and use it when available

by adding it to AM_LDFLAGS instead of every linking rule and
by avoiding a forked grep.

otherwise having a strict --no-copy-dt-needed-entries fails in several
places like:

    CCLD     virdbustest
    /usr/bin/ld: virdbustest-virdbustest.o: undefined reference to symbol 'dbus_message_unref'
    /lib/x86_64-linux-gnu/libdbus-1.so.3: error adding symbols: DSO missing from command line
    collect2: error: ld returned 1 exit status

This adds two new pages to the website, acl.html describing
the general access control framework and permissions models,
and aclpolkit.html describing the use of polkit as an
access control driver.

page.xsl is modified to support a new syntax

  <div id="include" filename="somefile.htmlinc"/>

which will cause the XSL transform to replace that <div>
with the contents of 'somefile.htmlinc'. We use this in
the acl.html.in file, to pull the table of permissions
for each libvirt object. This table is autogenerated
from the enums in src/access/viraccessperms.h by the
genaclperms.pl script.

newapi.xsl is modified so that the list of permissions
checks shown against each API will link to the description
of the permissions in acl.html
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

The virtlockd daemon supports an /etc/libvirt/virtlockd.conf
config file, but we never installed a default config, nor
created any augeas scripts. This change addresses that omission.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Create a virtlockd.pod.in file containing the man page
content for virtlockd.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

So that app developers / admins know what access control checks
are performed for each API, this patch extends the API docs
generator to include details of the ACLs for each.

The gendispatch.pl script is extended so that it generates
a simple XML describing ACL rules, eg.

  <aclinfo>
    ...
    <api name='virConnectNumOfDomains'>
      <check object='connect' perm='search_domains'/>
      <filter object='domain' perm='getattr'/>
    </api>
    <api name='virDomainAttachDeviceFlags'>
      <check object='domain' perm='write'/>
      <check object='domain' perm='save' flags='!VIR_DOMAIN_AFFECT_CONFIG|VIR_DOMAIN_AFFECT_LIVE'/>
      <check object='domain' perm='save' flags='VIR_DOMAIN_AFFECT_CONFIG'/>
    </api>
    ...
  </aclinfo>

The newapi.xsl template loads the XML files containing the ACL
rules and generates a short block of HTML for each API describing
the parameter checks and return value filters (if any).
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

* Move platform specific things (e.g. firewalling and route
  collision checks) into bridge_driver_platform
* Create two platform specific implementations:
    - bridge_driver_linux: Linux implementation using iptables,
      it's actually the code moved from bridge_driver.c
    - bridge_driver_nop: dumb implementation that does nothing
Signed-off-by: NEric Blake <eblake@redhat.com>

A VPATH build 'make check' was failing with:

  GEN      check-driverimpls
Can't open ../../src/../../src/lxc/lxc_monitor_protocol.h: No such file or directory at ../../src/check-driverimpls.pl line 29, <> line 27153.
Can't open ../../src/../../src/lxc/lxc_monitor_protocol.c: No such file or directory at ../../src/check-driverimpls.pl line 29, <> line 27153.
...
  GEN      check-aclrules
cannot read ../../src/../../src/remote/remote_protocol.x at ../../src/check-aclrules.pl line 128.

because $(srcdir) was being prepended to file names that already
included it.

* src/Makefile.am (check-driverimpls): Don't add srcdir twice.
Signed-off-by: NEric Blake <eblake@redhat.com>

util/virdbuspriv.h needed to be added to UTIL_SOURCES in the makefile.

To register virtual machines and containers with systemd-machined,
and thus have cgroups auto-created, we need to talk over DBus.
This is somewhat tedious code, so introduce a dedicated function
to isolate the DBus call in one place.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Makefiles are another easy file to enforce line limits.

