1. 28 9月, 2011 2 次提交
    • L
      security: properly chown/label bidirectional and unidirectional fifos · 46e8dc71
      Laine Stump 提交于
      This patch fixes the regression with using named pipes for qemu serial
      devices noted in:
      
        https://bugzilla.redhat.com/show_bug.cgi?id=740478
      
      The problem was that, while new code in libvirt looks for a single
      bidirectional fifo of the name given in the config, then relabels that
      and continues without looking for / relabelling the two unidirectional
      fifos named ${name}.in and ${name}.out, qemu looks in the opposite
      order. So if the user had naively created all three fifos, libvirt
      would relabel the bidirectional fifo to allow qemu access, but qemu
      would attempt to use the two unidirectional fifos and fail (because it
      didn't have proper permissions/rights).
      
      This patch changes the order that libvirt looks for the fifos to match
      what qemu does - first it looks for the dual fifos, then it looks for
      the single bidirectional fifo. If it finds the dual unidirectional
      fifos first, it labels/chowns them and ignores any possible
      bidirectional fifo.
      
      (Note commit d37c6a3a (which first appeared in libvirt-0.9.2) added
      the code that checked for a bidirectional fifo. Prior to that commit,
      bidirectional fifos for serial devices didn't work because libvirt
      always required the ${name}.(in|out) fifos to exist, and qemu would
      always prefer those.
      46e8dc71
    • J
      fix AppArmor driver for pipe character devices · 03d89991
      Jamie Strandboge 提交于
      The AppArmor security driver adds only the path specified in the domain
      XML for character devices of type 'pipe'. It should be using <path>.in
      and <path>.out. We do this by creating a new vah_add_file_chardev() and
      use it for char devices instead of vah_add_file(). Also adjust
      valid_path() to accept S_FIFO (since qemu chardevs of type 'pipe' use
      fifos). This is https://launchpad.net/bugs/832507
      03d89991
  2. 23 9月, 2011 1 次提交
  3. 14 9月, 2011 1 次提交
    • P
      xml: Clean up rest of virtual XML document names for XML strings · b998f1f7
      Peter Krempa 提交于
      Commit 498d7833 cleans up some of virtual file names for parsing strings
      in memory. This patch cleans up (hopefuly) the rest forgotten by the
      first patch.
      
      This patch also changes all of the previously modified "filenames" to
      valid URI's replacing spaces for underscores.
      
      Changes to v1:
      - Replace all spaces for underscores, so that the strings form valid
        URI's
      - Replace spaces in places changed by commit 498d7833
      b998f1f7
  4. 09 9月, 2011 2 次提交
    • M
      selinux: Detect virt_use_nfs boolean set · c9b37fee
      Michal Privoznik 提交于
      If we fail setting label on a file and this file is on NFS share,
      it is wise to advise user to set virt_use_nfs selinux boolean
      variable.
      c9b37fee
    • P
      xml: Change virtual file names of xml documents parsed in memory · 498d7833
      Peter Krempa 提交于
      While parsing XML strings from memory, the previous convention in
      libvirt was to set the virtual file name to "domain.xml" or something
      similar. This could potentialy trick the user into looking for a file
      named domain.xml on the disk in an attempt to fix the error.
      
      This patch changes these filenames to something that can't be as easily
      confused for a valid filename.
      
      Examples of error messages:
      ---------------------------
      Error while loading file from disk:
      
      15:07:59.015: 527: error : catchXMLError:709 : /path/to/domain.xml:1: StartTag: invalid element name
      <domain type='kvm'><
      --------------------^
      
      Error while parsing definition in memory:
      
      15:08:43.581: 525: error : catchXMLError:709 : (domain definition):2: error parsing attribute name
        <name>vm1</name>
      --^
      498d7833
  5. 31 8月, 2011 1 次提交
    • D
      Remove bogus virSecurityManagerSetProcessFDLabel method · 18338388
      Daniel P. Berrange 提交于
      The virSecurityManagerSetProcessFDLabel method was introduced
      after a mis-understanding from a conversation about SELinux
      socket labelling. The virSecurityManagerSetSocketLabel method
      should have been used for all such scenarios.
      
