1. 29 10月, 2013 1 次提交
  2. 28 10月, 2013 1 次提交
  3. 25 10月, 2013 1 次提交
  4. 24 10月, 2013 5 次提交
    • J
      Avoid Coverity DEADCODE warning · ab479c90
      John Ferlan 提交于
      Commit '922b7fda' resulted in two DEADCODE warnings from Coverity in
      remoteDispatchAuthPolkit and virAccessDriverPolkitFormatProcess.
      Commit '604ae657' modified the daemon.c code to remove the deadcode
      issue, but did not do so for viracessdriverpolkit.c. This just mimics
      the same changes
      ab479c90
    • E
      virsh: undocument --shareable (--mode already covers it) · f919cf69
      Eric Blake 提交于
      Commit e962a579 added 'attach-disk --shareable', even though we
      already had 'attach-disk --mode=shareable'.  Worse, if the user
      types 'attach-disk --mode=readonly --shareable', we create
      non-sensical XML.  The best solution is just to undocument the
      duplicate spelling, by having it fall back to the preferred
      spelling.
      
      * tools/virsh-domain.c (cmdAttachDisk): Let alias handling fix our
      mistake in exposing a second spelling for an existing option.
      * tools/virsh.pod: Fix documentation.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      f919cf69
    • E
      virsh: allow alias to expand to opt=value pair · 2b172a8e
      Eric Blake 提交于
      We want to treat 'attach-disk --shareable' as an undocumented
      alias for 'attach-disk --mode=shareable'.  By improving our
      alias handling, we can allow all such --bool -> --opt=value
      replacements, and guarantee up front that the alias is not
      mixed with its replacement.
      
      * tools/virsh.c (vshCmddefOptParse, vshCmddefGetOption): Add
      support for expanding bool alias to --opt=value.
      (opts_echo): Add another alias to test it.
      * tests/virshtest.c (mymain): Test it.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      2b172a8e
    • M
      libxl: Fix possible invalid read · 394d6e0a
      Martin Kletzander 提交于
      According to the following valgrind output, there seems to be a
      invalid limit for the iterator (captured on Fedora 19):
      
      ==3945== Invalid read of size 1
      ==3945==    at 0x1E1FA410: libxlVmStart (libxl_driver.c:475)
      ==3945==    by 0x1E1FAD9A: libxlDomainCreateWithFlags (libxl_driver.c:2633)
      ==3945==    by 0x5187D46: virDomainCreate (libvirt.c:9439)
      ==3945==    by 0x13BAA6: remoteDispatchDomainCreateHelper (remote_dispatch.h:2910)
      ==3945==    by 0x51DE5B9: virNetServerProgramDispatch (virnetserverprogram.c:435)
      ==3945==    by 0x51D93E7: virNetServerHandleJob (virnetserver.c:165)
      ==3945==    by 0x50F5BF4: virThreadPoolWorker (virthreadpool.c:144)
      ==3945==    by 0x50F5670: virThreadHelper (virthreadpthread.c:161)
      ==3945==    by 0x8046C52: start_thread (pthread_create.c:308)
      ==3945==    by 0x8758E1C: clone (clone.S:113)
      ==3945==  Address 0x23424d81 is 0 bytes after a block of size 1 alloc'd
      ==3945==    at 0x4A08121: calloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==3945==    by 0x50B1F8C: virAllocN (viralloc.c:189)
      ==3945==    by 0x1E1FA3CA: libxlVmStart (libxl_driver.c:468)
      ==3945==    by 0x1E1FAD9A: libxlDomainCreateWithFlags (libxl_driver.c:2633)
      ==3945==    by 0x5187D46: virDomainCreate (libvirt.c:9439)
      ==3945==    by 0x13BAA6: remoteDispatchDomainCreateHelper (remote_dispatch.h:2910)
      ==3945==    by 0x51DE5B9: virNetServerProgramDispatch (virnetserverprogram.c:435)
      ==3945==    by 0x51D93E7: virNetServerHandleJob (virnetserver.c:165)
      ==3945==    by 0x50F5BF4: virThreadPoolWorker (virthreadpool.c:144)
      ==3945==    by 0x50F5670: virThreadHelper (virthreadpthread.c:161)
      ==3945==    by 0x8046C52: start_thread (pthread_create.c:308)
      ==3945==    by 0x8758E1C: clone (clone.S:113)
      ==3945==
      