Mostly straightforward; interesting tricks worth noting:
src/Makefile.am: $(confdir) was already defined, use it in more places
tests/Makefile.am: path_add and VG required some interesting compression

* cfg.mk (sc_prohibit_long_lines): Add another test.
* Makefile.am: Fix offenders.
* daemon/Makefile.am: Likewise.
* docs/Makefile.am: Likewise.
* python/Makefile.am: Likewise.
* src/Makefile.am: Likewise.
* tests/Makefile.am: Likewise.
Signed-off-by: NEric Blake <eblake@redhat.com>

The 'check-aclrules' test case validates that there are ACL
checks in each method. This extends it so that it can also
validate that methods which return info about lists of objects,
will filter their returned info throw an ACL check.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

On a mingw VPATH build (such as done by ./autobuild.sh), the tarball
created by 'make dist' was including generated files.  The VPATH
rules were then seeing that the tarball files were up-to-date, and
not regenerating files locally, leading to this failure:

  GEN      libvirt.syms
cat: libvirt_access.syms: No such file or directory
cat: libvirt_access_qemu.syms: No such file or directory
cat: libvirt_access_lxc.syms: No such file or directory
make: *** [libvirt.syms] Error 1

We already have a category for generated sym files, which are
intentionally not part of the tarball; stick the access sym
files in that category.  The rearrange the declarations a bit
to make it harder to repeat the problem, dropping things that
are now redundant (for example, BUILT_FILES already includes
GENERATED_SYM_FILES, so it does not also need to call out
ACCESS_DRIVER_SYM_FILES).

* src/Makefile.am (USED_SYM_FILES): Don't include generated files.
(GENERATED_SYM_FILES): Access syms files are generated.
(libvirt.syms): Include access syms files here.
(ACCESS_DRIVER_SYMFILES): Rename...
(ACCESS_DRIVER_SYM_FILES): ...for consistency.
Signed-off-by: NEric Blake <eblake@redhat.com>

On mingw, configure sets the name of the lxc symfile to
libvirt_lxc.defs rather than libvirt_lxc.syms.  But tarballs
must be arch-independent, regardless of the configure options
used for the tree where we ran 'make dist'.  This led to the
following failure in autobuild.sh:

  CCLD     libvirt-lxc.la
  CCLD     libvirt-qemu.la
/usr/lib64/gcc/i686-w64-mingw32/4.7.2/../../../../i686-w64-mingw32/bin/ld: cannot find libvirt_lxc.def: No such file or directory
collect2: error: ld returned 1 exit status
make[3]: *** [libvirt-lxc.la] Error 1
make[3]: *** Waiting for unfinished jobs....

We were already doing the right thing with libvirt_qemu.syms.

* src/Makefile.am (EXTRA_DIST): Don't ship a built file which
depends on configure for its final name.
Signed-off-by: NEric Blake <eblake@redhat.com>

VPATH build failed for the generated access driver files.
Signed-off-by: NViktor Mihajlovski <mihajlov@linux.vnet.ibm.com>

Add a script which parses the driver API code and validates
that every API registered in a virNNNDriverPtr table contains
an ACL check matching the API name.

NB this currently whitelists a few xen driver functions
which are temporarily lacking in access control checks.
The xen driver is considered insecure until these are
fixed.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Insert calls to the ACL checking APIs in all secrets driver
entrypoints.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Insert calls to the ACL checking APIs in all nwfilter driver
entrypoints.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Insert calls to the ACL checking APIs in all node device
driver entrypoints.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Insert calls to the ACL checking APIs in all interface
driver entrypoints.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Insert calls to the ACL checking APIs in all network driver
entrypoints.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Insert calls to the ACL checking APIs in all storage driver
entrypoints.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Insert calls to the ACL checking APIs in all libxl driver
entrypoints.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Insert calls to the ACL checking APIs in all Xen driver
entrypoints.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Insert calls to the ACL checking APIs in all UML driver
entrypoints.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Insert calls to the ACL checking APIs in all LXC driver
entrypoints.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Insert calls to the ACL checking APIs in all QEMU driver
entrypoints.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Extend the 'gendispatch.pl' script to be able to generate
three new types of file.