      * src/security/security_apparmor.c, src/security/security_apparmor.c,
        src/security/security_driver.h, src/security/security_manager.c,
        src/security/security_manager.h, src/security/security_selinux.c,
        src/security/security_stack.c: Remove SetProcessFDLabel driver
      18338388
  6. 26 8月, 2011 2 次提交
    • J
      security: Introduce SetSocketLabel · 520d91f8
      Jiri Denemark 提交于
      This API labels all sockets created until ClearSocketLabel is called in
      a way that a vm can access them (i.e., they are labeled with svirt_t
      based label in SELinux).
      520d91f8
    • J
      security: Rename SetSocketLabel APIs to SetDaemonSocketLabel · 4c85d96f
      Jiri Denemark 提交于
      The APIs are designed to label a socket in a way that the libvirt daemon
      itself is able to access it (i.e., in SELinux the label is virtd_t based
      as opposed to svirt_* we use for labeling resources that need to be
      accessed by a vm). The new name reflects this.
      4c85d96f
  7. 19 8月, 2011 1 次提交
    • E
      maint: simplify lots of libxml2 clients · d89dd42d
      Eric Blake 提交于
      Repetitive patterns should be factored.  The sign of a good
      factorization is a change that kills 5x more lines than it adds :)
      
      * src/conf/domain_conf.c (virDomainDeviceDefParse)
      (virDomainSnapshotDefParseString): Use new convenience macros.
      * src/conf/storage_conf.c (virStoragePoolDefParseSourceString):
      Likewise.
      * src/cpu/cpu.c (cpuCompareXML, cpuBaselineXML): Likewise.
      * src/esx/esx_vi.c (esxVI_Context_Execute): Likewise.
      * src/qemu/qemu_migration.c (qemuMigrationCookieXMLParseStr):
      Likewise.
      * src/security/virt-aa-helper.c (caps_mockup): Likewise.
      * src/test/test_driver.c (testOpenFromFile): Likewise.
      * tests/cputest.c (cpuTestLoadXML, cpuTestLoadMultiXML):
      Likewise.
      * tools/virsh.c (cmdFreecell, makeCloneXML, cmdVNCDisplay)
      (cmdTTYConsole, cmdDetachInterface, cmdDetachDisk)
      (cmdSnapshotCreate, cmdSnapshotCreateAs, cmdSnapshotCurrent)
      (cmdSnapshotList, cmdSnapshotParent): Likewise.
      d89dd42d
  8. 22 7月, 2011 1 次提交
    • E
      build: rename files.h to virfile.h · 8e22e089
      Eric Blake 提交于
      In preparation for a future patch adding new virFile APIs.
      
      * src/util/files.h, src/util/files.c: Move...
      * src/util/virfile.h, src/util/virfile.c: ...here, and rename
      functions to virFile prefix.  Macro names are intentionally
      left alone.
      * *.c: All '#include "files.h"' uses changed.
      * src/Makefile.am (UTIL_SOURCES): Reflect rename.
      * cfg.mk (exclude_file_name_regexp--sc_prohibit_close): Likewise.
      * src/libvirt_private.syms: Likewise.
      * docs/hacking.html.in: Likewise.
      * HACKING: Regenerate.
      8e22e089
  9. 15 7月, 2011 1 次提交
    • J
      update apparmor security driver for new udev paths · 3d732040
      Jamie Strandboge 提交于
      In the Ubuntu development release we recently got a new udev that
      moves /var/run to /run, /var/lock to /run/lock and /dev/shm to /run/shm.
      This change in udev requires updating the apparmor security driver in
      libvirt[1].
      
      Attached is a patch that:
       * adjusts src/security/virt-aa-helper.c to allow both
      LOCALSTATEDIR/run/libvirt/**/%s.pid and /run/libvirt/**/%s.pid. While
      the profile is not as precise, LOCALSTATEDIR/run/ is typically a symlink
      to /run/ anyway, so there is no additional access (remember that
      apparmor resolves symlinks, which is why this is still required even
      if /var/run points to /run).
       * adjusts example/apparmor/libvirt-qemu paths for /dev/shm
      
      [1]https://launchpad.net/bugs/810270
      
      --
      Jamie Strandboge             | http://www.canonical.com
      3d732040
  10. 12 7月, 2011 1 次提交
    • M
      Add domain type checking · aa14709a
      Matthias Bolte 提交于
      The drivers were accepting domain configs without checking if those
      were actually meant for them. For example the LXC driver happily
      accepts configs with type QEMU.
      
