (libxl_driver.c:2633) ==3945== by 0x5187D46: virDomainCreate (libvirt.c:9439) ==3945== by 0x13BAA6: remoteDispatchDomainCreateHelper (remote_dispatch.h:2910) ==3945== by 0x51DE5B9: virNetServerProgramDispatch (virnetserverprogram.c:435) ==3945== by 0x51D93E7: virNetServerHandleJob (virnetserver.c:165) ==3945== by 0x50F5BF4: virThreadPoolWorker (virthreadpool.c:144) ==3945== by 0x50F5670: virThreadHelper (virthreadpthread.c:161) ==3945== by 0x8046C52: start_thread (pthread_create.c:308) ==3945== by 0x8758E1C: clone (clone.S:113) ==3945== Address 0x23424d81 is 0 bytes after a block of size 1 alloc'd ==3945== at 0x4A08121: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==3945== by 0x50B1F8C: virAllocN (viralloc.c:189) ==3945== by 0x1E1FA3CA: libxlVmStart (libxl_driver.c:468) ==3945== by 0x1E1FAD9A: libxlDomainCreateWithFlags (libxl_driver.c:2633) ==3945== by 0x5187D46: virDomainCreate (libvirt.c:9439) ==3945== by 0x13BAA6: remoteDispatchDomainCreateHelper (remote_dispatch.h:2910) ==3945== by 0x51DE5B9: virNetServerProgramDispatch (virnetserverprogram.c:435) ==3945== by 0x51D93E7: virNetServerHandleJob (virnetserver.c:165) ==3945== by 0x50F5BF4: virThreadPoolWorker (virthreadpool.c:144) ==3945== by 0x50F5670: virThreadHelper (virthreadpthread.c:161) ==3945== by 0x8046C52: start_thread (pthread_create.c:308) ==3945== by 0x8758E1C: clone (clone.S:113) ==3945== Related: https://bugzilla.redhat.com/show_bug.cgi?id=1013045Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
-
- 23 10月, 2013 1 次提交
-
-
由 Hongwei Bi 提交于
Currently, we ignore whether dnsmasqCapsRefresh succeeds or fails. We shouldn't do that as we may generate wrong dnsmasq command line (what is done just a few lines below). Signed-off-by: NHongwei Bi <hwbi2008@gmail.com> Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 22 10月, 2013 4 次提交
-
-
由 Doug Goldstein 提交于
While LOCAL_PEERCRED on the BSDs does not return the pid information of the peer, Mac OS X 10.8 added LOCAL_PEERPID to retrieve the pid so we should use that when its available to get that information.
-
由 Michal Privoznik 提交于
There are still two places where we are using 1bit width unsigned integer to store a boolean. There's no real need for this and these occurrences can be replaced with 'bool'. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Jim Fehlig 提交于
After commit 3e2f27e1, I've noticed build failures of virt-login-shell when libapparmor-devel is installed on the build host CCLD virt-login-shell ../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o): In function `virExec': /home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined reference to `aa_change_profile' collect2: error: ld returned 1 exit status I was about to commit an easy fix under the build-breaker rule (build-fix-1.patch), but thought to extend the notion of SECDRIVER_LIBS to SECDRIVER_CFLAGS, and use both throughout src/Makefile.am where it makes sense (build-fix-2.patch). Should I just stick with the simple fix, or is something along the lines of patch 2 preferred? Regards, Jim >From a0f35945f3127ab70d051101037e821b1759b4bb Mon Sep 17 00:00:00 2001 From: Jim Fehlig <jfehlig@suse.com> Date: Mon, 21 Oct 2013 15:30:02 -0600 Subject: [PATCH] build: fix virt-login-shell build with apparmor With libapparmor-devel installed, virt-login-shell fails to link CCLD virt-login-shell ../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o): In function `virExec': /home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined reference to `aa_change_profile' collect2: error: ld returned 1 exit status Fix by linking libvirt_setuid_rpc_client with previously determined SECDRIVER_LIBS in src/Makefile.am. While at it, introduce SECDRIVER_CFLAGS and use both throughout src/Makefile.am where it makes sense. Signed-off-by: NJim Fehlig <jfehlig@suse.com>
-
由 Ryota Ozaki 提交于
HW_PHYSMEM is available on Mac OS X as well as FreeBSD, however, its resulting value for Mac OS X is 32 bits. Mac OS X provides HW_MEMSIZE that is 64 bits version of HW_PHYSMEM. We have to use it. I tested the patch on Mac OS X 10.6.8, 10.7.4, 10.8.5 and FreeBSD 9.2. Signed-off-by: NRyota Ozaki <ozaki.ryota@gmail.com>
-
- 21 10月, 2013 15 次提交
-
-
由 Laine Stump 提交于
This patch (and the two patches that precede it) resolve: https://bugzilla.redhat.com/show_bug.cgi?id=1005682 When libvirt was changed to delay the final cleanup of device removal until the qemu process had signaled it with a DEVICE_DELETED event for that device, the hostdev removal function (qemuDomainRemoveHostDevice()) was written to properly handle the removal of a hostdev that was actually an SRIOV virtual function (defined with <interface type='hostdev'>). However, the function used to search for a device matching the alias name provided in the DEVICE_DELETED message (virDomainDefFindDevice()) would search through the list of netdevs before hostdevs, so qemuDomainRemoveHostDevice() was never called; instead the netdev function, qemuDomainRemoveNetDevice() (which *doesn't* properly cleanup after removal of <interface type='hostdev'>), was called. (As a reminder - each <interface