- 'aclheader' - defines signatures of helper APIs for
  doing authorization checks. There is one helper API
  for each API requiring an auth check. Any @acl
  annotations result in a method being generated with
  a suffix of 'EnsureACL'. If the ACL check requires
  examination of flags, an extra 'flags' param will be
  present. Some examples

  extern int virConnectBaselineCPUEnsureACL(void);
  extern int virConnectDomainEventDeregisterEnsureACL(virDomainDefPtr domain);
  extern int virDomainAttachDeviceFlagsEnsureACL(virDomainDefPtr domain, unsigned int flags);

  Any @aclfilter annotations resuilt in a method being
  generated with a suffix of 'CheckACL'.

  extern int virConnectListAllDomainsCheckACL(virDomainDefPtr domain);

  These are used for filtering individual objects from APIs
  which return a list of objects

- 'aclbody' - defines the actual implementation of the
  methods described above. This calls into the access
  manager APIs. A complex example:

    /* Returns: -1 on error (denied==error), 0 on allowed */
    int virDomainAttachDeviceFlagsEnsureACL(virConnectPtr conn,
                                            virDomainDefPtr domain,
                                            unsigned int flags)
    {
        virAccessManagerPtr mgr;
        int rv;

        if (!(mgr = virAccessManagerGetDefault()))
            return -1;

        if ((rv = virAccessManagerCheckDomain(mgr,
                                              conn->driver->name,
                                              domain,
                                              VIR_ACCESS_PERM_DOMAIN_WRITE)) <= 0) {
            virObjectUnref(mgr);
            if (rv == 0)
                virReportError(VIR_ERR_ACCESS_DENIED, NULL);
            return -1;
        }
        if (((flags & (VIR_DOMAIN_AFFECT_CONFIG|VIR_DOMAIN_AFFECT_LIVE)) == 0) &&
            (rv = virAccessManagerCheckDomain(mgr,
                                              conn->driver->name,
                                              domain,
                                              VIR_ACCESS_PERM_DOMAIN_SAVE)) <= 0) {
            virObjectUnref(mgr);
            if (rv == 0)
                virReportError(VIR_ERR_ACCESS_DENIED, NULL);
            return -1;
        }
        if (((flags & (VIR_DOMAIN_AFFECT_CONFIG)) == (VIR_DOMAIN_AFFECT_CONFIG)) &&
            (rv = virAccessManagerCheckDomain(mgr,
                                              conn->driver->name,
                                              domain,
                                              VIR_ACCESS_PERM_DOMAIN_SAVE)) <= 0) {
            virObjectUnref(mgr);
            if (rv == 0)
                virReportError(VIR_ERR_ACCESS_DENIED, NULL);
            return -1;
        }
        virObjectUnref(mgr);
        return 0;
    }

- 'aclsyms' - generates a linker script to export the
   APIs to drivers. Some examples

  virConnectBaselineCPUEnsureACL;
  virConnectCompareCPUEnsureACL;
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Add an access control driver that uses the pkcheck command
to check authorization requests. This is fairly inefficient,
particularly for cases where an API returns a list of objects
and needs to check permission for each object.

It would be desirable to use the polkit API but this links
to glib with abort-on-OOM behaviour, so can't be used. The
other alternative is to speak to dbus directly
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

This patch introduces the virAccessManagerPtr class as the
interface between virtualization drivers and the access
control drivers. The viraccessperm.h file defines the
various permissions that will be used for each type of object
libvirt manages
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

A few things have changed in the VirtualBox API - some small
(capitalizations of things in function names like Ip to IP
and Dhcp to DHCP) and some much larger (FindMedium is superceded
by OpenMedium). The biggest change for the sake of this patch
is the signature of CreateMachine is quite a bit different. Using
the Oracle source as a guide, to spin up a VM with a given UUID,
it looks like a text flag has to be passed in a new argument to
CreateMachine. This flag is built in the VirtualBox 4.2 specific
ifdefs and is kind of ugly but works. Additionally, there is now
(unused) VM groups support in CreateMachine and the previous
'osTypeId' arg is currently set to nsnull as in the Oracle code.

