- 28 9月, 2011 2 次提交
-
-
由 Laine Stump 提交于
This patch fixes the regression with using named pipes for qemu serial devices noted in: https://bugzilla.redhat.com/show_bug.cgi?id=740478 The problem was that, while new code in libvirt looks for a single bidirectional fifo of the name given in the config, then relabels that and continues without looking for / relabelling the two unidirectional fifos named ${name}.in and ${name}.out, qemu looks in the opposite order. So if the user had naively created all three fifos, libvirt would relabel the bidirectional fifo to allow qemu access, but qemu would attempt to use the two unidirectional fifos and fail (because it didn't have proper permissions/rights). This patch changes the order that libvirt looks for the fifos to match what qemu does - first it looks for the dual fifos, then it looks for the single bidirectional fifo. If it finds the dual unidirectional fifos first, it labels/chowns them and ignores any possible bidirectional fifo. (Note commit d37c6a3a (which first appeared in libvirt-0.9.2) added the code that checked for a bidirectional fifo. Prior to that commit, bidirectional fifos for serial devices didn't work because libvirt always required the ${name}.(in|out) fifos to exist, and qemu would always prefer those.
-
由 Jamie Strandboge 提交于
The AppArmor security driver adds only the path specified in the domain XML for character devices of type 'pipe'. It should be using <path>.in and <path>.out. We do this by creating a new vah_add_file_chardev() and use it for char devices instead of vah_add_file(). Also adjust valid_path() to accept S_FIFO (since qemu chardevs of type 'pipe' use fifos). This is https://launchpad.net/bugs/832507
-
- 23 9月, 2011 1 次提交
-
-
由 Michal Privoznik 提交于
Previous patch c9b37fee tried to deal with virt_use_nfs. But setfilecon() returns EOPNOTSUPP on NFS so we need to move the warning to else branch.
-
- 14 9月, 2011 1 次提交
-
-
由 Peter Krempa 提交于
Commit 498d7833 cleans up some of virtual file names for parsing strings in memory. This patch cleans up (hopefuly) the rest forgotten by the first patch. This patch also changes all of the previously modified "filenames" to valid URI's replacing spaces for underscores. Changes to v1: - Replace all spaces for underscores, so that the strings form valid URI's - Replace spaces in places changed by commit 498d7833
-
- 09 9月, 2011 2 次提交
-
-
由 Michal Privoznik 提交于
If we fail setting label on a file and this file is on NFS share, it is wise to advise user to set virt_use_nfs selinux boolean variable.
-
由 Peter Krempa 提交于
While parsing XML strings from memory, the previous convention in libvirt was to set the virtual file name to "domain.xml" or something similar. This could potentialy trick the user into looking for a file named domain.xml on the disk in an attempt to fix the error. This patch changes these filenames to something that can't be as easily confused for a valid filename. Examples of error messages: --------------------------- Error while loading file from disk: 15:07:59.015: 527: error : catchXMLError:709 : /path/to/domain.xml:1: StartTag: invalid element name <domain type='kvm'>< --------------------^ Error while parsing definition in memory: 15:08:43.581: 525: error : catchXMLError:709 : (domain definition):2: error parsing attribute name <name>vm1</name> --^
-
- 31 8月, 2011 1 次提交
-
-
由 Daniel P. Berrange 提交于
The virSecurityManagerSetProcessFDLabel method was introduced after a mis-understanding from a conversation about SELinux socket labelling. The virSecurityManagerSetSocketLabel method should have been used for all such scenarios. * src/security/security_apparmor.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_manager.c, src/security/security_manager.h, src/security/security_selinux.c, src/security/security_stack.c: Remove SetProcessFDLabel driver
-
- 26 8月, 2011 2 次提交
-
-
由 Jiri Denemark 提交于
This API labels all sockets created until ClearSocketLabel is called in a way that a vm can access them (i.e., they are labeled with svirt_t based label in SELinux).
-
由 Jiri Denemark 提交于
The APIs are designed to label a socket in a way that the libvirt daemon itself is able to access it (i.e., in SELinux the label is virtd_t based as opposed to svirt_* we use for labeling resources that need to be accessed by a vm). The new name reflects this.