      Related: https://bugzilla.redhat.com/show_bug.cgi?id=1013045Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
      394d6e0a
    • E
      virsh: fix doc typos · 0410eb22
      Eric Blake 提交于
      Reported in https://bugzilla.redhat.com/show_bug.cgi?id=1022872
      
      * tools/virsh.pod: s/COMMMANDS/COMMANDS/
      Signed-off-by: NEric Blake <eblake@redhat.com>
      0410eb22
  5. 23 10月, 2013 4 次提交
  6. 22 10月, 2013 10 次提交
    • D
      rpc: Retrieve peer PID via new getsockopt() for Mac · e24aec62
      Doug Goldstein 提交于
      While LOCAL_PEERCRED on the BSDs does not return the pid information of
      the peer, Mac OS X 10.8 added LOCAL_PEERPID to retrieve the pid so we
      should use that when its available to get that information.
      e24aec62
    • E
      maint: typo fixes · 160a70fe
      Eric Blake 提交于
      * ChangeLog-old: s/guarentee/guarantee/
      Signed-off-by: NEric Blake <eblake@redhat.com>
      160a70fe
    • J
      build: fix build of virt-login-shell on systems with older gnutls · 843bdb2f
      Jim Fehlig 提交于
      On systems where gnutls uses libgcrypt, I'm seeing the following
      build failure
      
      libvirt.c:314: error: variable 'virTLSThreadImpl' has initializer but incomplete type
      libvirt.c:319: error: 'GCRY_THREAD_OPTION_PTHREAD' undeclared here (not in a function)
      ...
      
      Fix by undefining WITH_GNUTLS_GCRYPT in config-post.h
      843bdb2f
    • M
      Get rid of shadowed booleans · e3e9d3b1
      Michal Privoznik 提交于
      There are still two places where we are using 1bit width unsigned
      integer to store a boolean. There's no real need for this and these
      occurrences can be replaced with 'bool'.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      e3e9d3b1
    • J
      build: fix linking virt-login-shell · 5a0ea4b7
      Jim Fehlig 提交于
      After commit 3e2f27e1, I've noticed build failures of virt-login-shell
      when libapparmor-devel is installed on the build host
      
      CCLD     virt-login-shell
      ../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o):
      In function `virExec':
      /home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined
      reference to `aa_change_profile'
      collect2: error: ld returned 1 exit status
      
      I was about to commit an easy fix under the build-breaker rule
      (build-fix-1.patch), but thought to extend the notion of SECDRIVER_LIBS
      to SECDRIVER_CFLAGS, and use both throughout src/Makefile.am where it
      makes sense (build-fix-2.patch).
      
      Should I just stick with the simple fix, or is something along the lines
      of patch 2 preferred?
      
      Regards,
      Jim
      
      >From a0f35945f3127ab70d051101037e821b1759b4bb Mon Sep 17 00:00:00 2001
      From: Jim Fehlig <jfehlig@suse.com>
      Date: Mon, 21 Oct 2013 15:30:02 -0600
      Subject: [PATCH] build: fix virt-login-shell build with apparmor
      
      With libapparmor-devel installed, virt-login-shell fails to link
      
      CCLD     virt-login-shell
      ../src/.libs/libvirt-setuid-rpc-client.a(libvirt_setuid_rpc_client_la-vircommand.o): In function `virExec':
      /home/jfehlig/virt/upstream/libvirt/src/util/vircommand.c:653: undefined reference to `aa_change_profile'
      collect2: error: ld returned 1 exit status
      
