- 27 Aug, 2015 6 commits
-
-
Committed by Michal Privoznik
So, after some movement in virt-aa-helper, I've noticed the virt-aa-helper-test failing. I've run gdb (it took me a while to realize how to do that) and this showed up immediately:

  Program received signal SIGSEGV, Segmentation fault.
  strlen () at ../sysdeps/x86_64/strlen.S:106
  106 ../sysdeps/x86_64/strlen.S: No such file or directory.
  (gdb) bt
  #0 strlen () at ../sysdeps/x86_64/strlen.S:106
  #1 0x0000555555561a13 in array_starts_with (str=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", arr=0x7fffffffd160, size=-1540438016) at security/virt-aa-helper.c:525
  #2 0x0000555555561d49 in valid_path (path=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", readonly=false) at security/virt-aa-helper.c:617
  #3 0x0000555555562506 in vah_add_path (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw", recursive=false) at security/virt-aa-helper.c:823
  #4 0x0000555555562693 in vah_add_file (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw") at security/virt-aa-helper.c:854
  #5 0x0000555555562918 in add_file_path (disk=0x5555557d4440, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", depth=0, opaque=0x7fffffffd3e0) at security/virt-aa-helper.c:931
  #6 0x00007ffff78f18b1 in virDomainDiskDefForeachPath (disk=0x5555557d4440, ignoreOpenFailure=true, iter=0x5555555628a6 <add_file_path>, opaque=0x7fffffffd3e0) at conf/domain_conf.c:23286
  #7 0x0000555555562b5f in get_files (ctl=0x7fffffffd670) at security/virt-aa-helper.c:982
  #8 0x0000555555564100 in vahParseArgv (ctl=0x7fffffffd670, argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1277
  #9 0x00005555555643d6 in main (argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1332

So I've taken a look at valid_path() because it is obviously calling array_starts_with() with malformed @size. And here's the result: there are two variables to hold the size of three arrays and their value is recalculated before each call of array_starts_with(). What if we just use three variables, initialize them and do not touch them afterwards?

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-
Committed by John Ferlan
Commit id 'c27553b6' added a return -1 in a failure path without the necessary VIR_FREE(stack)
-
Committed by Luyao Huang
https://bugzilla.redhat.com/show_bug.cgi?id=1226234#c3 If the qemu monitor fails to remove the memory from the guest for any reason, the auditlog message will incorrectly use the current actual memory (via virDomainDefGetMemoryActual) instead of the value we were attempting to reduce to. The result is the 'new-mem' and 'old-mem' values for the auditlog message would be identical. This patch creates a local 'newmem' which accounts for the current memory size minus the memory which is being removed. NB, for the success case this results in the same value that would be returned by virDomainDefGetMemoryActual without the need to do the math. This follows the existing code which would subtract the size for cur_balloon. Signed-off-by: Luyao Huang <lhuang@redhat.com>
-
Committed by Luyao Huang
https://bugzilla.redhat.com/show_bug.cgi?id=1226234#c3 Prior to this patch, after successfully hot plugging memory the audit log indicated that the update failed, e.g.: type=VIRT_RESOURCE ... old-mem=1024000 new-mem=1548288 \ exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=pts/2 res=failed This patch will adjust where virDomainAuditMemory is called to ensure the proper 'ret' value is used based on success or failure. Additionally, the audit message should include the size of the memory we were attempting to change to rather than the current actual size. On failure to add, the message showed the same value for old-mem and new-mem. In order to do this, introduce a 'newmem' local which will compute the new size based on the oldmem size plus the size of memory we are about to add. NB: This would be the same as calling the virDomainDefGetMemoryActual again on success, but avoids the overhead of recalculating. Plus cur_balloon is already adjusted by the same value, so this follows that. Signed-off-by: Luyao Huang <lhuang@redhat.com>
-
Committed by Moshe Levi
This patch removes the logging of errors of the ioctl API and instead lets the caller choose what errors to log
-
Committed by Laine Stump
The ACS checks are meaningless when using the more modern VFIO driver for device assignment since VFIO has its own more complete and exact checks, but I didn't realize that when I added support for VFIO. This patch eliminates the ACS check when preparing PCI devices for assignment if VFIO is being used. This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1256486
-
- 26 Aug, 2015 7 commits
-
-
Committed by Daniel P. Berrange
Older versions of glibc don't provide the setns() syscall function wrapper, so we must define it ourselves to prevent build failure on old distros. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Martin Kletzander
When images are on mounted filesystems, there is no guarantee libvirtd will start before they are mounted. Since we want to start after both local and remote filesystems are mounted, we need to add both local-fs and remote-fs as targets that should precede starting libvirtd service. Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-
Committed by Peter Kieser
This is a cryptographically signed message in MIME format. Some UEFI firmwares may want to use a non-volatile memory to store some variables. If AppArmor is enabled, and NVRAM store file is set, currently virt-aa-helper does not add the NVRAM store file to the template. Add this file for read/write when this functionality is defined in domain XML. Signed-off-by: Peter Kieser <peter@kieser.ca>
-
Committed by Sergey Bronnikov
-
Committed by ik.nitk
This patch adds feature for lxc containers to inherit namespaces. This is very similar to what lxc-tools or docker provides. Look for "man lxc-start" and you will find that you can pass command args as [ --share-[net|ipc|uts] name|pid ]. Or check out docker networking option in which you can give --net=container:NAME_or_ID as an option for sharing namespace. From this patch you can add extra libvirt option to share namespace in following way.

