We haven't had a release with network events yet, so we are free
to fix the RPC so that it actually does what we want.  Doing
client-side filtering of per-network events is inefficient if a
connection is only interested in events on a single network out
of hundreds available on the server.  But to do server-side
per-network filtering, the server needs to know which network
to filter on - so we need to pass an optional network over on
registration.  Furthermore, it is possible to have a client with
both a global and per-network filter; in the existing code, the
server sends only one event and the client replicates to both
callbacks.  But with server-side filtering, the server will send
the event twice, so we need a way for the client to know which
callbackID is sending an event, to ensure that the client can
filter out events from a registration that does not match the
callbackID from the server.  Likewise, the existing style of
deregistering by eventID alone is fine; but in the new style,
we have to remember which callbackID to delete.

This patch fixes the RPC wire definition to contain all the
needed pieces of information, and hooks into the server and
client side improvements of the previous patches, in order to
switch over to full server-side filtering of network events.
Also, since we fixed this in time, all released versions of
libvirtd that support network events also support per-network
filtering, so we can hard-code that assumption into
network_event.c.

Converting domain events to server-side filtering will require
the introduction of new RPC numbers, as well as a server
feature bit that the client can use to tell whether to use
old-style (server only supports global events) or new-style
(server supports filtered events), so that is deferred to a
later set of patches.

* src/conf/network_event.c (virNetworkEventStateRegisterClient):
Assume server-side filtering.
* src/remote/remote_protocol.x
(remote_connect_network_event_register_any_args): Add network
argument.
(remote_connect_network_event_register_any_ret): Return callbackID
instead of count.
(remote_connect_network_event_deregister_any_args): Pass
callbackID instead of eventID.
(remote_connect_network_event_deregister_any_ret): Drop unused
type.
(remote_network_event_lifecycle_msg): Add callbackID.
* daemon/remote.c
(remoteDispatchConnectNetworkEventDeregisterAny): Drop unused arg,
and deal with callbackID from client.
(remoteRelayNetworkEventLifecycle): Pass callbackID.
(remoteDispatchConnectNetworkEventRegisterAny): Likewise, and
recognize non-NULL network.
* src/remote/remote_driver.c
(remoteConnectNetworkEventRegisterAny): Pass network, and track
server side id.
(remoteConnectNetworkEventDeregisterAny): Deregister by callback id.
(remoteNetworkBuildEventLifecycle): Pass remote id to event queue.
* src/remote_protocol-structs: Regenerate.
Signed-off-by: NEric Blake <eblake@redhat.com>

Right now, the daemon side of RPC events is hard-coded to at most
one callback per eventID.  But when there are hundreds of domains
or networks coupled and multiple conections, then sending every
event to every connection that wants an event, even for the
connections that only care about events for a particular object,
is inefficient.  In order to track more than one callback in the
server, we need to store callbacks by more than just their
eventID.  This patch rearranges the daemon side to store network
callbacks in a dynamic array, which can eventually be used for
multiple callbacks of the same eventID, although actual behavior
is unchanged without further patches to the RPC protocol.  For
ease of review, domain events are saved for a later patch, as
they touch more code.

While at it, fix a bug where a malicious client could send a
negative eventID to cause network event registration to access
outside of array bounds (thankfully not a CVE, since domain
events were already doing the bounds check, and since network
events have not been released).

* daemon/libvirtd.h (daemonClientPrivate): Alter the tracking of
network events.
* daemon/remote.c (daemonClientEventCallback): New struct.
(remoteEventCallbackFree): New function.
(remoteClientInitHook, remoteRelayNetworkEventLifecycle)
(remoteClientFreeFunc)
(remoteDispatchConnectNetworkEventRegisterAny): Track network
callbacks differently.
(remoteDispatchConnectNetworkEventDeregisterAny): Enforce bounds.
Signed-off-by: NEric Blake <eblake@redhat.com>

We point to the manpages where available and redirect to libvirt's
homepage as a last resort.

into remoteDispatchObjectEventSend as it will later be used for both
the domain and network events.