-
- 19 8月, 2011 1 次提交
-
-
由 Eric Blake 提交于
Repetitive patterns should be factored. The sign of a good factorization is a change that kills 5x more lines than it adds :) * src/conf/domain_conf.c (virDomainDeviceDefParse) (virDomainSnapshotDefParseString): Use new convenience macros. * src/conf/storage_conf.c (virStoragePoolDefParseSourceString): Likewise. * src/cpu/cpu.c (cpuCompareXML, cpuBaselineXML): Likewise. * src/esx/esx_vi.c (esxVI_Context_Execute): Likewise. * src/qemu/qemu_migration.c (qemuMigrationCookieXMLParseStr): Likewise. * src/security/virt-aa-helper.c (caps_mockup): Likewise. * src/test/test_driver.c (testOpenFromFile): Likewise. * tests/cputest.c (cpuTestLoadXML, cpuTestLoadMultiXML): Likewise. * tools/virsh.c (cmdFreecell, makeCloneXML, cmdVNCDisplay) (cmdTTYConsole, cmdDetachInterface, cmdDetachDisk) (cmdSnapshotCreate, cmdSnapshotCreateAs, cmdSnapshotCurrent) (cmdSnapshotList, cmdSnapshotParent): Likewise.
-
- 22 7月, 2011 1 次提交
-
-
由 Eric Blake 提交于
In preparation for a future patch adding new virFile APIs. * src/util/files.h, src/util/files.c: Move... * src/util/virfile.h, src/util/virfile.c: ...here, and rename functions to virFile prefix. Macro names are intentionally left alone. * *.c: All '#include "files.h"' uses changed. * src/Makefile.am (UTIL_SOURCES): Reflect rename. * cfg.mk (exclude_file_name_regexp--sc_prohibit_close): Likewise. * src/libvirt_private.syms: Likewise. * docs/hacking.html.in: Likewise. * HACKING: Regenerate.
-
- 15 7月, 2011 1 次提交
-
-
由 Jamie Strandboge 提交于
In the Ubuntu development release we recently got a new udev that moves /var/run to /run, /var/lock to /run/lock and /dev/shm to /run/shm. This change in udev requires updating the apparmor security driver in libvirt[1]. Attached is a patch that: * adjusts src/security/virt-aa-helper.c to allow both LOCALSTATEDIR/run/libvirt/**/%s.pid and /run/libvirt/**/%s.pid. While the profile is not as precise, LOCALSTATEDIR/run/ is typically a symlink to /run/ anyway, so there is no additional access (remember that apparmor resolves symlinks, which is why this is still required even if /var/run points to /run). * adjusts example/apparmor/libvirt-qemu paths for /dev/shm [1]https://launchpad.net/bugs/810270 -- Jamie Strandboge | http://www.canonical.com
-
- 12 7月, 2011 1 次提交
-
-
由 Matthias Bolte 提交于
The drivers were accepting domain configs without checking if those were actually meant for them. For example the LXC driver happily accepts configs with type QEMU. Add a check for the expected domain types to the virDomainDefParse* functions.
-
- 06 7月, 2011 2 次提交
-
-
由 Matthias Bolte 提交于
Commit 693eac38 was incomplete here.
-
由 Daniel P. Berrange 提交于
When no <seclabel> is present in the XML, the virDomainSeclabelDef struct is left as all zeros. Unfortunately, this means it gets setup as type=dynamic, with relabel=no, which is an illegal combination. Change the 'bool relabel' attribute in virDomainSeclabelDef to the inverse 'bool norelabel' so that the default initialization is sensible * src/conf/domain_conf.c, src/conf/domain_conf.h, src/security/security_apparmor.c, src/security/security_selinux.c: Replace 'relabel' with 'norelabel'
-
- 04 7月, 2011 2 次提交
-
-
由 Daniel P. Berrange 提交于
Add a new attribute to the <seclabel> XML to allow resource relabelling to be enabled with static label usage. <seclabel model='selinux' type='static' relabel='yes'> <label>system_u:system_r:svirt_t:s0:c392,c662</label> </seclabel> * docs/schemas/domain.rng: Add relabel attribute * src/conf/domain_conf.c, src/conf/domain_conf.h: Parse the 'relabel' attribute * src/qemu/qemu_process.c: Unconditionally clear out the 'imagelabel' attribute * src/security/security_apparmor.c: Skip based on 'relabel' attribute instead of label type * src/security/security_selinux.c: Skip based on 'relabel' attribute instead of label type and fill in <imagelabel> attribute if relabel is enabled.