The FindMedium to OpenMedium changes were more straightforward
and are pretty clear. The rest of the vbox template changes are
basically spelling/capitalization changes from the looks of things.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Commit d671121d was incomplete; I hit another compile fail on
cygwin not finding the correct rpc/rpc.h.

* src/Makefile.am (virtlockd_CFLAGS): Add XDR_CFLAGS.
Signed-off-by: NEric Blake <eblake@redhat.com>

On cygwin, the build failed with:

In file included from ./rpc/virnetmessage.h:24:0,
                 from ./rpc/virnetclient.h:29,
                 from locking/lock_driver_lockd.c:31:
./rpc/virnetprotocol.h:9:21: fatal error: rpc/rpc.h: No such file or directory

* src/Makefile.am (lockd_la_CFLAGS): Add XDR_CFLAGS.
Signed-off-by: NEric Blake <eblake@redhat.com>

Several files called out COPYING or COPYING.LIB instead of using
the normal boilerplate.  It's especially important that we don't
call out COPYING from an LGPL file, since COPYING is traditionally
used for the GPL.  A few files were lacking copyright altogether.

* src/rpc/gendispatch.pl: Add missing copyright.
* Makefile.nonreentrant: Likewise.
* src/check-symfile.pl: Likewise.
* src/check-symsorting.pl: Likewise.
* src/driver.h: Likewise.
* src/internal.h: Likewise.
* tools/libvirt-guests.sh.in: Likewise.
* tools/virt-pki-validate.in: Mention copyright in comment, not just code.
* tools/virt-sanlock-cleanup.in: Likewise.
* src/rpc/genprotocol.pl: Spell out license terms.
* src/xen/xend_internal.h: Likewise.
* src/xen/xend_internal.c: Likewise.
* Makefile.am: Likewise.
* daemon/Makefile.am: Likewise.
* docs/Makefile.am: Likewise.
* docs/schemas/Makefile.am: Likewise.
* examples/apparmor/Makefile.am: Likewise.
* examples/domain-events/events-c/Makefile.am: Likewise.
* examples/dominfo/Makefile.am: Likewise.
* examples/domsuspend/Makefile.am: Likewise.
* examples/hellolibvirt/Makefile.am: Likewise.
* examples/openauth/Makefile.am: Likewise.
* examples/python/Makefile.am: Likewise.
* examples/systemtap/Makefile.am: Likewise.
* examples/xml/nwfilter/Makefile.am: Likewise.
* gnulib/lib/Makefile.am: Likewise.
* gnulib/tests/Makefile.am: Likewise.
* include/Makefile.am: Likewise.
* include/libvirt/Makefile.am: Likewise.
* python/Makefile.am: Likewise.
* python/tests/Makefile.am: Likewise.
* src/Makefile.am: Likewise.
* tests/Makefile.am: Likewise.
* tools/Makefile.am: Likewise.
* configure.ac: Likewise.
Signed-off-by: NEric Blake <eblake@redhat.com>

Change the build process & driver initialization so that the
VirtualBox driver is built into libvirtd, instead of libvirt.so
This change avoids the VirtualBox GPLv2-only license causing
compatibility problems with libvirt.so which is under the
GPLv2-or-later license.

NB this change prevents use of the VirtualBox driver on the
Windows platform, until such time as libvirtd can be made
to work there.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

DRIVER_SOURCE_FILES mixes files with absolute path (inherited from
REMOTE_DRIVER_GENERATED) with file paths that are relative to srcdir but
check-driverimpls.pl needs full paths.