      Add a check for the expected domain types to the virDomainDefParse*
      functions.
      aa14709a
  11. 06 7月, 2011 2 次提交
    • M
      apparmor: Finish incomplete renaming of relabel to norelabel · 2d2d6a01
      Matthias Bolte 提交于
      Commit 693eac38 was incomplete here.
      2d2d6a01
    • D
      Fix default value of security label 'relabel' attribute · 693eac38
      Daniel P. Berrange 提交于
      When no <seclabel> is present in the XML, the virDomainSeclabelDef
      struct is left as all zeros. Unfortunately, this means it gets setup
      as type=dynamic, with relabel=no, which is an illegal combination.
      
      Change the 'bool relabel' attribute in virDomainSeclabelDef to
      the inverse 'bool norelabel' so that the default initialization
      is sensible
      
      * src/conf/domain_conf.c, src/conf/domain_conf.h,
        src/security/security_apparmor.c, src/security/security_selinux.c:
        Replace 'relabel' with 'norelabel'
      693eac38
  12. 04 7月, 2011 2 次提交
    • D
      Allow for resource relabelling with static labels · 6321fd97
      Daniel P. Berrange 提交于
      Add a new attribute to the <seclabel> XML to allow resource
      relabelling to be enabled with static label usage.
      
        <seclabel model='selinux' type='static' relabel='yes'>
          <label>system_u:system_r:svirt_t:s0:c392,c662</label>
        </seclabel>
      
      * docs/schemas/domain.rng: Add relabel attribute
      * src/conf/domain_conf.c, src/conf/domain_conf.h: Parse
        the 'relabel' attribute
      * src/qemu/qemu_process.c: Unconditionally clear out the
        'imagelabel' attribute
      * src/security/security_apparmor.c: Skip based on 'relabel'
        attribute instead of label type
      * src/security/security_selinux.c: Skip based on 'relabel'
        attribute instead of label type and fill in <imagelabel>
        attribute if relabel is enabled.
      6321fd97
    • D
      Allow a base label to be specified in dynamic labelling mode · 4ebfc427
      Daniel P. Berrange 提交于
      Normally the dynamic labelling mode will always use a base
      label of 'svirt_t' for VMs. Introduce a <baselabel> field
      in the <seclabel> XML to allow this base label to be changed
      
      eg
      
         <seclabel type='dynamic' model='selinux'>
           <baselabel>system_u:object_r:virt_t:s0</baselabel>
         </seclabel>
      
      * docs/schemas/domain.rng: Add <baselabel>
      * src/conf/domain_conf.c, src/conf/domain_conf.h: Parsing
        of base label
      * src/qemu/qemu_process.c: Don't reset 'model' attribute if
        a base label is specified
      * src/security/security_apparmor.c: Refuse to support base label
      * src/security/security_selinux.c: Use 'baselabel' when generating
        label, if available
      4ebfc427
  13. 28 6月, 2011 2 次提交
    • D
      Add a virSecurityManagerSetProcessFDLabel · 8e3c6fbb
      Daniel P. Berrange 提交于
      Add a new security driver method for labelling an FD with
      the process label, rather than the image label
      
      * src/libvirt_private.syms, src/security/security_apparmor.c,
        src/security/security_dac.c, src/security/security_driver.h,
        src/security/security_manager.c, src/security/security_manager.h,
        src/security/security_selinux.c, src/security/security_stack.c:
        Add virSecurityManagerSetProcessFDLabel & impl
      8e3c6fbb
    • D
      Rename virSecurityManagerSetFDLabel method · 4438c63e
      Daniel P. Berrange 提交于
      The virSecurityManagerSetFDLabel method is used to label
      file descriptors associated with disk images. There will
      shortly be a need to label other file descriptors in a
      different way. So the current name is ambiguous. Rename
      the method to virSecurityManagerSetImageFDLabel to clarify
      its purpose
      