      Fix by linking libvirt_setuid_rpc_client with previously determined
      SECDRIVER_LIBS in src/Makefile.am.  While at it, introduce SECDRIVER_CFLAGS
      and use both throughout src/Makefile.am where it makes sense.
      Signed-off-by: NJim Fehlig <jfehlig@suse.com>
      5a0ea4b7
    • M
      vircgroupmock: Mock access() to some more files · 32799f1a
      Michal Privoznik 提交于
      Currently, if access(path, mode) is invoked, we check if @path has this
      special prefix SYSFS_PREFIX. If it does, we modify the path a bit and
      call realaccess. If it doesn't we act just like a wrapper and call
      realaccess directly. However, we are mocking fopen() as well. And as one
      can clearly see there, fopen("/proc/cgroups") will succeed. Hence, we
      have an error in our mocked access(): We need to check whether @path is
      not equal to /proc/cgroups as it may not exists on real system we're
      running however we definitely know how to fopen() it.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      32799f1a
    • M
      tests: Use lv_abs_top_builddir instead of bare abs_top_builddir · 9eb68903
      Michal Privoznik 提交于
      As stated in the comment above introduction of the lv_abs_top_builddir
      variable, older automake doesn't provide abs_top_builddir variable.
      Hence, we are creating our own one with lv_ prefix. However, when
      exporting env variables to the tests, the variables are not evaluated
      but only substituted. Hence:
      
        LIBVIRT_DRIVER_DIR="$(abs_top_builddir)/src/.libs"
      
      is set to "/src/.libs" with old automake (even though we *think* we've
      set the $abs_top_builddir variable just a few line above).
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      9eb68903
    • P
      virsh: Fix job watching when STDIN is not a tty · 47e63966
      Peter Krempa 提交于
      In commit b46c4787 I changed the code to
      watch long running jobs in virsh. Unfortunately I didn't take into
      account that poll may get a hangup if the terminal is not a TTY and will
      be closed.
      
      This patch avoids polling the STDIN fd when there's no TTY.
      47e63966
    • C
      docs: fix some typos about 'informations' · dc33207d
      Chen Hanxiao 提交于
      s/informations/information
      Signed-off-by: NChen Hanxiao <chenhanxiao@cn.fujitsu.com>
      dc33207d
    • R
      nodeinfo: fix physical memory size on Mac OS X · ae6b5da3
      Ryota Ozaki 提交于
      HW_PHYSMEM is available on Mac OS X as well as FreeBSD, however,
      its resulting value for Mac OS X is 32 bits. Mac OS X provides
      HW_MEMSIZE that is 64 bits version of HW_PHYSMEM. We have to use it.
      
      I tested the patch on Mac OS X 10.6.8, 10.7.4, 10.8.5 and FreeBSD 9.2.
      Signed-off-by: NRyota Ozaki <ozaki.ryota@gmail.com>
      ae6b5da3
  7. 21 10月, 2013 18 次提交
    • L
      qemu: fix removal of <interface type='hostdev'> · 69e047ae
      Laine Stump 提交于
      This patch (and the two patches that precede it) resolve:
      
        https://bugzilla.redhat.com/show_bug.cgi?id=1005682
      
      When libvirt was changed to delay the final cleanup of device removal
      until the qemu process had signaled it with a DEVICE_DELETED event for
      that device, the hostdev removal function
      (qemuDomainRemoveHostDevice()) was written to properly handle the
      removal of a hostdev that was actually an SRIOV virtual function
      (defined with <interface type='hostdev'>). However, the function used
      to search for a device matching the alias name provided in the
      DEVICE_DELETED message (virDomainDefFindDevice()) would search through
      the list of netdevs before hostdevs, so qemuDomainRemoveHostDevice()
      was never called; instead the netdev function,
      qemuDomainRemoveNetDevice() (which *doesn't* properly cleanup after
      removal of <interface type='hostdev'>), was called.
      