- Use SIGUSR1, not SIGHUP, on reload. At present, virtlockd only
  responds to the former.

- Fix PID file for virtlockd.

- Do not start virtlockd in any runlevels by default. It needs to be
  explicitly selected in libvirt's qemu.conf anyway, so there is no
  need to have it running on all systems regardless.

- Fix chkconfig priorities to ensure virtlockd is started before
  libvirtd is started, and stopped after libvirtd is stopped.

- Add "Should-Start: virtlockd" to the libvirtd initscript's LSB header,
  for the same reason.

- Add "Default-Stop" to both libvirtd and virtlockd initscripts. LSB
  does not guarantee that this defaults to the inverse of
  "Default-Start".
Signed-off-by: NMichael Chapman <mike@very.puzzling.org>
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1033061

Currently, initialization of drivers is done in a separate thread. This
is done for several reasons: a driver that is initialized may require
running event loop, it may take ages to initialize driver (e.g. due to
autostarting domains). While the thread is spawn and run, the main()
continues its execution. However, if something goes bad, or the event
loop is just exited (e.g. due to a --timeout or SIGINT) we try to
cleanup all the drivers. So we have two threads running Initialize() and
Cleanup() concurrently. This may result in accessing stale pointers -
e.g. netcf driver will free() itself in stateCleanup callback, while the
init thread may come, open a dummy connection in order to autostart some
domains and voilà: do_open() iterates over interface drivers and
accesses stale netcf driver.

The fix consists in not running stateCleanup if the init thread is still
running.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Unconditional use of getenv is not secure in setuid env.
While not all libvirt code runs in a setuid env (since
much of it only exists inside libvirtd) this is not always
clear to developers. So make all the code paranoid, even
if it only ever runs inside libvirtd.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The libvirt.so library has far too many library deps to allow
linking against it from setuid programs. Those libraries can
do stuff in __attribute__((constructor) functions which is
not setuid safe.

The virt-login-shell needs to link directly against individual
files that it uses, with all library deps turned off except
for libxml2 and libselinux.

Create a libvirt-setuid-rpc-client.la library which is linked
to by virt-login-shell. A config-post.h file allows this library
to disable all external deps except libselinux and libxml2.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

If we fail to get domain, we had to judge whether
it's null or not when doing 'cleanup'.
Signed-off-by: NChen Hanxiao <chenhanxiao@cn.fujitsu.com>

The libvirtd server pushes data out to clients. It does not
know what protocol version the client might have, so must be
conservative and use the old payload limits. ie send no more
than 256kb of data per packet.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

When a client disconnects from libvirtd, all event callbacks
must be removed. This involves running the public API

  virConnectDomainEventDeregisterAny

This code does not run in normal API dispatch context, so no
identity was set. The result was that the access control drivers
denied the attempt to deregister callbacks. The callbacks thus
continued to trigger after the client was free'd causing fairly
predictable use of free memory & a crash.

This can be triggered by any client with readonly access when
the ACL drivers are active.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Caused by commit 012c25e8 splitting out a convenience library.

  CC       libvirtd_conf_la-libvirtd-config.lo
In file included from ../src/rpc/virnetmessage.h:24:0,
                 from ../src/rpc/virnetserverprogram.h:27,
                 from ../src/rpc/virnetserver.h:32,
                 from libvirtd-config.c:31:
../src/rpc/virnetprotocol.h:9:21: fatal error: rpc/rpc.h: No such file
or directory

* daemon/Makefile.am (libvirtd_conf_la_CFLAGS): Add XDR_CFLAGS.
Signed-off-by: NEric Blake <eblake@redhat.com>

Signed-off-by: NGiuseppe Scrivano <gscrivan@redhat.com>
Signed-off-by: NEric Blake <eblake@redhat.com>

A previous patch used existing #define for the various files in /etc/pki
instead of hardcoding them in the help output. However I missed that
remote_driver.h contains #define for more paths that are present
in the daemon help output.
This commit uses the existing constants for the path to the
configuration file and to the libvirt sockets.