      * src/libvirt_private.syms,
        src/qemu/qemu_migration.c, src/qemu/qemu_process.c,
        src/security/security_apparmor.c, src/security/security_dac.c,
        src/security/security_driver.h, src/security/security_manager.c,
        src/security/security_manager.h, src/security/security_selinux.c,
        src/security/security_stack.c: s/FDLabel/ImageFDLabel/
      4438c63e
  14. 25 6月, 2011 1 次提交
    • J
      Move load of AppArmor profile to GenLabel() · 0b501bd4
      Jamie Strandboge 提交于
      Commit 12317957 introduced an incompatible
      architectural change for the AppArmor security driver. Specifically,
      virSecurityManagerSetAllLabel() is now called much later in
      src/qemu/qemu_process.c:qemuProcessStart(). Previously, SetAllLabel() was
      called immediately after GenLabel() such that after the dynamic label (profile
      name) was generated, SetAllLabel() would be called to create and load the
      AppArmor profile into the kernel before qemuProcessHook() was executed. With
      12317957, qemuProcessHook() is now called
      before SetAllLabel(), such that aa_change_profile() ends up being called
      before the AppArmor profile is loaded into the kernel (via ProcessLabel() in
      qemuProcessHook()).
      
      This patch addresses the change by making GenLabel() load the AppArmor
      profile into the kernel after the label (profile name) is generated.
      SetAllLabel() is then adjusted to only reload_profile() and append stdin_fn to
      the profile when it is specified. This also makes the AppArmor driver work
      like its SELinux counterpart with regard to SetAllLabel() and stdin_fn.
      Bug-Ubuntu: https://launchpad.net/bugs/801569
      0b501bd4
  15. 20 6月, 2011 1 次提交
    • J
      apparmor: implement AppArmorSetFDLabel() · b9757fea
      Jamie Strandboge 提交于
      During a savevm operation, libvirt will now use fd migration if qemu
      supports it. When the AppArmor driver is enabled, AppArmorSetFDLabel()
      is used but since this function simply returns '0', the dynamic AppArmor
      profile is not updated and AppArmor blocks access to the save file. This
      patch implements AppArmorSetFDLabel() to get the pathname of the file by
      resolving the fd symlink in /proc, and then gives that pathname to
      reload_profile(), which fixes 'virsh save' when AppArmor is enabled.
      
      Reference: https://launchpad.net/bugs/795800
      b9757fea
  16. 08 6月, 2011 1 次提交
  17. 04 6月, 2011 1 次提交
    • L
      security driver: ignore EINVAL when chowning an image file · 62ed801c
      Laine Stump 提交于
      This fixes:
      
        https://bugzilla.redhat.com/show_bug.cgi?id=702044
        https://bugzilla.redhat.com/show_bug.cgi?id=709454
      
      Both of these complain of a failure to use an image file that resides
      on a read-only NFS volume. The function in the DAC security driver
      that chowns image files to the qemu user:group before using them
      already has special cases to ignore failure of chown on read-only file
      systems, and in a few other cases, but it hadn't been checking for
      EINVAL, which is what is returned if the qemu user doesn't even exist
      on the NFS server.
      
      Since the explanation of EINVAL in the chown man page almost exactly
      matches the log message already present for the case of EOPNOTSUPP,
      I've just added EINVAL to that same conditional.
      62ed801c
  18. 02 6月, 2011 1 次提交
    • E
      security: plug regression introduced in disk probe logic · b598ac55
      Eric Blake 提交于
      Regression introduced in commit d6623003 (v0.8.8) - using the
      wrong sizeof operand meant that security manager private data
      was overlaying the allowDiskFormatProbing member of struct
      _virSecurityManager.  This reopens disk probing, which was
      supposed to be prevented by the solution to CVE-2010-2238.
      
      * src/security/security_manager.c
      (virSecurityManagerGetPrivateData): Use correct offset.
      b598ac55
  19. 14 5月, 2011 2 次提交
  20. 13 5月, 2011 1 次提交
  21. 10 5月, 2011 1 次提交
  22. 06 5月, 2011 2 次提交
    • D
      Fix security driver handling of FIFOs with QEMU · d37c6a3a
      Daniel P. Berrange 提交于
      When setting up a FIFO for QEMU, it allows either a pair
      of fifos used unidirectionally, or a single fifo used
      bidirectionally. Look for the bidirectional fifo first
      when labelling since that is more useful
      
      * src/security/security_dac.c,
        src/security/security_selinux.c: Fix fifo handling
      d37c6a3a
    • E
      maint: rename virBufferVSprintf to virBufferAsprintf · 68ea80cf
      Eric Blake 提交于
      We already have virAsprintf, so picking a similar name helps for
      seeing a similar purpose.  Furthermore, the prefix V before printf
      generally implies 'va_list', even though this variant was '...', and
      the old name got in the way of adding a new va_list version.
      
