1. 09 7月, 2014 2 次提交
  2. 08 7月, 2014 1 次提交
  3. 26 6月, 2014 1 次提交
  4. 20 6月, 2014 3 次提交
  5. 12 6月, 2014 1 次提交
    • P
      security: Don't skip labelling for network disks · cc6484d4
      Peter Krempa 提交于
      A network disk might actually be backed by local storage. Also the path
      iterator actually handles networked disks well now so remove the code
      that skips the labelling in dac and selinux security driver.
      cc6484d4
  6. 03 6月, 2014 2 次提交
    • J
      conf: more enum cleanups in "src/conf/domain_conf.h" · 5a2bd4c9
      Julio Faracco 提交于
      In "src/conf/domain_conf.h" there are many enum declarations. The
      cleanup in this header filer was started, but it wasn't enough and
      there are many other files that has enum variables declared. So, the
      commit was starting to be big. This commit finish the cleanup in this
      header file and in other files that has enum variables, parameters,
      or functions declared.
      Signed-off-by: NJulio Faracco <jcfaracco@gmail.com>
      Signed-off-by: NEric Blake <eblake@redhat.com>
      5a2bd4c9
    • J
      conf: enum cleanups in "src/conf/domain_conf.h" · d4dad162
      Julio Faracco 提交于
      In "src/conf/domain_conf.h" there are many enumerations (enum)
      declarations to be converted as a typedef too. As mentioned before,
      it's better to use a typedef for variable types, function types and
      other usages. I think this file has most of those enum declarations
      at "src/conf/". So, me and Eric Blake plan to keep the cleanups all
      over the source code. This time, most of the files changed in this
      commit are related to part of one file: "src/conf/domain_conf.h".
      Signed-off-by: NJulio Faracco <jcfaracco@gmail.com>
      d4dad162
  7. 19 5月, 2014 2 次提交
  8. 17 5月, 2014 7 次提交
  9. 15 5月, 2014 3 次提交
  10. 02 4月, 2014 2 次提交
    • E
      util: move detection of shared filesystems · 5160ab79
      Eric Blake 提交于
      The code in virstoragefile.c is getting more complex as I
      consolidate backing chain handling code.  But for the setuid
      virt-login-shell, we don't need to crawl backing chains.  It's
      easier to audit things for setuid security if there are fewer
      files involved, so this patch moves the one function that
      virFileOpen() was actually relying on to also live in virfile.c.
      
      * src/util/virstoragefile.c (virStorageFileIsSharedFS)
      (virStorageFileIsSharedFSType): Move...
      * src/util/virfile.c (virFileIsSharedFS, virFileIsSharedFSType):
      ...to here, and rename.
      (virFileOpenAs): Update caller.
      * src/security/security_selinux.c
      (virSecuritySELinuxSetFileconHelper)
      (virSecuritySELinuxSetSecurityAllLabel)
      (virSecuritySELinuxRestoreSecurityImageLabelInt): Likewise.
      * src/security/security_dac.c
      (virSecurityDACRestoreSecurityImageLabelInt): Likewise.
      * src/qemu/qemu_driver.c (qemuOpenFileAs): Likewise.
      * src/qemu/qemu_migration.c (qemuMigrationIsSafe): Likewise.
      * src/util/virstoragefile.h: Adjust declarations.
      * src/util/virfile.h: Likewise.
      * src/libvirt_private.syms (virfile.h, virstoragefile.h): Move
      symbols as appropriate.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      5160ab79
    • E
      conf: move host disk type to util/ · 16ac4c9d
      Eric Blake 提交于
      A continuation of the migration of disk details to virstoragefile.
      This patch moves a single enum, but converting the name has quite
      a bit of fallout.
      