type='hostdev'> results in a virDomainNetDef which contains a virDomainHostdevDef having a parent type of VIR_DOMAIN_DEVICE_NET, and parent.data.net pointing back to the virDomainNetDef; both Defs point to the same device info object (and the info contains the device's "alias", which is used by qemu to identify the device). The virDomainHostdevDef is added to the domain's hostdevs list *and* the virDomainNetDef is added to the domain's nets list, so searching either list for a particular alias will yield a positive result.) This function modifies the qemuDomainRemoveNetDevice() to short circuit itself and call qemu DomainRemoveHostDevice() instead when the actual device is a VIR_DOMAIN_NET_TYPE_HOSTDEV (similar logic to what is done in the higher level qemuDomainDetachNetDevice()) Note that even if virDomainDefFindDevice() changes in the future so that it finds the hostdev entry first, the current code will continue to work properly.
-
由 Laine Stump 提交于
pure code movement to setup for next patch.
-
由 Laine Stump 提交于
This function was called in three places, and in each the call was qualified by a slightly different conditional. In reality, this function should only be called for a hostdev if all of the following are true: 1) mode='subsystem' 2) type='pci' 3) there is a parent device definition which is an <interface> (VIR_DOMAIN_DEVICE_NET) We can simplify the callers and make them more consistent by checking these conditions at the top ov qemuDomainHostdevNetConfigRestore and returning 0 if one of them isn't satisfied. The location of the call to qemuDomainHostdevNetConfigRestore() has also been changed in the hot-plug case - it is moved into the caller of its previous location (i.e. from qemuDomainRemovePCIHostDevice() to qemuDomainRemoveHostDevice()). This was done to be more consistent about which functions pay attention to whether or not this is one of the special <interface> hostdevs or just a normal hostdev - qemuDomainRemoveHostDevice() already contained a call to networkReleaseActualDevice() and virDomainNetDefFree(), so it makes sense for it to also handle the resetting of the device's MAC address and vlan tag (which is what's done by qemuDomainHostdevNetConfigRestore()).
-
由 Daniel P. Berrange 提交于
Avoid people introducing security flaws in their apps by forbidding the use of libvirt.so in setuid programs, with a check in virInitialize. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Most of the usage of getuid()/getgid() is in cases where we are considering what privileges we have. As such the code should be using the effective IDs, not real IDs. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
We already have stubs for getuid, geteuid, getgid but not for getegid. Something in gnulib already does a check for it during configure, so we already have the HAVE_GETEGID macro defined. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
We don't want setuid programs automatically spawning libvirtd, so disable any use of autostart when setuid. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
We don't know enough about quality of external libraries used for non-UNIX transports, nor do we want to spawn external commands when setuid. Restrict to the bare minimum which is UNIX transport for local usage. Users shouldn't need to be running setuid if connecting to remote hypervisors in any case. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The use of getenv is typically insecure, and we want people to use our wrappers, to force them to think about setuid needs. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Unconditional use of getenv is not secure in setuid env. While not all libvirt code runs in a setuid env (since much of it only exists inside libvirtd) this is not always clear to developers. So make all the code paranoid, even if it only ever runs inside libvirtd. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
When running setuid, we must be careful about what env vars we allow commands to inherit from us. Replace the virCommandAddEnvPass function with two new ones which do filtering virCommandAddEnvPassAllowSUID virCommandAddEnvPassBlockSUID And make virCommandAddEnvPassCommon use the appropriate ones Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The libvirt.so library has far too many library deps to allow linking against it from setuid programs. Those libraries can do stuff in __attribute__((constructor) functions which is not setuid safe. The virt-login-shell needs to link directly against individual files that it uses, with all library deps turned off except for libxml2 and libselinux. Create a libvirt-setuid-rpc-client.la library which is linked to by virt-login-shell. A config-post.h file allows this library to disable all external deps except libselinux and libxml2. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