      global rename performed with:
      
      $ git grep -l virBufferVSprintf \
        | xargs -L1 sed -i 's/virBufferVSprintf/virBufferAsprintf/g'
      
      then revert the changes in ChangeLog-old.
      68ea80cf
  23. 17 4月, 2011 1 次提交
  24. 16 4月, 2011 1 次提交
    • E
      maint: use lighter-weight function for straight appends · dbe3bad9
      Eric Blake 提交于
      It costs quite a few processor cycles to go through printf parsing
      just to determine that we only meant to append.
      
      * src/xen/xend_internal.c (xend_op_ext): Consolidate multiple
      printfs into one.
      * src/qemu/qemu_command.c (qemuBuildWatchdogDevStr)
      (qemuBuildUSBInputDevStr, qemuBuildSoundDevStr)
      (qemuBuildSoundCodecStr, qemuBuildVideoDevStr): Likewise.
      (qemuBuildCpuArgStr, qemuBuildCommandLine): Prefer virBufferAdd
      over virBufferVsprintf for trivial appends.
      * src/phyp/phyp_driver.c (phypExec, phypUUIDTable_Push)
      (phypUUIDTable_Pull): Likewise.
      * src/conf/nwfilter_conf.c (macProtocolIDFormatter)
      (arpOpcodeFormatter, formatIPProtocolID, printStringItems)
      (virNWFilterPrintStateMatchFlags, virNWIPAddressFormat)
      (virNWFilterDefFormat): Likewise.
      * src/security/virt-aa-helper.c (main): Likewise.
      * src/util/sexpr.c (sexpr2string): Likewise.
      * src/xenxs/xen_sxpr.c (xenFormatSxprChr): Likewise.
      * src/xenxs/xen_xm.c (xenFormatXMDisk): Likewise.
      dbe3bad9
  25. 05 4月, 2011 2 次提交
    • M
      97176c63
    • E
      build: detect potentential uninitialized variables · 0d166c6b
      Eric Blake 提交于
      Even with -Wuninitialized (which is part of autobuild.sh
      --enable-compile-warnings=error), gcc does NOT catch this
      use of an uninitialized variable:
      
      {
        if (cond)
          goto error;
        int a = 1;
      error:
        printf("%d", a);
      }
      
      which prints 0 (supposing the stack started life wiped) if
      cond was true.  Clang will catch it, but we don't use clang
      as often.  Using gcc -Wjump-misses-init catches it, but also
      gives false positives:
      
      {
        if (cond)
          goto error;
        int a = 1;
        return a;
      error:
        return 0;
      }
      
      Here, a was never used in the scope of the error block, so
      declaring it after goto is technically fine (and clang agrees).
      However, given that our HACKING already documents a preference
      to C89 decl-before-statement, the false positive warning is
      enough of a prod to comply with HACKING.
      
      [Personally, I'd _really_ rather use C99 decl-after-statement
      to minimize scope, but until gcc can efficiently and reliably
      catch scoping and uninitialized usage bugs, I'll settle with
      the compromise of enforcing a coding standard that happens to
      reject false positives if it can also detect real bugs.]
      