      * src/conf/domain_conf.h (virDomainDiskType): Move...
      * src/util/virstoragefile.h (virStorageType): ...and rename.
      * src/bhyve/bhyve_command.c (bhyveBuildDiskArgStr)
      (virBhyveProcessBuildLoadCmd): Update clients.
      * src/conf/domain_conf.c (virDomainDiskSourceDefParse)
      (virDomainDiskDefParseXML, virDomainDiskSourceDefFormatInternal)
      (virDomainDiskDefFormat, virDomainDiskGetActualType)
      (virDomainDiskDefForeachPath, virDomainDiskSourceIsBlockType):
      Likewise.
      * src/conf/snapshot_conf.h (_virDomainSnapshotDiskDef): Likewise.
      * src/conf/snapshot_conf.c (virDomainSnapshotDiskDefParseXML)
      (virDomainSnapshotAlignDisks, virDomainSnapshotDiskDefFormat):
      Likewise.
      * src/esx/esx_driver.c (esxAutodetectSCSIControllerModel)
      (esxDomainDefineXML): Likewise.
      * src/locking/domain_lock.c (virDomainLockManagerAddDisk):
      Likewise.
      * src/lxc/lxc_controller.c
      (virLXCControllerSetupLoopDeviceDisk)
      (virLXCControllerSetupNBDDeviceDisk)
      (virLXCControllerSetupLoopDevices, virLXCControllerSetupDisk):
      Likewise.
      * src/parallels/parallels_driver.c (parallelsGetHddInfo):
      Likewise.
      * src/phyp/phyp_driver.c (phypDiskType): Likewise.
      * src/qemu/qemu_command.c (qemuGetDriveSourceString)
      (qemuDomainDiskGetSourceString, qemuBuildDriveStr)
      (qemuBuildCommandLine, qemuParseCommandLineDisk)
      (qemuParseCommandLine): Likewise.
      * src/qemu/qemu_conf.c (qemuCheckSharedDevice)
      (qemuTranslateDiskSourcePool)
      (qemuTranslateSnapshotDiskSourcePool): Likewise.
      * src/qemu/qemu_domain.c (qemuDomainDeviceDefPostParse)
      (qemuDomainDetermineDiskChain): Likewise.
      * src/qemu/qemu_driver.c (qemuDomainGetBlockInfo)
      (qemuDomainSnapshotPrepareDiskExternalBackingInactive)
      (qemuDomainSnapshotPrepareDiskExternalBackingActive)
      (qemuDomainSnapshotPrepareDiskExternalOverlayActive)
      (qemuDomainSnapshotPrepareDiskExternalOverlayInactive)
      (qemuDomainSnapshotPrepareDiskInternal)
      (qemuDomainSnapshotPrepare)
      (qemuDomainSnapshotCreateSingleDiskActive): Likewise.
      * src/qemu/qemu_hotplug.c (qemuDomainChangeEjectableMedia):
      Likewise.
      * src/qemu/qemu_migration.c (qemuMigrationIsSafe): Likewise.
      * src/security/security_apparmor.c
      (AppArmorRestoreSecurityImageLabel)
      (AppArmorSetSecurityImageLabel): Likewise.
      * src/security/security_dac.c (virSecurityDACSetSecurityImageLabel)
      (virSecurityDACRestoreSecurityImageLabelInt)
      (virSecurityDACSetSecurityAllLabel): Likewise.
      * src/security/security_selinux.c
      (virSecuritySELinuxRestoreSecurityImageLabelInt)
      (virSecuritySELinuxSetSecurityImageLabel)
      (virSecuritySELinuxSetSecurityAllLabel): Likewise.
      * src/storage/storage_backend.c (virStorageFileBackendForType):
      Likewise.
      * src/storage/storage_backend_fs.c (virStorageFileBackendFile)
      (virStorageFileBackendBlock): Likewise.
      * src/storage/storage_backend_gluster.c
      (virStorageFileBackendGluster): Likewise.
      * src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc, vboxAttachDrives)
      (vboxDomainAttachDeviceImpl, vboxDomainDetachDevice): Likewise.
      * src/vmware/vmware_conf.c (vmwareVmxPath): Likewise.
      * src/vmx/vmx.c (virVMXParseDisk, virVMXFormatDisk)
      (virVMXFormatFloppy): Likewise.
      * src/xenxs/xen_sxpr.c (xenParseSxprDisks, xenParseSxpr)
      (xenFormatSxprDisk): Likewise.
      * src/xenxs/xen_xm.c (xenParseXM, xenFormatXMDisk): Likewise.
      * tests/securityselinuxlabeltest.c (testSELinuxLoadDef):
      Likewise.
      * src/libvirt_private.syms (domain_conf.h): Move symbols...
      (virstoragefile.h): ...as appropriate.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      16ac4c9d
  11. 25 3月, 2014 2 次提交
  12. 18 3月, 2014 1 次提交
  13. 11 3月, 2014 1 次提交
  14. 30 1月, 2014 1 次提交
    • O
      util: Add one argument for several scsi utils · 10c9ceff
      Osier Yang 提交于
      To support passing the path of the test data to the utils, one
      more argument is added to virSCSIDeviceGetSgName,
      virSCSIDeviceGetDevName, and virSCSIDeviceNew, and the related
      code is changed accordingly.
      