-
由 Daniel P. Berrange 提交于
Normally the dynamic labelling mode will always use a base label of 'svirt_t' for VMs. Introduce a <baselabel> field in the <seclabel> XML to allow this base label to be changed eg <seclabel type='dynamic' model='selinux'> <baselabel>system_u:object_r:virt_t:s0</baselabel> </seclabel> * docs/schemas/domain.rng: Add <baselabel> * src/conf/domain_conf.c, src/conf/domain_conf.h: Parsing of base label * src/qemu/qemu_process.c: Don't reset 'model' attribute if a base label is specified * src/security/security_apparmor.c: Refuse to support base label * src/security/security_selinux.c: Use 'baselabel' when generating label, if available
-
- 28 6月, 2011 2 次提交
-
-
由 Daniel P. Berrange 提交于
Add a new security driver method for labelling an FD with the process label, rather than the image label * src/libvirt_private.syms, src/security/security_apparmor.c, src/security/security_dac.c, src/security/security_driver.h, src/security/security_manager.c, src/security/security_manager.h, src/security/security_selinux.c, src/security/security_stack.c: Add virSecurityManagerSetProcessFDLabel & impl
-
由 Daniel P. Berrange 提交于
The virSecurityManagerSetFDLabel method is used to label file descriptors associated with disk images. There will shortly be a need to label other file descriptors in a different way. So the current name is ambiguous. Rename the method to virSecurityManagerSetImageFDLabel to clarify its purpose * src/libvirt_private.syms, src/qemu/qemu_migration.c, src/qemu/qemu_process.c, src/security/security_apparmor.c, src/security/security_dac.c, src/security/security_driver.h, src/security/security_manager.c, src/security/security_manager.h, src/security/security_selinux.c, src/security/security_stack.c: s/FDLabel/ImageFDLabel/
-
- 25 6月, 2011 1 次提交
-
-
由 Jamie Strandboge 提交于
Commit 12317957 introduced an incompatible architectural change for the AppArmor security driver. Specifically, virSecurityManagerSetAllLabel() is now called much later in src/qemu/qemu_process.c:qemuProcessStart(). Previously, SetAllLabel() was called immediately after GenLabel() such that after the dynamic label (profile name) was generated, SetAllLabel() would be called to create and load the AppArmor profile into the kernel before qemuProcessHook() was executed. With 12317957, qemuProcessHook() is now called before SetAllLabel(), such that aa_change_profile() ends up being called before the AppArmor profile is loaded into the kernel (via ProcessLabel() in qemuProcessHook()). This patch addresses the change by making GenLabel() load the AppArmor profile into the kernel after the label (profile name) is generated. SetAllLabel() is then adjusted to only reload_profile() and append stdin_fn to the profile when it is specified. This also makes the AppArmor driver work like its SELinux counterpart with regard to SetAllLabel() and stdin_fn. Bug-Ubuntu: https://launchpad.net/bugs/801569
-
- 20 6月, 2011 1 次提交
-
-
由 Jamie Strandboge 提交于
During a savevm operation, libvirt will now use fd migration if qemu supports it. When the AppArmor driver is enabled, AppArmorSetFDLabel() is used but since this function simply returns '0', the dynamic AppArmor profile is not updated and AppArmor blocks access to the save file. This patch implements AppArmorSetFDLabel() to get the pathname of the file by resolving the fd symlink in /proc, and then gives that pathname to reload_profile(), which fixes 'virsh save' when AppArmor is enabled. Reference: https://launchpad.net/bugs/795800
-
- 08 6月, 2011 1 次提交
-
-
由 Eric Blake 提交于
Regression introduced in commit 02e86910. * src/security/virt-aa-helper.c (includes): Reflect move of virRun.
-
- 04 6月, 2011 1 次提交
-
-
由 Laine Stump 提交于
This fixes: https://bugzilla.redhat.com/show_bug.cgi?id=702044 https://bugzilla.redhat.com/show_bug.cgi?id=709454 Both of these complain of a failure to use an image file that resides on a read-only NFS volume. The function in the DAC security driver that chowns image files to the qemu user:group before using them already has special cases to ignore failure of chown on read-only file systems, and in a few other cases, but it hadn't been checking for EINVAL, which is what is returned if the qemu user doesn't even exist on the NFS server. Since the explanation of EINVAL in the chown man page almost exactly matches the log message already present for the case of EOPNOTSUPP, I've just added EINVAL to that same conditional.
-
- 02 6月, 2011 1 次提交
-
-
由 Eric Blake 提交于
Regression introduced in commit d6623003 (v0.8.8) - using the wrong sizeof operand meant that security manager private data was overlaying the allowDiskFormatProbing member of struct _virSecurityManager. This reopens disk probing, which was supposed to be prevented by the solution to CVE-2010-2238. * src/security/security_manager.c (virSecurityManagerGetPrivateData): Use correct offset.
