- 21 10月, 2013 15 次提交
-
-
由 Daniel P. Berrange 提交于
Avoid people introducing security flaws in their apps by forbidding the use of libvirt.so in setuid programs, with a check in virInitialize. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Most of the usage of getuid()/getgid() is in cases where we are considering what privileges we have. As such the code should be using the effective IDs, not real IDs. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
We already have stubs for getuid, geteuid, getgid but not for getegid. Something in gnulib already does a check for it during configure, so we already have the HAVE_GETEGID macro defined. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
We don't want setuid programs automatically spawning libvirtd, so disable any use of autostart when setuid. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
We don't know enough about quality of external libraries used for non-UNIX transports, nor do we want to spawn external commands when setuid. Restrict to the bare minimum which is UNIX transport for local usage. Users shouldn't need to be running setuid if connecting to remote hypervisors in any case. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The use of getenv is typically insecure, and we want people to use our wrappers, to force them to think about setuid needs. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Unconditional use of getenv is not secure in setuid env. While not all libvirt code runs in a setuid env (since much of it only exists inside libvirtd) this is not always clear to developers. So make all the code paranoid, even if it only ever runs inside libvirtd. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
When running setuid, we must be careful about what env vars we allow commands to inherit from us. Replace the virCommandAddEnvPass function with two new ones which do filtering virCommandAddEnvPassAllowSUID virCommandAddEnvPassBlockSUID And make virCommandAddEnvPassCommon use the appropriate ones Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The virt-login-shell binary shouldn't need to execute programs relying on $PATH, but just in case set a fixed $PATH value of /bin:/usr/bin Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The libvirt.so library has far too many library deps to allow linking against it from setuid programs. Those libraries can do stuff in __attribute__((constructor) functions which is not setuid safe. The virt-login-shell needs to link directly against individual files that it uses, with all library deps turned off except for libxml2 and libselinux. Create a libvirt-setuid-rpc-client.la library which is linked to by virt-login-shell. A config-post.h file allows this library to disable all external deps except libselinux and libxml2. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
We don't want to inherit any FDs in the new namespace except for the stdio FDs. Explicitly close them all, just in case some do not have the close-on-exec flag set. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
We must not allow file/syslog/journald log outputs when running setuid since they can be abused to do bad things. In particular the 'file' output can be used to overwrite files. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Care must be taken accessing env variables when running setuid. Introduce a virGetEnvAllowSUID for env vars which are safe to use in a setuid environment, and another virGetEnvBlockSUID for vars which are not safe. Also add a virIsSUID helper method for any other non-env var code to use. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The virConnectDomainXMLToNative API should require 'connect:write' not 'connect:read', since it will trigger execution of the QEMU binaries listed in the XML. Also make virConnectDomainXMLFromNative API require a full read-write connection and 'connect:write' permission. Although the current impl doesn't trigger execution of QEMU, we should not rely on that impl detail from an API permissioning POV. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Chen Hanxiao 提交于
s/effect/affect Signed-off-by: NChen Hanxiao <chenhanxiao@cn.fujitsu.com>
-
- 19 10月, 2013 2 次提交
-
-
由 Geoff Hickey 提交于
The meaning of one line of code was accidentally inverted. Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Michal Privoznik 提交于
Commit e3ef20d7 allows user to configure migration ports range via qemu.conf. However, it forgot to update augeas definition file and even the test data was malicious. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 18 10月, 2013 12 次提交
-
-
由 Jiri Denemark 提交于
host-model is a nice idea but it's current implementation make it useless on some hosts so it should be used with care.
-
-
由 Wang Yufei 提交于
https://bugzilla.redhat.com/show_bug.cgi?id=1019053 When we migrate vms concurrently, there's a chance that libvirtd on destination assigns the same port for different migrations, which will lead to migration failure during prepare phase on destination. So we use virPortAllocator here to solve the problem. Signed-off-by: NWang Yufei <james.wangyufei@huawei.com> Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
-
由 Michal Privoznik 提交于
In fact, the suffix should be _QUIET not _QUIT to stress the fact, that no OOM error is reported on error. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Christophe Fergeau 提交于
netcfStateInitialize() initializes the driverState variable, and when netcfStateCleanup is called, it will call virReportError() if driverState is NULL. This is not consistent with what other state objects are doing, they return -1 without reporting an error in such cases. See also https://www.redhat.com/archives/libvir-list/2013-October/msg00809.html: On Thu, Oct 17, 2013 at 01:40:19PM +0100, Daniel P. Berrange wrote: > We don't want virStateCleanup to skip execution if virStateInitialize > has failed though - every callback in virStateCleanup should be written > to be safe if its corresponding init function hasn't run.