The 'stats' variable was not initialized to NULL, so if some
early validation of the RPC call fails, it is possible to jump
to the 'cleanup' label and VIR_FREE an uninitialized pointer.
This is a security flaw, since the API can be called from a
readonly connection which can trigger the validation checks.

This was introduced in release v0.9.1 onwards by

  commit 158ba873
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Wed Apr 13 16:21:35 2011 +0100

    Merge all returns paths from dispatcher into single path
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

With the existing pkcheck (pid, start time) tuple for identifying
the process, there is a race condition, where a process can make
a libvirt RPC call and in another thread exec a setuid application,
causing it to change to effective UID 0. This in turn causes polkit
to do its permission check based on the wrong UID.

To address this, libvirt must get the UID the caller had at time
of connect() (from SO_PEERCRED) and pass a (pid, start time, uid)
triple to the pkcheck program.

This fix requires that libvirt is re-built against a version of
polkit that has the fix for its CVE-2013-4288, so that libvirt
can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1'
Signed-off-by: NColin Walters <walters@redhat.com>
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

There are constants for these paths in remote_driver.h so we can
use these rather than duplicating them in the help output.
Signed-off-by: NChristophe Fergeau <cfergeau@redhat.com>
Signed-off-by: NEric Blake <eblake@redhat.com>

The help message indicates that the CA certificate is
$sysconfdir/pki/CA/caert.pem while the actual path is
$sysconfdir/pki/CA/cacert.pem
Signed-off-by: NChristophe Fergeau <cfergeau@redhat.com>
Signed-off-by: NEric Blake <eblake@redhat.com>

If we use subdir-objects with automake, any reference to a
cross-directory .c file will result in automake creating
rules that track dependency in the cross directory.  But this
presents a problem during 'make distclean' - if the cross
directory is cleaned up first, then the daemon directory will
be left with dangling references to .Po dependency files that
no longer exist.

Meanwhile, referring to the cross-directory .c file means
that we are compiling the file twice - once in src, and once
in daemon.  Better is to compile just once in src into a
convenience library, and then use that library from daemon.

The tests directory had a similar situation of a cross-directory
.c file; to solve that, we actually need a convenience library.

* daemon/Makefile.am (DAEMON_SOURCES): Drop .c files...
(libvirtd_LDADD): ...and instead use library.
(libvirtd_conf_la_SOURCES): Declare a new convenience library.
(libvirtd_LDFLAGS): Drop duplicate flag.
* tests/Makefile.am (libvirtdconftest_SOURCES): Drop .c file...
(libvirtdconftest_LDADD): ..and instead use library.
Signed-off-by: NEric Blake <eblake@redhat.com>

Trying to enable automake's subdir-objects option resulted in
the creation of literal directories such as src/$(srcdir)/remote/.
I traced this to the fact that we had used a literal $(srcdir)
in a location that later fed an automake *_SOURCES variable.
This has also been reported as an automake bug:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=13928
but it's better to fix our code than to wait for an automake fix.

Some things to remember that affect VPATH builds, and where an
in-tree build is blissfully unaware of the issues: if a VPATH
build fails to find a file that was used as a prereq of any
other target, then the rule for that file will expand $@ to
prefer the current build dir (bad because a VPATH build on a
fresh checkout will then stick $@ in the current directory
instead of the desired srcdir); conversely, if a VPATH build
finds the file in srcdir but decides it needs to be rebuilt,
then the rule for that file will expand $@ to include the
directory where it was found out-of-date (bad for an explicit
listing of $(srcdir)/$@ because an incremental VPATH build will
then expand srcdir twice).  As we want these files to go into
srcdir unconditionally, we have to massage or avoid $@ for any
recipe that involves one of these files.

Therefore, this patch removes all uses of $(srcdir) from any
generated file name that later feeds a *_SOURCES variable, and
then rewrites all the recipes to generate those files to
hard-code their creation into srcdir without the use of $@.