-
- 14 5月, 2011 2 次提交
-
-
由 Matthias Bolte 提交于
Commit aaf20355 was incomplete here and missed to remove some parts.
-
由 Cole Robinson 提交于
Untested
-
- 13 5月, 2011 1 次提交
-
-
由 Cole Robinson 提交于
virt-aa-helper isn't even compile tested since I don't have the setup for it. v2: virt-aa-helper fixes from Eric
-
- 10 5月, 2011 1 次提交
-
-
由 Matthias Bolte 提交于
-
- 06 5月, 2011 2 次提交
-
-
由 Daniel P. Berrange 提交于
When setting up a FIFO for QEMU, it allows either a pair of fifos used unidirectionally, or a single fifo used bidirectionally. Look for the bidirectional fifo first when labelling since that is more useful * src/security/security_dac.c, src/security/security_selinux.c: Fix fifo handling
-
由 Eric Blake 提交于
We already have virAsprintf, so picking a similar name helps for seeing a similar purpose. Furthermore, the prefix V before printf generally implies 'va_list', even though this variant was '...', and the old name got in the way of adding a new va_list version. global rename performed with: $ git grep -l virBufferVSprintf \ | xargs -L1 sed -i 's/virBufferVSprintf/virBufferAsprintf/g' then revert the changes in ChangeLog-old.
-
- 17 4月, 2011 1 次提交
-
-
由 Matthias Bolte 提交于
And from all related macros and functions.
-
- 16 4月, 2011 1 次提交
-
-
由 Eric Blake 提交于
It costs quite a few processor cycles to go through printf parsing just to determine that we only meant to append. * src/xen/xend_internal.c (xend_op_ext): Consolidate multiple printfs into one. * src/qemu/qemu_command.c (qemuBuildWatchdogDevStr) (qemuBuildUSBInputDevStr, qemuBuildSoundDevStr) (qemuBuildSoundCodecStr, qemuBuildVideoDevStr): Likewise. (qemuBuildCpuArgStr, qemuBuildCommandLine): Prefer virBufferAdd over virBufferVsprintf for trivial appends. * src/phyp/phyp_driver.c (phypExec, phypUUIDTable_Push) (phypUUIDTable_Pull): Likewise. * src/conf/nwfilter_conf.c (macProtocolIDFormatter) (arpOpcodeFormatter, formatIPProtocolID, printStringItems) (virNWFilterPrintStateMatchFlags, virNWIPAddressFormat) (virNWFilterDefFormat): Likewise. * src/security/virt-aa-helper.c (main): Likewise. * src/util/sexpr.c (sexpr2string): Likewise. * src/xenxs/xen_sxpr.c (xenFormatSxprChr): Likewise. * src/xenxs/xen_xm.c (xenFormatXMDisk): Likewise.
-
- 05 4月, 2011 2 次提交
-
-
由 Matthias Bolte 提交于
-
由 Eric Blake 提交于
Even with -Wuninitialized (which is part of autobuild.sh --enable-compile-warnings=error), gcc does NOT catch this use of an uninitialized variable: { if (cond) goto error; int a = 1; error: printf("%d", a); } which prints 0 (supposing the stack started life wiped) if cond was true. Clang will catch it, but we don't use clang as often. Using gcc -Wjump-misses-init catches it, but also gives false positives: { if (cond) goto error; int a = 1; return a; error: return 0; } Here, a was never used in the scope of the error block, so declaring it after goto is technically fine (and clang agrees). However, given that our HACKING already documents a preference to C89 decl-before-statement, the false positive warning is enough of a prod to comply with HACKING. [Personally, I'd _really_ rather use C99 decl-after-statement to minimize scope, but until gcc can efficiently and reliably catch scoping and uninitialized usage bugs, I'll settle with the compromise of enforcing a coding standard that happens to reject false positives if it can also detect real bugs.] * acinclude.m4 (LIBVIRT_COMPILE_WARNINGS): Add -Wjump-misses-init. * src/util/util.c (__virExec): Adjust offenders. * src/conf/domain_conf.c (virDomainTimerDefParseXML): Likewise. * src/remote/remote_driver.c (doRemoteOpen): Likewise. * src/phyp/phyp_driver.c (phypGetLparNAME, phypGetLparProfile) (phypGetVIOSFreeSCSIAdapter, phypVolumeGetKey) (phypGetStoragePoolDevice) (phypVolumeGetPhysicalVolumeByStoragePool) (phypVolumeGetPath): Likewise. * src/vbox/vbox_tmpl.c (vboxNetworkUndefineDestroy) (vboxNetworkCreate, vboxNetworkDumpXML) (vboxNetworkDefineCreateXML): Likewise. * src/xenapi/xenapi_driver.c (getCapsObject) (xenapiDomainDumpXML): Likewise. * src/xenapi/xenapi_utils.c (createVMRecordFromXml): Likewise. * src/security/security_selinux.c (SELinuxGenNewContext): Likewise. * src/qemu/qemu_command.c (qemuBuildCommandLine): Likewise. * src/qemu/qemu_hotplug.c (qemuDomainChangeEjectableMedia): Likewise. * src/qemu/qemu_process.c (qemuProcessWaitForMonitor): Likewise. * src/qemu/qemu_monitor_text.c (qemuMonitorTextGetPtyPaths): Likewise. * src/qemu/qemu_driver.c (qemudDomainShutdown) (qemudDomainBlockStats, qemudDomainMemoryPeek): Likewise. * src/storage/storage_backend_iscsi.c (virStorageBackendCreateIfaceIQN): Likewise. * src/node_device/node_device_udev.c (udevProcessPCI): Likewise.