-
由 Zhou Yimin 提交于
Introduced by 7b87a3 When I quit the process which only register VIR_DOMAIN_EVENT_ID_REBOOT, I got error like: "libvirt: XML-RPC error : internal error: domain event 0 not registered". Then I add the following code, it fixed. Signed-off-by: NZhou Yimin <zhouyimin@huawei.com> Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Chen Hanxiao 提交于
If we fail to get domain, we had to judge whether it's null or not when doing 'cleanup'. Signed-off-by: NChen Hanxiao <chenhanxiao@cn.fujitsu.com>
-
由 John Ferlan 提交于
The header definition didn't match the function declaration, so adjusted header to reflect the definition. Found during a Coverity build where STATIC_ANALYSIS is enabled resulting in the internal.h adding __nonnull__ handling to arguments. Commit '6d264c91' added support for the qemuMonitorJSONDrivePivot() and commit 'fbc3adc9' added a corresponding test which ended up triggering the build failure which I didn't notice until today!
-
由 Chen Hanxiao 提交于
'--print-xml' option is very useful for doing some test. But we had to specify a real domain for it. This patch could enable us to specify a fake domain when using --print-xml option. Signed-off-by: NChen Hanxiao <chenhanxiao@cn.fujitsu.com> Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Geoff Hickey 提交于
Code cleanup: remove explicit NULL comparisons like ptr == NULL and ptr != NULL from the ESX code, replacing them with the simpler ptr and !ptr. Part three of three.
-
由 Geoff Hickey 提交于
Code cleanup: remove explicit NULL comparisons like ptr == NULL and ptr != NULL from the ESX code, replacing them with the simpler ptr and !ptr. Part two of three.
-
由 Geoff Hickey 提交于
Code cleanup: remove explicit NULL comparisons like ptr == NULL and ptr != NULL from the ESX code, replacing them with the simpler ptr and !ptr. Part one of three.
-
- 17 10月, 2013 6 次提交
-
-
由 Daniel P. Berrange 提交于
QEMU has support for SASL auth for SPICE guests, but libvirt has no way to enable it. Following the example from VNC where it is globally enabled via qemu.conf Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Michal Privoznik 提交于
The last argument of memmove is the amount of bytes to be moved. The amount is in Bytes. We are moving some void pointers around. However, since sizeof(void *) is not Byte on any architecture, we've got the arithmetic wrong.
-
由 Brian Candler 提交于
This patch improves the error checking in the LOCAL_PEERCRED version of virNetSocketGetUNIXIdentity, used by FreeBSD and Mac OSX. 1. The error return paths now correctly unlock the socket. This is implemented in exactly the same way as the SO_PEERCRED version, using "goto cleanup" 2. cr.cr_ngroups is initialised to -1, and cr.cr_ngroups is checked for negative and overlarge values. This means that if the getsockopt() call returns success but doesn't actually update the xucred structure, this is now caught. This happened previously when getsockopt was called with SOL_SOCKET instead of SOL_LOCAL, prior to commit 5a468b38, and resulted in random uids being accepted. Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Chen Hanxiao 提交于
s/it's/its Signed-off-by: NChen Hanxiao <chenhanxiao@cn.fujitsu.com>
-
由 Giuseppe Scrivano 提交于
prevent aclocal from preferring .m4 files under m4/ over the version provided by gnulib, by using only one directory. I have noticed this after './configure --help' gave me two different versions of "--enable-threads". This was caused by aclocal that preferred the version of lock.m4 provided by autopoint instead of using the newer version distributed with gnulib. Having two different directories made sense back when we checked gnulib files into libvirt.git, but that was ages ago. Signed-off-by: NGiuseppe Scrivano <gscrivan@redhat.com> Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Eric Blake 提交于
The RNG grammar did not allow arbitrary interleaving, which makes it harder than necessary to create a new pool from handwritten XML. * docs/schemas/storagepool.rng: Allow interleaving. * tests/storagepoolxml2xmlin/pool-sheepdog.xml: Test interleave. * tests/storagepoolxml2xmlin/pool-iscsi-auth.xml: Likewise. Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 16 10月, 2013 5 次提交
-
-
由 Eric Blake 提交于
We forgot to document several pool types. * docs/formatstorage.html.in: Add docs for scsi, mpath, rbd, and sheepdog. Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Christophe Fergeau 提交于
-
由 Osier Yang 提交于
<...> /* Size of message length field. Not counted in VIR_NET_MESSAGE_MAX * and VIR_NET_MESSAGE_INITIAL. */ const VIR_NET_MESSAGE_LEN_MAX = 4; </...> However, msg->bufferLength includes the length word. The wrong checking was introduced by commit e914dcfd. * src/rpc/virnetmessage.c: - Correct the checking in virNetMessageEncodePayloadRaw - Use a new variable to track the new payload length in virNetMessageEncodePayloadRaw
-
由 Daniel P. Berrange 提交于
The recent patch series proposing the addition of PPC little endian arch support to Linux defines new arch names 'ppcle' and 'ppc64le': https://lists.ozlabs.org/pipermail/linuxppc-dev/2013-August/109908.html This just makes libvirt know about these arch names, so it doesn't immediately trip up if it seems these new names from uname. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
A typo in the setup of NBD backed filesystems meant the /dev/nbdN device would not be added to the cgroups device ACL. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-