- 26 Aug, 2013 1 commit
Committed by Jiri Denemark
-
- 22 Aug, 2013 2 commits
Committed by Guido Günther
and use it when available
-
Committed by Guido Günther
by adding it to AM_LDFLAGS instead of every linking rule and by avoiding a forked grep.
-
- 13 Aug, 2013 1 commit
Committed by Guido Günther
otherwise having a strict --no-copy-dt-needed-entries fails in several places like:

    CCLD virdbustest
    /usr/bin/ld: virdbustest-virdbustest.o: undefined reference to symbol 'dbus_message_unref'
    /lib/x86_64-linux-gnu/libdbus-1.so.3: error adding symbols: DSO missing from command line
    collect2: error: ld returned 1 exit status
-
- 10 Aug, 2013 1 commit
Committed by Daniel P. Berrange
This adds two new pages to the website, acl.html describing the general access control framework and permissions models, and aclpolkit.html describing the use of polkit as an access control driver.

page.xsl is modified to support a new syntax <div id="include" filename="somefile.htmlinc"/> which will cause the XSL transform to replace that <div> with the contents of 'somefile.htmlinc'. We use this in the acl.html.in file, to pull the table of permissions for each libvirt object. This table is autogenerated from the enums in src/access/viraccessperms.h by the genaclperms.pl script.

newapi.xsl is modified so that the list of permissions checks shown against each API will link to the description of the permissions in acl.html

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
- 09 Aug, 2013 2 commits
Committed by Daniel P. Berrange
The virtlockd daemon supports an /etc/libvirt/virtlockd.conf config file, but we never installed a default config, nor created any augeas scripts. This change addresses that omission.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Daniel P. Berrange
Create a virtlockd.pod.in file containing the man page content for virtlockd.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
- 08 Aug, 2013 1 commit
Committed by Daniel P. Berrange
So that app developers / admins know what access control checks are performed for each API, this patch extends the API docs generator to include details of the ACLs for each.

The gendispatch.pl script is extended so that it generates a simple XML describing ACL rules, eg.

    <aclinfo>
      ...
      <api name='virConnectNumOfDomains'>
        <check object='connect' perm='search_domains'/>
        <filter object='domain' perm='getattr'/>
      </api>
      <api name='virDomainAttachDeviceFlags'>
        <check object='domain' perm='write'/>
        <check object='domain' perm='save' flags='!VIR_DOMAIN_AFFECT_CONFIG|VIR_DOMAIN_AFFECT_LIVE'/>
        <check object='domain' perm='save' flags='VIR_DOMAIN_AFFECT_CONFIG'/>
      </api>
      ...
    </aclinfo>

The newapi.xsl template loads the XML files containing the ACL rules and generates a short block of HTML for each API describing the parameter checks and return value filters (if any).

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
- 02 Aug, 2013 1 commit
Committed by Roman Bogorodskiy
* Move platform specific things (e.g. firewalling and route collision checks) into bridge_driver_platform
* Create two platform specific implementations:
  - bridge_driver_linux: Linux implementation using iptables, it's actually the code moved from bridge_driver.c
  - bridge_driver_nop: dumb implementation that does nothing

Signed-off-by: Eric Blake <eblake@redhat.com>
-
- 29 Jul, 2013 1 commit
Committed by Eric Blake
A VPATH build 'make check' was failing with:

    GEN check-driverimpls
    Can't open ../../src/../../src/lxc/lxc_monitor_protocol.h: No such file or directory at ../../src/check-driverimpls.pl line 29, <> line 27153.
    Can't open ../../src/../../src/lxc/lxc_monitor_protocol.c: No such file or directory at ../../src/check-driverimpls.pl line 29, <> line 27153.
    ...
    GEN check-aclrules
    cannot read ../../src/../../src/remote/remote_protocol.x at ../../src/check-aclrules.pl line 128.

because $(srcdir) was being prepended to file names that already included it.

* src/Makefile.am (check-driverimpls): Don't add srcdir twice.

Signed-off-by: Eric Blake <eblake@redhat.com>
-
- 23 Jul, 2013 1 commit
Committed by Laine Stump
util/virdbuspriv.h needed to be added to UTIL_SOURCES in the makefile.
-
- 22 Jul, 2013 1 commit
Committed by Daniel P. Berrange
To register virtual machines and containers with systemd-machined, and thus have cgroups auto-created, we need to talk over DBus. This is somewhat tedious code, so introduce a dedicated function to isolate the DBus call in one place.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
- 19 Jul, 2013 1 commit
Committed by Eric Blake
Makefiles are another easy file to enforce line limits. Mostly straightforward; interesting tricks worth noting:
src/Makefile.am: $(confdir) was already defined, use it in more places
tests/Makefile.am: path_add and VG required some interesting compression

* cfg.mk (sc_prohibit_long_lines): Add another test.
* Makefile.am: Fix offenders.
* daemon/Makefile.am: Likewise.
* docs/Makefile.am: Likewise.
* python/Makefile.am: Likewise.
* src/Makefile.am: Likewise.
* tests/Makefile.am: Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
-
- 18 Jul, 2013 1 commit
Committed by Michal Privoznik
-
- 03 Jul, 2013 2 commits
Committed by Daniel P. Berrange
The 'check-aclrules' test case validates that there are ACL checks in each method. This extends it so that it can also validate that methods which return info about lists of objects, will filter their returned info through an ACL check.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Eric Blake
On a mingw VPATH build (such as done by ./autobuild.sh), the tarball created by 'make dist' was including generated files. The VPATH rules were then seeing that the tarball files were up-to-date, and not regenerating files locally, leading to this failure:

    GEN libvirt.syms
    cat: libvirt_access.syms: No such file or directory
    cat: libvirt_access_qemu.syms: No such file or directory
    cat: libvirt_access_lxc.syms: No such file or directory
    make: *** [libvirt.syms] Error 1

We already have a category for generated sym files, which are intentionally not part of the tarball; stick the access sym files in that category. Then rearrange the declarations a bit to make it harder to repeat the problem, dropping things that are now redundant (for example, BUILT_FILES already includes GENERATED_SYM_FILES, so it does not also need to call out ACCESS_DRIVER_SYM_FILES).

* src/Makefile.am (USED_SYM_FILES): Don't include generated files.
(GENERATED_SYM_FILES): Access syms files are generated.
(libvirt.syms): Include access syms files here.
(ACCESS_DRIVER_SYMFILES): Rename...
(ACCESS_DRIVER_SYM_FILES): ...for consistency.

Signed-off-by: Eric Blake <eblake@redhat.com>
-
- 02 Jul, 2013 1 commit
Committed by Eric Blake
On mingw, configure sets the name of the lxc symfile to libvirt_lxc.defs rather than libvirt_lxc.syms. But tarballs must be arch-independent, regardless of the configure options used for the tree where we ran 'make dist'. This led to the following failure in autobuild.sh:

    CCLD libvirt-lxc.la
    CCLD libvirt-qemu.la
    /usr/lib64/gcc/i686-w64-mingw32/4.7.2/../../../../i686-w64-mingw32/bin/ld: cannot find libvirt_lxc.def: No such file or directory
    collect2: error: ld returned 1 exit status
    make[3]: *** [libvirt-lxc.la] Error 1
    make[3]: *** Waiting for unfinished jobs....

We were already doing the right thing with libvirt_qemu.syms.

* src/Makefile.am (EXTRA_DIST): Don't ship a built file which depends on configure for its final name.

Signed-off-by: Eric Blake <eblake@redhat.com>
-
- 28 Jun, 2013 1 commit
Committed by Viktor Mihajlovski
VPATH build failed for the generated access driver files.

Signed-off-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
-
- 25 Jun, 2013 1 commit
Committed by Jiri Denemark
-
- 24 Jun, 2013 15 commits
Committed by Daniel P. Berrange
Add a script which parses the driver API code and validates that every API registered in a virNNNDriverPtr table contains an ACL check matching the API name.

NB this currently whitelists a few xen driver functions which are temporarily lacking in access control checks. The xen driver is considered insecure until these are fixed.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
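
A simplified sketch of the kind of check the commit above describes, added here as an example; it is not part of the commit and not the project's own script. The `demo*` driver source, the line-based parsing and the field-to-API naming rule (`domainFoo` maps to `virDomainFoo`) are assumptions made for illustration.

```python
import re
# Constructed driver source in libvirt's layout; scanned as text, never compiled.
SAMPLE_DRIVER_C = '''
static int
demoDomainSuspend(virDomainPtr dom)
{
    return virDomainSuspendEnsureACL(dom->conn, def) < 0 ? -1 : demoSuspend(dom);
}
static int
demoDomainResume(virDomainPtr dom)
{   /* copy/paste slip: guards with another API's permission */
    return virDomainSuspendEnsureACL(dom->conn, def) < 0 ? -1 : demoResume(dom);
}
static int
demoDomainReboot(virDomainPtr dom)
{
    return demoReboot(dom);  /* no ACL check at all */
}
static virDriver demoDriver = {
    .domainSuspend = demoDomainSuspend,
    .domainResume = demoDomainResume,
    .domainReboot = demoDomainReboot,
};
'''

FUNC_START = re.compile(r'^(\w+)\(')                  # definition at column 0
ACL_CALL = re.compile(r'\b(\w+)EnsureACL\s*\(')       # captures the API name
TABLE_START = re.compile(r'^static\s+vir\w*Driver\s+\w+\s*=\s*\{')
TABLE_ENTRY = re.compile(r'^\s*\.(\w+)\s*=\s*(\w+)\s*,')

def find_missing_acl_checks(source):
    """Return (api, impl) pairs whose impl never calls <api>EnsureACL."""
    acls, current, in_table, missing = {}, None, False, []
    for line in source.splitlines():
        entry, func = TABLE_ENTRY.match(line), FUNC_START.match(line)
        if TABLE_START.match(line):
            in_table = True
        elif line.startswith('}'):            # end of a function or table
            current, in_table = None, False
        elif in_table and entry:
            # Assumed naming rule: field domainFoo -> public API virDomainFoo
            api = 'vir' + entry.group(1)[0].upper() + entry.group(1)[1:]
            if api not in acls.get(entry.group(2), set()):
                missing.append((api, entry.group(2)))
        elif func:
            current = func.group(1)
        elif current:
            acls.setdefault(current, set()).update(ACL_CALL.findall(line))
    return missing
```

Run as a build-time gate, a non-empty result fails the build, so an entry point with a missing or mismatched check is caught before it ships.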
-
Committed by Daniel P. Berrange
Insert calls to the ACL checking APIs in all secrets driver entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Daniel P. Berrange
Insert calls to the ACL checking APIs in all nwfilter driver entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Daniel P. Berrange
Insert calls to the ACL checking APIs in all node device driver entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Daniel P. Berrange
Insert calls to the ACL checking APIs in all interface driver entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Daniel P. Berrange
Insert calls to the ACL checking APIs in all network driver entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Daniel P. Berrange
Insert calls to the ACL checking APIs in all storage driver entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Daniel P. Berrange
Insert calls to the ACL checking APIs in all libxl driver entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Daniel P. Berrange
Insert calls to the ACL checking APIs in all Xen driver entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Daniel P. Berrange
Insert calls to the ACL checking APIs in all UML driver entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Daniel P. Berrange
Insert calls to the ACL checking APIs in all LXC driver entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Daniel P. Berrange
Insert calls to the ACL checking APIs in all QEMU driver entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Daniel P. Berrange
Extend the 'gendispatch.pl' script to be able to generate three new types of file.

- 'aclheader' - defines signatures of helper APIs for doing authorization checks. There is one helper API for each API requiring an auth check. Any @acl annotations result in a method being generated with a suffix of 'EnsureACL'. If the ACL check requires examination of flags, an extra 'flags' param will be present. Some examples

    extern int virConnectBaselineCPUEnsureACL(void);
    extern int virConnectDomainEventDeregisterEnsureACL(virDomainDefPtr domain);
    extern int virDomainAttachDeviceFlagsEnsureACL(virDomainDefPtr domain, unsigned int flags);

  Any @aclfilter annotations result in a method being generated with a suffix of 'CheckACL'.

    extern int virConnectListAllDomainsCheckACL(virDomainDefPtr domain);

  These are used for filtering individual objects from APIs which return a list of objects

- 'aclbody' - defines the actual implementation of the methods described above. This calls into the access manager APIs. A complex example:

    /* Returns: -1 on error (denied==error), 0 on allowed */
    int virDomainAttachDeviceFlagsEnsureACL(virConnectPtr conn,
                                            virDomainDefPtr domain,
                                            unsigned int flags)
    {
        virAccessManagerPtr mgr;
        int rv;

        if (!(mgr = virAccessManagerGetDefault()))
            return -1;

        if ((rv = virAccessManagerCheckDomain(mgr,
                                              conn->driver->name,
                                              domain,
                                              VIR_ACCESS_PERM_DOMAIN_WRITE)) <= 0) {
            virObjectUnref(mgr);
            if (rv == 0)
                virReportError(VIR_ERR_ACCESS_DENIED, NULL);
            return -1;
        }
        if (((flags & (VIR_DOMAIN_AFFECT_CONFIG|VIR_DOMAIN_AFFECT_LIVE)) == 0) &&
            (rv = virAccessManagerCheckDomain(mgr,
                                              conn->driver->name,
                                              domain,
                                              VIR_ACCESS_PERM_DOMAIN_SAVE)) <= 0) {
            virObjectUnref(mgr);
            if (rv == 0)
                virReportError(VIR_ERR_ACCESS_DENIED, NULL);
            return -1;
        }
        if (((flags & (VIR_DOMAIN_AFFECT_CONFIG)) == (VIR_DOMAIN_AFFECT_CONFIG)) &&
            (rv = virAccessManagerCheckDomain(mgr,
                                              conn->driver->name,
                                              domain,
                                              VIR_ACCESS_PERM_DOMAIN_SAVE)) <= 0) {
            virObjectUnref(mgr);
            if (rv == 0)
                virReportError(VIR_ERR_ACCESS_DENIED, NULL);
            return -1;
        }
        virObjectUnref(mgr);
        return 0;
    }

- 'aclsyms' - generates a linker script to export the APIs to drivers. Some examples

    virConnectBaselineCPUEnsureACL;
    virConnectCompareCPUEnsureACL;

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Daniel P. Berrange
Add an access control driver that uses the pkcheck command to check authorization requests. This is fairly inefficient, particularly for cases where an API returns a list of objects and needs to check permission for each object.

It would be desirable to use the polkit API but this links to glib with abort-on-OOM behaviour, so can't be used. The other alternative is to speak to dbus directly

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Daniel P. Berrange
This patch introduces the virAccessManagerPtr class as the interface between virtualization drivers and the access control drivers. The viraccessperm.h file defines the various permissions that will be used for each type of object libvirt manages

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
- 07 Jun, 2013 1 commit
Committed by ryan woodsmall
A few things have changed in the VirtualBox API - some small (capitalizations of things in function names like Ip to IP and Dhcp to DHCP) and some much larger (FindMedium is superseded by OpenMedium). The biggest change for the sake of this patch is the signature of CreateMachine is quite a bit different. Using the Oracle source as a guide, to spin up a VM with a given UUID, it looks like a text flag has to be passed in a new argument to CreateMachine. This flag is built in the VirtualBox 4.2 specific ifdefs and is kind of ugly but works. Additionally, there is now (unused) VM groups support in CreateMachine and the previous 'osTypeId' arg is currently set to nsnull as in the Oracle code.

The FindMedium to OpenMedium changes were more straightforward and are pretty clear. The rest of the vbox template changes are basically spelling/capitalization changes from the looks of things.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
- 31 May, 2013 1 commit
Committed by Eric Blake
Commit d671121d was incomplete; I hit another compile fail on cygwin not finding the correct rpc/rpc.h.

* src/Makefile.am (virtlockd_CFLAGS): Add XDR_CFLAGS.

Signed-off-by: Eric Blake <eblake@redhat.com>
-
- 30 May, 2013 1 commit
Committed by Eric Blake
On cygwin, the build failed with:

    In file included from ./rpc/virnetmessage.h:24:0,
                     from ./rpc/virnetclient.h:29,
                     from locking/lock_driver_lockd.c:31:
    ./rpc/virnetprotocol.h:9:21: fatal error: rpc/rpc.h: No such file or directory

* src/Makefile.am (lockd_la_CFLAGS): Add XDR_CFLAGS.

Signed-off-by: Eric Blake <eblake@redhat.com>
-
- 21 May, 2013 1 commit
Committed by Eric Blake
Several files called out COPYING or COPYING.LIB instead of using the normal boilerplate. It's especially important that we don't call out COPYING from an LGPL file, since COPYING is traditionally used for the GPL. A few files were lacking copyright altogether.

* src/rpc/gendispatch.pl: Add missing copyright.
* Makefile.nonreentrant: Likewise.
* src/check-symfile.pl: Likewise.
* src/check-symsorting.pl: Likewise.
* src/driver.h: Likewise.
* src/internal.h: Likewise.
* tools/libvirt-guests.sh.in: Likewise.
* tools/virt-pki-validate.in: Mention copyright in comment, not just code.
* tools/virt-sanlock-cleanup.in: Likewise.
* src/rpc/genprotocol.pl: Spell out license terms.
* src/xen/xend_internal.h: Likewise.
* src/xen/xend_internal.c: Likewise.
* Makefile.am: Likewise.
* daemon/Makefile.am: Likewise.
* docs/Makefile.am: Likewise.
* docs/schemas/Makefile.am: Likewise.
* examples/apparmor/Makefile.am: Likewise.
* examples/domain-events/events-c/Makefile.am: Likewise.
* examples/dominfo/Makefile.am: Likewise.
* examples/domsuspend/Makefile.am: Likewise.
* examples/hellolibvirt/Makefile.am: Likewise.
* examples/openauth/Makefile.am: Likewise.
* examples/python/Makefile.am: Likewise.
* examples/systemtap/Makefile.am: Likewise.
* examples/xml/nwfilter/Makefile.am: Likewise.
* gnulib/lib/Makefile.am: Likewise.
* gnulib/tests/Makefile.am: Likewise.
* include/Makefile.am: Likewise.
* include/libvirt/Makefile.am: Likewise.
* python/Makefile.am: Likewise.
* python/tests/Makefile.am: Likewise.
* src/Makefile.am: Likewise.
* tests/Makefile.am: Likewise.
* tools/Makefile.am: Likewise.
* configure.ac: Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
-
- 16 May, 2013 2 commits
Committed by Daniel P. Berrange
Change the build process & driver initialization so that the VirtualBox driver is built into libvirtd, instead of libvirt.so

This change avoids the VirtualBox GPLv2-only license causing compatibility problems with libvirt.so which is under the GPLv2-or-later license.

NB this change prevents use of the VirtualBox driver on the Windows platform, until such time as libvirtd can be made to work there.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-
Committed by Jiri Denemark
DRIVER_SOURCE_FILES mixes files with absolute path (inherited from REMOTE_DRIVER_GENERATED) with file paths that are relative to srcdir but check-driverimpls.pl needs full paths.
-