      Later tests for the scsi utils will be based on this patch.
      Signed-off-by: NOsier Yang <jyang@redhat.com>
      10c9ceff
  15. 23 1月, 2014 1 次提交
    • O
      util: Add "shareable" field for virSCSIDevice struct · 2b66504d
      Osier Yang 提交于
      Unlike the host devices of other types, SCSI host device XML supports
      "shareable" tag. This patch introduces it for the virSCSIDevice struct
      for a later patch use (to detect if the SCSI device is shareable when
      preparing the SCSI host device in QEMU driver).
      2b66504d
  16. 30 10月, 2013 1 次提交
  17. 29 10月, 2013 2 次提交
  18. 29 8月, 2013 1 次提交
    • E
      security: provide supplemental groups even when parsing label (CVE-2013-4291) · 745aa55f
      Eric Blake 提交于
      Commit 29fe5d74 (released in 1.1.1) introduced a latent problem
      for any caller of virSecurityManagerSetProcessLabel and where
      the domain already had a uid:gid label to be parsed.  Such a
      setup would collect the list of supplementary groups during
      virSecurityManagerPreFork, but then ignores that information,
      and thus fails to call setgroups() to adjust the supplementary
      groups of the process.
      
      Upstream does not use virSecurityManagerSetProcessLabel for
      qemu (it uses virSecurityManagerSetChildProcessLabel instead),
      so this problem remained latent until backporting the initial
      commit into v0.10.2-maint (commit c061ff5e, released in 0.10.2.7),
      where virSecurityManagerSetChildProcessLabel has not been
      backported.  As a result of using a different code path in the
      backport, attempts to start a qemu domain that runs as qemu:qemu
      will end up with supplementary groups unchanged from the libvirtd
      parent process, rather than the desired supplementary groups of
      the qemu user.  This can lead to failure to start a domain
      (typical Fedora setup assigns user 107 'qemu' to both group 107
      'qemu' and group 36 'kvm', so a disk image that is only readable
      under kvm group rights is locked out).  Worse, it is a security
      hole (the qemu process will inherit supplemental group rights
      from the parent libvirtd process, which means it has access
      rights to files owned by group 0 even when such files should
      not normally be visible to user qemu).
      
      LXC does not use the DAC security driver, so it is not vulnerable
      at this time.  Still, it is better to plug the latent hole on
      the master branch first, before cherry-picking it to the only
      vulnerable branch v0.10.2-maint.
      
      * src/security/security_dac.c (virSecurityDACGetIds): Always populate
      groups and ngroups, rather than only when no label is parsed.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      745aa55f
  19. 24 7月, 2013 1 次提交
    • M
      Expose ownership ID parsing · bba579b6
      Martin Kletzander 提交于
      Parsing 'user:group' is useful even outside the DAC security driver,
      so expose the most abstract function which has no DAC security driver
      bits in itself.
      bba579b6
  20. 19 7月, 2013 1 次提交
    • E
      security_dac: compute supplemental groups before fork · 29fe5d74
      Eric Blake 提交于
      Commit 75c12564 states that virGetGroupList must not be called
      between fork and exec, then commit ee777e99 promptly violated
      that for lxc's use of virSecurityManagerSetProcessLabel.  Hoist
      the supplemental group detection to the time that the security
      manager needs to fork.  Qemu is safe, as it uses
      virSecurityManagerSetChildProcessLabel which in turn uses
      virCommand to determine supplemental groups.
      
      This does not fix the fact that virSecurityManagerSetProcessLabel
      calls virSecurityDACParseIds calls parseIds which eventually
      calls getpwnam_r, which also violates fork/exec async-signal-safe
      safety rules, but so far no one has complained of hitting
      deadlock in that case.
      