      (As a reminder - each <interface type='hostdev'> results in a
      virDomainNetDef which contains a virDomainHostdevDef having a parent
      type of VIR_DOMAIN_DEVICE_NET, and parent.data.net pointing back to
      the virDomainNetDef; both Defs point to the same device info object
      (and the info contains the device's "alias", which is used by qemu to
      identify the device). The virDomainHostdevDef is added to the domain's
      hostdevs list *and* the virDomainNetDef is added to the domain's nets
      list, so searching either list for a particular alias will yield a
      positive result.)
      
      This function modifies the qemuDomainRemoveNetDevice() to short
      circuit itself and call qemu DomainRemoveHostDevice() instead when the
      actual device is a VIR_DOMAIN_NET_TYPE_HOSTDEV (similar logic to what
      is done in the higher level qemuDomainDetachNetDevice())
      
      Note that even if virDomainDefFindDevice() changes in the future so
      that it finds the hostdev entry first, the current code will continue
      to work properly.
      69e047ae
    • L
      qemu: move qemuDomainRemoveNetDevice to avoid forward reference · c5561644
      Laine Stump 提交于
      pure code movement to setup for next patch.
      c5561644
    • L
      qemu: simplify calling qemuDomainHostdevNetConfigRestore · 7a600cf7
      Laine Stump 提交于
      This function was called in three places, and in each the call was
      qualified by a slightly different conditional. In reality, this
      function should only be called for a hostdev if all of the following
      are true:
      
        1) mode='subsystem'
        2) type='pci'
        3) there is a parent device definition which is an <interface>
           (VIR_DOMAIN_DEVICE_NET)
      
      We can simplify the callers and make them more consistent by checking
      these conditions at the top ov qemuDomainHostdevNetConfigRestore and
      returning 0 if one of them isn't satisfied.
      
      The location of the call to qemuDomainHostdevNetConfigRestore() has
      also been changed in the hot-plug case - it is moved into the caller
      of its previous location (i.e. from qemuDomainRemovePCIHostDevice() to
      qemuDomainRemoveHostDevice()). This was done to be more consistent
      about which functions pay attention to whether or not this is one of
      the special <interface> hostdevs or just a normal hostdev -
      qemuDomainRemoveHostDevice() already contained a call to
      networkReleaseActualDevice() and virDomainNetDefFree(), so it makes
      sense for it to also handle the resetting of the device's MAC address
      and vlan tag (which is what's done by
      qemuDomainHostdevNetConfigRestore()).
      7a600cf7
    • D
      Move virt-login-shell into libvirt-login-shell sub-RPM · 8adc9269
      Daniel P. Berrange 提交于
      Many people will not want the setuid virt-login-shell binary
      installed by default, so move it into a separate sub-RPM
      named libvirt-login-shell. This RPM is only generated if
      LXC is enabled
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      8adc9269
    • D
      Block all use of libvirt.so in setuid programs · 9cd6a57d
      Daniel P. Berrange 提交于
      Avoid people introducing security flaws in their apps by
      forbidding the use of libvirt.so in setuid programs, with
      a check in virInitialize.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      9cd6a57d
    • D
      Remove (nearly) all use of getuid()/getgid() · 9b0af092
      Daniel P. Berrange 提交于
      Most of the usage of getuid()/getgid() is in cases where we are
      considering what privileges we have. As such the code should be
      using the effective IDs, not real IDs.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      9b0af092
    • D
      Add stub getegid impl for platforms lacking it · c566fa1a
      Daniel P. Berrange 提交于
      We already have stubs for getuid, geteuid, getgid but
      not for getegid. Something in gnulib already does a
      check for it during configure, so we already have the
      HAVE_GETEGID macro defined.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      c566fa1a
    • D
      Don't allow remote driver daemon autostart when running setuid · 171bb129
      Daniel P. Berrange 提交于
      We don't want setuid programs automatically spawning libvirtd,
      so disable any use of autostart when setuid.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      171bb129
    • D
      Only allow the UNIX transport in remote driver when setuid · e22b0232
      Daniel P. Berrange 提交于
      We don't know enough about quality of external libraries used
      for non-UNIX transports, nor do we want to spawn external
      commands when setuid. Restrict to the bare minimum which is
      UNIX transport for local usage. Users shouldn't need to be
      running setuid if connecting to remote hypervisors in any
      case.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      e22b0232
    • D
      Block all use of getenv with syntax-check · 71b21f12
      Daniel P. Berrange 提交于
      The use of getenv is typically insecure, and we want people
      to use our wrappers, to force them to think about setuid
      needs.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      71b21f12
    • D
      Remove all direct use of getenv · 1e4a02bd
      Daniel P. Berrange 提交于
      Unconditional use of getenv is not secure in setuid env.
      While not all libvirt code runs in a setuid env (since
      much of it only exists inside libvirtd) this is not always
      clear to developers. So make all the code paranoid, even
      if it only ever runs inside libvirtd.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      1e4a02bd
    • D
      Make virCommand env handling robust in setuid env · 9b8f307c
      Daniel P. Berrange 提交于
      When running setuid, we must be careful about what env vars
      we allow commands to inherit from us. Replace the
      virCommandAddEnvPass function with two new ones which do
      filtering
      