      * acinclude.m4 (LIBVIRT_COMPILE_WARNINGS): Add -Wjump-misses-init.
      * src/util/util.c (__virExec): Adjust offenders.
      * src/conf/domain_conf.c (virDomainTimerDefParseXML): Likewise.
      * src/remote/remote_driver.c (doRemoteOpen): Likewise.
      * src/phyp/phyp_driver.c (phypGetLparNAME, phypGetLparProfile)
      (phypGetVIOSFreeSCSIAdapter, phypVolumeGetKey)
      (phypGetStoragePoolDevice)
      (phypVolumeGetPhysicalVolumeByStoragePool)
      (phypVolumeGetPath): Likewise.
      * src/vbox/vbox_tmpl.c (vboxNetworkUndefineDestroy)
      (vboxNetworkCreate, vboxNetworkDumpXML)
      (vboxNetworkDefineCreateXML): Likewise.
      * src/xenapi/xenapi_driver.c (getCapsObject)
      (xenapiDomainDumpXML): Likewise.
      * src/xenapi/xenapi_utils.c (createVMRecordFromXml): Likewise.
      * src/security/security_selinux.c (SELinuxGenNewContext):
      Likewise.
      * src/qemu/qemu_command.c (qemuBuildCommandLine): Likewise.
      * src/qemu/qemu_hotplug.c (qemuDomainChangeEjectableMedia):
      Likewise.
      * src/qemu/qemu_process.c (qemuProcessWaitForMonitor): Likewise.
      * src/qemu/qemu_monitor_text.c (qemuMonitorTextGetPtyPaths):
      Likewise.
      * src/qemu/qemu_driver.c (qemudDomainShutdown)
      (qemudDomainBlockStats, qemudDomainMemoryPeek): Likewise.
      * src/storage/storage_backend_iscsi.c
      (virStorageBackendCreateIfaceIQN): Likewise.
      * src/node_device/node_device_udev.c (udevProcessPCI): Likewise.
      0d166c6b
  26. 25 3月, 2011 1 次提交
    • E
      command: properly diagnose process exit via signal · 208a044a
      Eric Blake 提交于
      Child processes don't always reach _exit(); if they die from a
      signal, then any messages should still be accurate.  Most users
      either expect a 0 status (thankfully, if status==0, then
      WIFEXITED(status) is true and WEXITSTATUS(status)==0 for all
      known platforms) or were filtering on WIFEXITED before printing
      a status, but a few were missing this check.  Additionally,
      nwfilter_ebiptables_driver was making an assumption that works
      on Linux (where WEXITSTATUS shifts and WTERMSIG just masks)
      but fails on other platforms (where WEXITSTATUS just masks and
      WTERMSIG shifts).
      
      * src/util/command.h (virCommandTranslateStatus): New helper.
      * src/libvirt_private.syms (command.h): Export it.
      * src/util/command.c (virCommandTranslateStatus): New function.
      (virCommandWait): Use it to also diagnose status from signals.
      * src/security/security_apparmor.c (load_profile): Likewise.
      * src/storage/storage_backend.c
      (virStorageBackendQEMUImgBackingFormat): Likewise.
      * src/util/util.c (virExecDaemonize, virRunWithHook)
      (virFileOperation, virDirCreate): Likewise.
      * daemon/remote.c (remoteDispatchAuthPolkit): Likewise.
      * src/nwfilter/nwfilter_ebiptables_driver.c (ebiptablesExecCLI):
      Likewise.
      208a044a
  27. 09 3月, 2011 1 次提交
    • E
      build: avoid compiler warning on cygwin · 3dfd4ea3
      Eric Blake 提交于
      On cygwin:
      
        CC       libvirt_driver_security_la-security_dac.lo
      security/security_dac.c: In function 'virSecurityDACSetProcessLabel':
      security/security_dac.c:618: warning: format '%d' expects type 'int', but argument 7 has type 'uid_t' [-Wformat]
      
      We've done this before (see src/util/util.c).
      
      * src/security/security_dac.c (virSecurityDACSetProcessLabel): On
      cygwin, uid_t is a 32-bit long.
      3dfd4ea3
  28. 03 3月, 2011 1 次提交
  29. 24 2月, 2011 1 次提交
  30. 23 2月, 2011 1 次提交
    • E
      security: avoid memory leak · 009fce98
      Eric Blake 提交于
      Leak introduced in commit d6623003.
      
      * src/qemu/qemu_driver.c (qemuSecurityInit): Avoid leak on failure.
      * src/security/security_stack.c (virSecurityStackClose): Avoid
      leaking component drivers.
      009fce98
  31. 21 2月, 2011 1 次提交
    • E
      maint: kill all remaining uses of old DEBUG macro · 994e7567
      Eric Blake 提交于
      Done mechanically with:
      $ git grep -l '\bDEBUG0\? *(' | xargs -L1 sed -i 's/\bDEBUG0\? *(/VIR_&/'
      
      followed by manual deletion of qemudDebug in daemon/libvirtd.c, along
      with a single 'make syntax-check' fallout in the same file, and the
      actual deletion in src/util/logging.h.
      
      * src/util/logging.h (DEBUG, DEBUG0): Delete.
      * daemon/libvirtd.h (qemudDebug): Likewise.
      * global: Change remaining clients over to VIR_DEBUG counterpart.
      994e7567