      * src/security/security_dac.c (_virSecurityDACData): Track groups
      in private data.
      (virSecurityDACPreFork): New function, to set them.
      (virSecurityDACClose): Clean up new fields.
      (virSecurityDACGetIds): Alter signature.
      (virSecurityDACSetSecurityHostdevLabelHelper)
      (virSecurityDACSetChardevLabel, virSecurityDACSetProcessLabel)
      (virSecurityDACSetChildProcessLabel): Update callers.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      29fe5d74
  21. 12 7月, 2013 1 次提交
    • E
      util: make virSetUIDGID async-signal-safe · ee777e99
      Eric Blake 提交于
      https://bugzilla.redhat.com/show_bug.cgi?id=964358
      
      POSIX states that multi-threaded apps should not use functions
      that are not async-signal-safe between fork and exec, yet we
      were using getpwuid_r and initgroups.  Although rare, it is
      possible to hit deadlock in the child, when it tries to grab
      a mutex that was already held by another thread in the parent.
      I actually hit this deadlock when testing multiple domains
      being started in parallel with a command hook, with the following
      backtrace in the child:
      
       Thread 1 (Thread 0x7fd56bbf2700 (LWP 3212)):
       #0  __lll_lock_wait ()
           at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:136
       #1  0x00007fd5761e7388 in _L_lock_854 () from /lib64/libpthread.so.0
       #2  0x00007fd5761e7257 in __pthread_mutex_lock (mutex=0x7fd56be00360)
           at pthread_mutex_lock.c:61
       #3  0x00007fd56bbf9fc5 in _nss_files_getpwuid_r (uid=0, result=0x7fd56bbf0c70,
           buffer=0x7fd55c2a65f0 "", buflen=1024, errnop=0x7fd56bbf25b8)
           at nss_files/files-pwd.c:40
       #4  0x00007fd575aeff1d in __getpwuid_r (uid=0, resbuf=0x7fd56bbf0c70,
           buffer=0x7fd55c2a65f0 "", buflen=1024, result=0x7fd56bbf0cb0)
           at ../nss/getXXbyYY_r.c:253
       #5  0x00007fd578aebafc in virSetUIDGID (uid=0, gid=0) at util/virutil.c:1031
       #6  0x00007fd578aebf43 in virSetUIDGIDWithCaps (uid=0, gid=0, capBits=0,
           clearExistingCaps=true) at util/virutil.c:1388
       #7  0x00007fd578a9a20b in virExec (cmd=0x7fd55c231f10) at util/vircommand.c:654
       #8  0x00007fd578a9dfa2 in virCommandRunAsync (cmd=0x7fd55c231f10, pid=0x0)
           at util/vircommand.c:2247
       #9  0x00007fd578a9d74e in virCommandRun (cmd=0x7fd55c231f10, exitstatus=0x0)
           at util/vircommand.c:2100
       #10 0x00007fd56326fde5 in qemuProcessStart (conn=0x7fd53c000df0,
           driver=0x7fd55c0dc4f0, vm=0x7fd54800b100, migrateFrom=0x0, stdin_fd=-1,
           stdin_path=0x0, snapshot=0x0, vmop=VIR_NETDEV_VPORT_PROFILE_OP_CREATE,
           flags=1) at qemu/qemu_process.c:3694
       ...
      
      The solution is to split the work of getpwuid_r/initgroups into the
      unsafe portions (getgrouplist, called pre-fork) and safe portions
      (setgroups, called post-fork).
      
      * src/util/virutil.h (virSetUIDGID, virSetUIDGIDWithCaps): Adjust
      signature.
      * src/util/virutil.c (virSetUIDGID): Add parameters.
      (virSetUIDGIDWithCaps): Adjust clients.
      * src/util/vircommand.c (virExec): Likewise.
      * src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
      (virDirCreate): Likewise.
      * src/security/security_dac.c (virSecurityDACSetProcessLabel):
      Likewise.
      * src/lxc/lxc_container.c (lxcContainerSetID): Likewise.
      * configure.ac (AC_CHECK_FUNCS_ONCE): Check for setgroups, not
      initgroups.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      ee777e99
  22. 11 7月, 2013 1 次提交
  23. 10 7月, 2013 1 次提交
  24. 26 6月, 2013 1 次提交