* src/Makefile.am (REMOTE_DRIVER_GENERATED): Drop $(srcdir); VPATH
builds know how to find the files, and automake subdir-objects
fails with it in place.
(LXC_MONITOR_PROTOCOL_GENERATED, (LXC_MONITOR_GENERATED)
(ACCESS_DRIVER_GENERATED, LOCK_PROTOCOL_GENERATED): Likewise.
(*_client_bodies.h): Hard-code rules to write into srcdir, as
VPATH tries to build $@ locally if missing.
(util/virkeymaps.h): Likewise.
(lxc/lxc_monitor_dispatch.h): Likewise.
(access/viraccessapi*): Likewise.
(locking/lock_daemon_dispatch_stubs.h): Likewise.
* daemon/Makeflie.am (DAEMON_GENERATED, remote_dispatch.h):
Likewise.
Signed-off-by: NEric Blake <eblake@redhat.com>

fixup DAEMON_GENERATED

Automake has builtin support to prevent botched conditional nesting,
but only if you use:
if FOO
else !FOO
endif !FOO

An example error message when using the wrong name:

daemon/Makefile.am:378: error: else reminder (LIBVIRT_INIT_SCRIPT_SYSTEMD_TRUE) incompatible with current conditional: LIBVIRT_INIT_SCRIPT_SYSTEMD_FALSE
daemon/Makefile.am:381: error: endif reminder (LIBVIRT_INIT_SCRIPT_SYSTEMD_TRUE) incompatible with current conditional: LIBVIRT_INIT_SCRIPT_SYSTEMD_FALSE

As our makefiles tend to have quite a bit of nested conditionals,
it's better to take advantage of the benefits of the build system
double-checking that our conditionals are well-nested, but that
requires a syntax check to enforce our usage style.

Alas, unlike C preprocessor and spec files, we can't use indentation
to make it easier to see how deeply nesting goes.

* cfg.mk (sc_makefile_conditionals): New rule.
* daemon/Makefile.am: Enforce the style.
* gnulib/tests/Makefile.am: Likewise.
* python/Makefile.am: Likewise.
* src/Makefile.am: Likewise.
* tests/Makefile.am: Likewise.
* tools/Makefile.am: Likewise.
Signed-off-by: NEric Blake <eblake@redhat.com>

Fixes for argument layouts of various functions in daemon/remote.c

The return values for the virConnectListAllSecrets call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The return values for the virConnectListAllNWFilters call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The return values for the virConnectListAllNodeDevices call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The return values for the virConnectListAllInterfaces call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The return values for the virConnectListAllNetworks call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The return values for the virStoragePoolListAllVolumes call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The return values for the virConnectListAllStoragePools call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The return values for the virConnectListAllDomains call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The return values for the virDomain{SnapshotListAllChildren,ListAllSnapshots}
calls were not bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The return values for the virDomainGetJobStats call were not
bounds checked. This is a robustness issue for clients if
something where to cause corruption of the RPC stream data.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The parameters for the virDomainMigrate*Params RPC calls were
not bounds checks, meaning a malicious client can cause libvirtd
to consume arbitrary memory

This issue was introduced in the 1.1.0 release of libvirt
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

and use it when available

by adding it to AM_LDFLAGS instead of every linking rule and
by avoiding a forked grep.

The virtlockd/libvirtd daemons had listed '?' as the short option
for --help. getopt_long uses '?' for any unknown option. We want
to be able to distinguish unknown options (which use EXIT_FAILURE)
from correct usage of help (which should use EXIT_SUCCESS). Thus
we should use 'h' as a short option for --help. Also add this to
the man page docs

The virtlockd/libvirtd daemons did not list any short option
for the --version arg. Add -V as a valid short option, since
-v is already used for --verbose.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Broken in commit 1199edb1

This configuration knob lets user to set the length of queue of
connection requests waiting to be accept()-ed by the daemon. IOW, it
just controls the @backlog passed to listen:

  int listen(int sockfd, int backlog);