        virCommandAddEnvPassAllowSUID
        virCommandAddEnvPassBlockSUID
      
      And make virCommandAddEnvPassCommon use the appropriate
      ones
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      9b8f307c
    • D
      Set a sane $PATH for virt-login-shell · d665003d
      Daniel P. Berrange 提交于
      The virt-login-shell binary shouldn't need to execute programs
      relying on $PATH, but just in case set a fixed $PATH value
      of /bin:/usr/bin
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      d665003d
    • D
      Don't link virt-login-shell against libvirt.so (CVE-2013-4400) · 3e2f27e1
      Daniel P. Berrange 提交于
      The libvirt.so library has far too many library deps to allow
      linking against it from setuid programs. Those libraries can
      do stuff in __attribute__((constructor) functions which is
      not setuid safe.
      
      The virt-login-shell needs to link directly against individual
      files that it uses, with all library deps turned off except
      for libxml2 and libselinux.
      
      Create a libvirt-setuid-rpc-client.la library which is linked
      to by virt-login-shell. A config-post.h file allows this library
      to disable all external deps except libselinux and libxml2.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      3e2f27e1
    • D
      Close all non-stdio FDs in virt-login-shell (CVE-2013-4400) · b7fcc799
      Daniel P. Berrange 提交于
      We don't want to inherit any FDs in the new namespace
      except for the stdio FDs. Explicitly close them all,
      just in case some do not have the close-on-exec flag
      set.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      b7fcc799
    • D
      Only allow 'stderr' log output when running setuid (CVE-2013-4400) · 8c3586ea
      Daniel P. Berrange 提交于
      We must not allow file/syslog/journald log outputs when running
      setuid since they can be abused to do bad things. In particular
      the 'file' output can be used to overwrite files.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      8c3586ea
    • D
      Add helpers for getting env vars in a setuid environment · ae53e5d1
      Daniel P. Berrange 提交于
      Care must be taken accessing env variables when running
      setuid. Introduce a virGetEnvAllowSUID for env vars which
      are safe to use in a setuid environment, and another
      virGetEnvBlockSUID for vars which are not safe. Also add
      a virIsSUID helper method for any other non-env var code
      to use.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      ae53e5d1
    • D
      Fix perms for virConnectDomainXML{To,From}Native (CVE-2013-4401) · 57687fd6
      Daniel P. Berrange 提交于
      The virConnectDomainXMLToNative API should require 'connect:write'
      not 'connect:read', since it will trigger execution of the QEMU
      binaries listed in the XML.
      
      Also make virConnectDomainXMLFromNative API require a full
      read-write connection and 'connect:write' permission. Although the
      current impl doesn't trigger execution of QEMU, we should not
      rely on that impl detail from an API permissioning POV.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      57687fd6