  <lxc:namespace>
    <lxc:sharenet type='netns' value='red'/>
    <lxc:shareipc type='pid' value='12345'/>
    <lxc:shareuts type='name' value='container1'/>
  </lxc:namespace>

The netns option is specific to sharenet. It can be used to inherit from existing network namespace. Co-authored: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Martin Kletzander
Commit f1f68ca3 overused mdir_name() even though it was not needed in the latest version, hence labelling directory one level up in the tree and not the one it should. If anyone with SELinux managed to try to run a domain with guest agent set up, it's highly possible that they will need to run 'restorecon -F /var/lib/libvirt/qemu/channel/target' to fix what was done. Reported-by: Luyao Huang <lhuang@redhat.com> Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-
Committed by Luyao Huang
https://bugzilla.redhat.com/show_bug.cgi?id=1253107 Make a call to virCgroupGetBlkioWeight to re-read blkio.weight right after it is set in order to keep internal data up-to-date. Signed-off-by: Luyao Huang <lhuang@redhat.com>
-
- 25 Aug, 2015 2 commits
-
-
Committed by Sergey Bronnikov
-
Committed by Sergey Bronnikov
Parallels driver was renamed to Virtuozzo. Replace old name by new one for libvirt docs and schemas.
-
- 24 Aug, 2015 18 commits
-
-
Committed by Vasiliy Tolstov
Commit aa2cc7 modified a previously unnecessary but innocuous check for interface IP address during interface update incorrectly, causing all attempted updates (e.g. changing link state) to interfaces of type='ethernet' for QEMU to fail. This patch fixes the issue by completely removing the check for IP address, which is pointless since QEMU doesn't support setting interface IP addresses from the domain interface XML anyway. Signed-off-by: Vasiliy Tolstov <v.tolstov@selfip.ru> Signed-off-by: Laine Stump <laine@laine.org>
-
Committed by Tomas Meszaros
Signed-off-by: Tomas Meszaros <exo@tty.sk>
-
Committed by Luyao Huang
We will try to set the node to cpuset.mems without checking if it is available, since we already have helper to check this. Call virNumaNodesetIsAvailable to check if node is available, then try to change it in the cgroup. Signed-off-by: Luyao Huang <lhuang@redhat.com>
-
Committed by Guido Günther
Remove unused variable, tag unused parameter and adjust return type. introduced by 3f48345f CC security/libvirt_security_manager_la-security_selinux.lo security/security_selinux.c: In function 'virSecuritySELinuxDomainSetDirLabel': security/security_selinux.c:2520:5: error: return makes pointer from integer without a cast [-Werror] security/security_selinux.c:2514:9: error: unused variable 'ret' [-Werror=unused-variable] security/security_selinux.c:2509:59: error: unused parameter 'mgr' [-Werror=unused-parameter]
-
Committed by Guido Günther
While a zero allocation in safezero should be fine it isn't when we use posix_fallocate which returns EINVAL on a zero allocation. While we could skip the zero allocation in safezero_posix_fallocate it's an optimization to do it for all allocations. This fixes vm installation via virtinst for me which otherwise aborts like: Starting install... Retrieving file linux... | 5.9 MB 00:01 ... Retrieving file initrd.gz... | 29 MB 00:07 ... ERROR Couldn't create storage volume 'virtinst-linux.sBgds4': 'cannot fill file '/var/lib/libvirt/boot/virtinst-linux.sBgds4': Invalid argument' The error was introduced by e30297b0 as spotted by Chunyan Liu
-
Committed by intrigeri
We forbid access to /usr/share/, but (at least on Debian-based systems) the Open Virtual Machine Firmware files needed for booting UEFI virtual machines in QEMU live in /usr/share/ovmf/. Therefore, we need to add that directory to the list of read only paths. A similar patch was suggested by Jamie Strandboge <jamie@canonical.com> on https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1483071.
-
Committed by Guido Günther
First check overrides, then read only files then restricted access itself. This allows us to mark files for read only access whose parents were already restricted for read write. Based on a proposal by Martin Kletzander
-
Committed by Guido Günther
-
