1. 01 Dec, 2012 6 commits
    • Add APIs for talking to init via /dev/initctl · c4ef575c
      Daniel P. Berrange committed on
      To be able to do controlled shutdown/reboot of containers an
      API to talk to init via /dev/initctl is required. Fortunately
      this is quite straightforward to implement, and is supported
      by both sysvinit and systemd. Upstart support for /dev/initctl
      is unclear.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      c4ef575c
    • D
      a21f5112
    • Quote client identity in SASL whitelist log message · 07da0a6b
      Daniel P. Berrange committed on
      When seeing a message
      
       virNetSASLContextCheckIdentity:146 : SASL client admin not allowed in whitelist
      
      it isn't immediately obvious that 'admin' is the identity
      being checked. Quote the string to make it more obvious
      07da0a6b
    • qemu: Fix up the default machine type for QMP probing · 3c465728
      Viktor Mihajlovski committed on
      The default machine type must be stored in the first element of
      the caps->machineTypes array. This was done for help output
      parsing but not for QMP probing.
      
      Added a helper function qemuSetDefaultMachine to apply the same
      fix up for both probing methods.
      
      Further, it was necessary to set caps->nmachineTypes after QMP
      probing.
      Signed-off-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
      3c465728
    • G
    • qemu: don't attempt undefined QMP commands · 3d7f6649
      Eric Blake committed on
      https://bugzilla.redhat.com/show_bug.cgi?id=872292
      
      Libvirt should not attempt to call a QMP command that has not been
      documented in qemu.git - if future qemu introduces a command by the
      same name but with subtly different semantics, then libvirt will be
      broken when trying to use that command.
      
      We also had some code that could never be reached - some of our
      commands have an alternate for new vs. old qemu HMP commands; but
      if we are new enough to support QMP, we only need a fallback to
      the new HMP counterpart, and don't need to try for a QMP counterpart
      for the old HMP version.
      
      See also this attempt to convert the three snapshot commands to QMP:
      https://lists.gnu.org/archive/html/qemu-devel/2012-07/msg01597.html
      although it looks like that will still not happen before qemu 1.3.
      That thread eventually decided that qemu would use the name
      'save-vm' rather than 'savevm', which mitigates the fact that
      libvirt's attempt to use a QMP 'savevm' would be broken, but we
      might not be as lucky on the other commands.
      
      * src/qemu/qemu_monitor_json.c (qemuMonitorJSONSetCPU)
      (qemuMonitorJSONAddDrive, qemuMonitorJSONDriveDel)
      (qemuMonitorJSONCreateSnapshot, qemuMonitorJSONLoadSnapshot)
      (qemuMonitorJSONDeleteSnapshot): Use only HMP fallback for now.
      (qemuMonitorJSONAddHostNetwork, qemuMonitorJSONRemoveHostNetwork)
      (qemuMonitorJSONAttachDrive, qemuMonitorJSONGetGuestDriveAddress):
      Delete; QMP implies QEMU_CAPS_DEVICE, which prefers AddNetdev,
      RemoveNetdev, and AddDrive anyways (qemu_hotplug.c has all callers).
      * src/qemu/qemu_monitor.c (qemuMonitorAddHostNetwork)
      (qemuMonitorRemoveHostNetwork, qemuMonitorAttachDrive): Reflect
      deleted commands.
      * src/qemu/qemu_monitor_json.h (qemuMonitorJSONAddHostNetwork)
      (qemuMonitorJSONRemoveHostNetwork, qemuMonitorJSONAttachDrive):
      Likewise.
      3d7f6649
  2. 30 Nov, 2012 16 commits
    • storage: fix scsi detach regression with cgroup ACLs · ddd103d3
      Eric Blake committed on
      https://bugzilla.redhat.com/show_bug.cgi?id=876828
      
      Commit 38c4a9cc introduced a regression in hot unplugging of disks
      from qemu, where cgroup device ACLs were no longer being revoked
      (thankfully not a security hole: cgroup ACLs only prevent open()
      of the disk; so reverting the ACL prevents future abuse but doesn't
      stop abuse from an fd that was already opened before the ACL change).
      
      Commit 1b2ebf95 overlooked that there were two spots affected.
      
      * src/qemu/qemu_hotplug.c (qemuDomainDetachDiskDevice):
      Transfer backing chain before deletion.
      * src/qemu/qemu_driver.c (qemuDomainDetachDeviceDiskLive): Fix
      spacing (partly to ensure a different-looking patch).
      ddd103d3
    • nwfilter: report an error on OOM · 4f9af085
      Ján Tomko committed on
      Also removed some unreachable code found by coverity:
      libvirt-0.10.2/src/nwfilter/nwfilter_driver.c:259: unreachable: This
      code cannot be reached: "nwfilterDriverUnlock(driver...".
      4f9af085
    • virsh: check the return value of virStoragePoolGetAutostart · e9d74a7a
      Ján Tomko committed on
      On error, virStoragePoolGetAutostart would return -1 leaving autostart
      untouched.
      
      Removed the misleading debug message as well.
      
      Error: CHECKED_RETURN (CWE-252):
      libvirt-0.10.2/tools/virsh-pool.c:1386: unchecked_value: No check of the
          return value of "virStoragePoolGetAutostart(pool, &autostart)".
      e9d74a7a
    • qemu: Refactor error reporting in qemu driver configuration parser · 6c5c4b8d
      Peter Krempa committed on
      This patch adds two labels and gets rid of a ton of duplicated code.
      This patch also fixes some error messages and switches most of them to
      proper error reporting functions.
      6c5c4b8d
    • qemu: Refactor config parameter retrieval · 7aba113c
      Peter Krempa committed on
      This patch adds macros to help retrieve configuration values from qemu
      driver's configuration. Some configuration options are grouped
      together in the process.
      7aba113c
    • network: use dnsmasq --bind-dynamic when available · 753ff83a
      Laine Stump committed on
      This bug resolves CVE-2012-3411, which is described in the following
      bugzilla report:
      
        https://bugzilla.redhat.com/show_bug.cgi?id=833033
      
      The following report is specifically for libvirt on Fedora:
      
        https://bugzilla.redhat.com/show_bug.cgi?id=874702
      
      In short, a dnsmasq instance run with the intention of listening for
      DHCP/DNS requests only on a libvirt virtual network (which is
      constructed using a Linux host bridge) would also answer queries sent
      from outside the virtualization host.
      
      This patch takes advantage of a new dnsmasq option "--bind-dynamic",
      which will cause the listening socket to be set up such that it will
      only receive those requests that actually come in via the bridge
      interface. In order for this behavior to actually occur, not only must
      "--bind-interfaces" be replaced with "--bind-dynamic", but also all
      "--listen-address" options must be replaced with a single
      "--interface" option. Fully:
      
         --bind-interfaces --except-interface lo --listen-address x.x.x.x ...
      
      (with --listen-address possibly repeated) is replaced with:
      
         --bind-dynamic --interface virbrX
      
      Of course libvirt can't use this new option if the host's dnsmasq
      doesn't have it, but we still want libvirt to function (because the
      great majority of libvirt installations, which only have mode='nat'
      networks using RFC1918 private address ranges (e.g. 192.168.122.0/24),
      are immune to this vulnerability from anywhere beyond the local subnet
      of the host), so we use the new dnsmasqCaps API to check if dnsmasq
      supports the new option and, if not, we use the "old" option style
      instead. In order to assure that this permissiveness doesn't lead to a
      vulnerable system, we do check for non-private addresses in this case,
      and refuse to start the network if both a) we are using the old-style
      options, and b) the network has a publicly routable IP
      address. Hopefully this will provide the proper balance of not being
      disruptive to those not practically affected, and making sure that
      those who *are* affected get their dnsmasq upgraded.
      
      (--bind-dynamic was added to dnsmasq in upstream commit
      54dd393f3938fc0c19088fbd319b95e37d81a2b0, which was included in
      dnsmasq-2.63)
      753ff83a
    • util: new virSocketAddrIsPrivate function · bf402e77
      Laine Stump committed on
      This new function returns true if the given address is in the range of
      any "private" or "local" networks as defined in RFC1918 (IPv4) or
      RFC3484/RFC4193 (IPv6), otherwise it returns false.
      
      These ranges are:
      
         192.168.0.0/16
         172.16.0.0/16
         10.0.0.0/24
         FC00::/7
         FEC0::/10
      bf402e77
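
The option selection described in the two commit messages above (753ff83a and bf402e77), as an added C example that is not libvirt's code. Function names, return codes and the sample addresses are constructed for illustration; the address check is IPv4-only and uses the RFC 1918 prefixes 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { BIND_OK = 0, BIND_REFUSED = -1, BIND_TOO_LONG = -2 };

/* IPv4-only RFC 1918 test; unparsable input is treated as not private. */
static bool ipv4_is_private(const char *addr)
{
    struct in_addr in;
    if (inet_pton(AF_INET, addr, &in) != 1)
        return false;
    uint32_t v = ntohl(in.s_addr);
    return (v & 0xFF000000u) == 0x0A000000u      /* 10.0.0.0/8 */
        || (v & 0xFFF00000u) == 0xAC100000u      /* 172.16.0.0/12 */
        || (v & 0xFFFF0000u) == 0xC0A80000u;     /* 192.168.0.0/16 */
}

/* Write the dnsmasq bind options for one virtual network into buf.
 * Hypothetical helper: has_bind_dynamic stands in for the capability probe. */
static int build_bind_args(bool has_bind_dynamic, const char *bridge,
                           const char *const *addrs, size_t naddrs,
                           char *buf, size_t len)
{
    int n = has_bind_dynamic
        ? snprintf(buf, len, "--bind-dynamic --interface %s", bridge)
        : snprintf(buf, len, "--bind-interfaces --except-interface lo");
    if (n < 0 || (size_t)n >= len)
        return BIND_TOO_LONG;
    size_t off = (size_t)n;
    /* Old-style options only: every listen address must be private. */
    for (size_t i = 0; !has_bind_dynamic && i < naddrs; i++) {
        if (!ipv4_is_private(addrs[i]))
            return BIND_REFUSED;   /* old options + routable address */
        n = snprintf(buf + off, len - off, " --listen-address %s", addrs[i]);
        if (n < 0 || (size_t)n >= len - off)
            return BIND_TOO_LONG;
        off += (size_t)n;
    }
    return BIND_OK;
}

int main(void)
{
    const char *addrs[] = { "192.168.122.1", "203.0.113.1" }; /* constructed */
    char buf[256];
    int rc = build_bind_args(false, "virbr0", addrs, 2, buf, sizeof buf);
    printf("rc=%d\n", rc);
    return 0;
}
```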
    • util: capabilities detection for dnsmasq · 719c2c76
      Laine Stump committed on
      In order to optionally take advantage of new features in dnsmasq when
      the host's version of dnsmasq supports them, but still be able to run
      on hosts that don't support the new features, we need to be able to
      detect the version of dnsmasq running on the host, and possibly
      determine from the help output what options are in this dnsmasq.
      
      This patch implements a greatly simplified version of the capabilities
      code we already have for qemu. A dnsmasqCaps device can be created and
      populated either from running a program on disk, reading a file with
      the concatenated output of "dnsmasq --version; dnsmasq --help", or
      examining a buffer in memory that contains the concatenated output of
      those two commands. Simple functions to retrieve capabilities flags,
      the version number, and the path of the binary are also included.
      
      bridge_driver.c creates a single dnsmasqCaps object at driver startup,
      and disposes of it at driver shutdown. Any time it must be used, the
      dnsmasqCapsRefresh method is called - it checks the mtime of the
      binary, and re-runs the checks if the binary has changed.
      
      networkxml2argvtest.c creates 2 "artificial" dnsmasqCaps objects at
      startup - one "restricted" (doesn't support --bind-dynamic) and one
      "full" (does support --bind-dynamic). Some of the test cases use one
      and some the other, to make sure both code paths are tested.
      719c2c76
    • conf: fix uninitialized variable in virDomainListSnapshots · 892582f9
      Ján Tomko committed on
      If allocation of names fails, list is uninitialized.
      892582f9
    • rpc: don't destroy xdr before creating it in virNetMessageEncodeHeader · 6e1fc355
      Ján Tomko committed on
      On OOM, xdr_destroy got called even though it wasn't created yet.
      
      Found by coverity:
      Error: UNINIT (CWE-457):
          libvirt-0.10.2/src/rpc/virnetmessage.c:214: var_decl: Declaring
          variable "xdr" without initializer.
          libvirt-0.10.2/src/rpc/virnetmessage.c:219: cond_true: Condition
          "virReallocN(&msg->buffer, 1UL /* sizeof (*msg->buffer) */,
          msg->bufferLength) < 0", taking true branch
          libvirt-0.10.2/src/rpc/virnetmessage.c:221: goto: Jumping to label
          "cleanup"
          libvirt-0.10.2/src/rpc/virnetmessage.c:257: label: Reached label
          "cleanup"
          libvirt-0.10.2/src/rpc/virnetmessage.c:258: uninit_use: Using
          uninitialized value "xdr.x_ops".
      6e1fc355
    • virsh: do timing even for unusable connections · 8b235d40
      Ján Tomko committed on
      Time values were uninitialized if the connection wasn't usable.
      8b235d40
    • virsh: use correct sizeof when allocating cpumap · dc04b2a7
      Ján Tomko committed on
      Found by coverity:
      Error: SIZEOF_MISMATCH (CWE-569):
          libvirt-0.10.2/tools/virsh-domain.c:4754: suspicious_sizeof: Passing
          argument "8UL /* sizeof (cpumap) */" to function
          "_vshCalloc(vshControl *, size_t, size_t, char const *, int)" and
          then casting the return value to "unsigned char *" is suspicious.
      
      Error: SIZEOF_MISMATCH (CWE-569):
          libvirt-0.10.2/tools/virsh-domain.c:4942: suspicious_sizeof: Passing
          argument "8UL /* sizeof (cpumap) */" to function
          "_vshCalloc(vshControl *, size_t, size_t, char const *, int)" and
          then casting the return value to "unsigned char *" is suspicious.
      dc04b2a7
    • util: fix virBitmap allocation in virProcessInfoGetAffinity · 7730257d
      Ján Tomko committed on
      Found by coverity:
      Error: REVERSE_INULL (CWE-476):
          libvirt-0.10.2/src/util/processinfo.c:141: deref_ptr: Directly
          dereferencing pointer "map".
          libvirt-0.10.2/src/util/processinfo.c:142: check_after_deref:
          Null-checking "map" suggests that it may be null, but it has already
          been dereferenced on all paths leading to the check.
      7730257d
    • conf: fix NULL check in virNetDevBandwidthParse · d5e88425
      Ján Tomko committed on
      Found by coverity:
      Error: REVERSE_INULL (CWE-476):
          libvirt-0.10.2/src/conf/netdev_bandwidth_conf.c:99: deref_ptr:
          Directly dereferencing pointer "node".
          libvirt-0.10.2/src/conf/netdev_bandwidth_conf.c:107:
          check_after_deref: Null-checking "node" suggests that it may be
          null, but it has already been dereferenced on all paths leading to
          the check.
      d5e88425
    • Turn some dual-state int parameters into booleans · f4ea67f5
      Daniel P. Berrange committed on
      The virStateInitialize method and several cgroups methods were
      using an 'int privileged' parameter or similar for dual-state
      values. These are better represented with the bool type.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      f4ea67f5
    • Introduce a 'stop' method to virDriverState · d442ee23
      Daniel P. Berrange committed on
      To allow actions to be performed in libvirtd when the host
      shuts down, or user session exits, introduce a 'stop'
      method to virDriverState. This will do things like saving
      the VM state to a file.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
      d442ee23
  3. 29 Nov, 2012 18 commits