-
- 25 3月, 2011 1 次提交
-
-
由 Eric Blake 提交于
Child processes don't always reach _exit(); if they die from a signal, then any messages should still be accurate. Most users either expect a 0 status (thankfully, if status==0, then WIFEXITED(status) is true and WEXITSTATUS(status)==0 for all known platforms) or were filtering on WIFEXITED before printing a status, but a few were missing this check. Additionally, nwfilter_ebiptables_driver was making an assumption that works on Linux (where WEXITSTATUS shifts and WTERMSIG just masks) but fails on other platforms (where WEXITSTATUS just masks and WTERMSIG shifts). * src/util/command.h (virCommandTranslateStatus): New helper. * src/libvirt_private.syms (command.h): Export it. * src/util/command.c (virCommandTranslateStatus): New function. (virCommandWait): Use it to also diagnose status from signals. * src/security/security_apparmor.c (load_profile): Likewise. * src/storage/storage_backend.c (virStorageBackendQEMUImgBackingFormat): Likewise. * src/util/util.c (virExecDaemonize, virRunWithHook) (virFileOperation, virDirCreate): Likewise. * daemon/remote.c (remoteDispatchAuthPolkit): Likewise. * src/nwfilter/nwfilter_ebiptables_driver.c (ebiptablesExecCLI): Likewise.
-
- 09 3月, 2011 1 次提交
-
-
由 Eric Blake 提交于
On cygwin: CC libvirt_driver_security_la-security_dac.lo security/security_dac.c: In function 'virSecurityDACSetProcessLabel': security/security_dac.c:618: warning: format '%d' expects type 'int', but argument 7 has type 'uid_t' [-Wformat] We've done this before (see src/util/util.c). * src/security/security_dac.c (virSecurityDACSetProcessLabel): On cygwin, uid_t is a 32-bit long.
-
- 03 3月, 2011 1 次提交
-
-
由 Soren Hansen 提交于
virSecurityDAC{Set,Restore}ChardevCallback expect virSecurityManagerPtr, but are passed virDomainObjPtr instead. This makes virSecurityDACSetChardevLabel set a wrong uid/gid on chardevs. This patch fixes this behaviour. Signed-off-by: NSoren Hansen <soren@linux2go.dk>
-
- 24 2月, 2011 1 次提交
-
-
由 Daniel P. Berrange 提交于
Remove the <stdbool.h> header from all source files / headers and just put it into internal.h * src/internal.h: Add <stdbool.h>
-
- 23 2月, 2011 1 次提交
-
-
由 Eric Blake 提交于
Leak introduced in commit d6623003. * src/qemu/qemu_driver.c (qemuSecurityInit): Avoid leak on failure. * src/security/security_stack.c (virSecurityStackClose): Avoid leaking component drivers.
-
- 21 2月, 2011 1 次提交
-
-
由 Eric Blake 提交于
Done mechanically with: $ git grep -l '\bDEBUG0\? *(' | xargs -L1 sed -i 's/\bDEBUG0\? *(/VIR_&/' followed by manual deletion of qemudDebug in daemon/libvirtd.c, along with a single 'make syntax-check' fallout in the same file, and the actual deletion in src/util/logging.h. * src/util/logging.h (DEBUG, DEBUG0): Delete. * daemon/libvirtd.h (qemudDebug): Likewise. * global: Change remaining clients over to VIR_DEBUG counterpart.
-