Committed by Martin Kletzander
The output of that function was not tested until now. In order to keep the paths in /tmp, the test driver config is "fixed" as well. Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-
Committed by Martin Kletzander
We are automatically generating some socket paths for domains, but all those paths end up in a directory that's the same for multiple domains. The problem is that multiple domains can each run with different seclabels (users, selinux contexts, etc.). The idea here is to create a per-domain directory labelled in a way that each domain can access its own unix sockets. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1146886 Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-
Committed by Martin Kletzander
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-
Committed by Martin Kletzander
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-
Committed by Martin Kletzander
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-
Committed by Martin Kletzander
That function can be used for setting security labels on arbitrary directories. Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-
Committed by Martin Kletzander
SELinux security driver already does that, but DAC driver somehow missed the memo. Let's fix it so it works the same way. Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-
Committed by Martin Kletzander
In virSecuritySELinuxSetSecurityChardevLabel() we are labelling unix socket path, but accessing another structure of the union. This does not pose a problem currently as both paths are at the same offset, but this should be fixed for the future. Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-
Committed by Erik Skultety
Now that we have virNetDaemon object holding all the data and being capable of referencing multiple servers, having a duplicate reference to a single server stored in virLockDaemon isn't necessary anymore. This patch removes the above described element.
-
Committed by Erik Skultety
JSON data that are used to initialize tests in virnetdaemontest should be in a consistent format, i.e. not using tabs for indentation, those should be replaced by spaces.
-
- 22 Aug, 2015 4 commits
-
-
Committed by Andrea Bolognani
-
Committed by Andrea Bolognani
While the check is appropriate for eg. the x86 and generic drivers, there are some valid ppc64 guest configurations where the CPU model is supposed to be NULL. Moving this check from the generic code to the drivers makes it possible to accommodate both use cases. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1251927
-
Committed by Andrea Bolognani
Not all combinations of host CPU models and compatibility modes are valid, so we need to make sure we don't try to do something that QEMU will reject. Moreover, we need to apply a different logic to guests using host-model and host-passthrough modes when testing them for host compatibility. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1251927
-
Committed by Andrea Bolognani
If a guest CPU is defined using <cpu mode='host-model'/> the <model> sub-element will contain the compatibility mode to use. That means we can't just copy the host CPU model on cpuUpdate(), otherwise we'll overwrite that information and migration of such guests will fail. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1251927
-
- 21 Aug, 2015 2 commits
-
-
Committed by Martin Kletzander
Commit a2c5d16a switched to generating libvirt_admin.syms, but forgot to add the generated file into .gitignore, hence causing tree pollution post-build. Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-
Committed by John Ferlan
Since iothreadid = 0 is invalid, we need to check for it when attempting to add a disk; otherwise, someone would think/believe their attempt to add an IOThread to the disk would succeed. Luckily other code ignored things when ->iothread == 0...
-
- 20 Aug, 2015 1 commit
-
-
Committed by Guido Günther
We're using the %.html.tmp for all html files now so drop the unused one and rather make sure the needed directory exists. This fixes build failures as described in https://www.redhat.com/archives/libvir-list/2015-August/msg00603.html
-