We must not allow file/syslog/journald log outputs when running setuid since they can be abused to do bad things. In particular the 'file' output can be used to overwrite files. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Care must be taken accessing env variables when running setuid. Introduce a virGetEnvAllowSUID for env vars which are safe to use in a setuid environment, and another virGetEnvBlockSUID for vars which are not safe. Also add a virIsSUID helper method for any other non-env var code to use. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The virConnectDomainXMLToNative API should require 'connect:write' not 'connect:read', since it will trigger execution of the QEMU binaries listed in the XML. Also make virConnectDomainXMLFromNative API require a full read-write connection and 'connect:write' permission. Although the current impl doesn't trigger execution of QEMU, we should not rely on that impl detail from an API permissioning POV. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 19 10月, 2013 2 次提交
-
-
由 Geoff Hickey 提交于
The meaning of one line of code was accidentally inverted. Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Michal Privoznik 提交于
Commit e3ef20d7 allows user to configure migration ports range via qemu.conf. However, it forgot to update augeas definition file and even the test data was malicious. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 18 10月, 2013 9 次提交
-
-
-
由 Wang Yufei 提交于
https://bugzilla.redhat.com/show_bug.cgi?id=1019053 When we migrate vms concurrently, there's a chance that libvirtd on destination assigns the same port for different migrations, which will lead to migration failure during prepare phase on destination. So we use virPortAllocator here to solve the problem. Signed-off-by: NWang Yufei <james.wangyufei@huawei.com> Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
-
由 Michal Privoznik 提交于
In fact, the suffix should be _QUIET not _QUIT to stress the fact, that no OOM error is reported on error. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Christophe Fergeau 提交于
netcfStateInitialize() initializes the driverState variable, and when netcfStateCleanup is called, it will call virReportError() if driverState is NULL. This is not consistent with what other state objects are doing, they return -1 without reporting an error in such cases. See also https://www.redhat.com/archives/libvir-list/2013-October/msg00809.html: On Thu, Oct 17, 2013 at 01:40:19PM +0100, Daniel P. Berrange wrote: > We don't want virStateCleanup to skip execution if virStateInitialize > has failed though - every callback in virStateCleanup should be written > to be safe if its corresponding init function hasn't run.
-
由 Zhou Yimin 提交于
Introduced by 7b87a3 When I quit the process which only register VIR_DOMAIN_EVENT_ID_REBOOT, I got error like: "libvirt: XML-RPC error : internal error: domain event 0 not registered". Then I add the following code, it fixed. Signed-off-by: NZhou Yimin <zhouyimin@huawei.com> Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 John Ferlan 提交于
The header definition didn't match the function declaration, so adjusted header to reflect the definition. Found during a Coverity build where STATIC_ANALYSIS is enabled resulting in the internal.h adding __nonnull__ handling to arguments. Commit '6d264c91' added support for the qemuMonitorJSONDrivePivot() and commit 'fbc3adc9' added a corresponding test which ended up triggering the build failure which I didn't notice until today!
-
由 Geoff Hickey 提交于
Code cleanup: remove explicit NULL comparisons like ptr == NULL and ptr != NULL from the ESX code, replacing them with the simpler ptr and !ptr. Part three of three.
-
由 Geoff Hickey 提交于
Code cleanup: remove explicit NULL comparisons like ptr == NULL and ptr != NULL from the ESX code, replacing them with the simpler ptr and !ptr. Part two of three.
-
由 Geoff Hickey 提交于
Code cleanup: remove explicit NULL comparisons like ptr == NULL and ptr != NULL from the ESX code, replacing them with the simpler ptr and !ptr. Part one of three.
-
- 17 10月, 2013 3 次提交
-
-
由 Daniel P. Berrange 提交于
QEMU has support for SASL auth for SPICE guests, but libvirt has no way to enable it. Following the example from VNC where it is globally enabled via qemu.conf Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Michal Privoznik 提交于
The last argument of memmove is the amount of bytes to be moved. The amount is in Bytes. We are moving some void pointers around. However, since sizeof(void *) is not Byte on any architecture, we've got the arithmetic wrong.
-
由 Brian Candler 提交于
This patch improves the error checking in the LOCAL_PEERCRED version of virNetSocketGetUNIXIdentity, used by FreeBSD and Mac OSX. 1. The error return paths now correctly unlock the socket. This is implemented in exactly the same way as the SO_PEERCRED version, using "goto cleanup" 2. cr.cr_ngroups is initialised to -1, and cr.cr_ngroups is checked for negative and overlarge values. This means that if the getsockopt() call returns success but doesn't actually update the xucred structure, this is now caught. This happened previously when getsockopt was called with SOL_SOCKET instead of SOL_LOCAL, prior to commit 5a468b38, and resulted in random uids being accepted. Signed-off-by: NEric Blake <eblake@redhat.com>
-