When the drivers acquire their pidfile lock we don't want to wait if the
lock is already held. We need the driver to immediately report error,
causing the daemon to exit.
Reviewed-by: NErik Skultety <eskultet@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

When we allow multiple instances of the driver for the same user
account, using a separate root directory, we need to ensure mutual
exclusion. Use a pidfile to guarantee this.

In privileged libvirtd this ends up locking

   /var/run/libvirt/interface/driver.pid

In unprivileged libvirtd this ends up locking

  /run/user/$UID/libvirt/interface/run/driver.pid

NB, the latter can vary depending on $XDG_RUNTIME_DIR
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Instead of repetitive:
  s ? s : ""
use NULLSTR_EMPTY.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NAndrea Bolognani <abologna@redhat.com>

Missing semicolon at the end of macros can confuse some analyzers
(like cppcheck <filename>). VIR_ONCE_GLOBAL_INIT is almost
exclusively called without an ending semicolon, but let's
standardize on using one like the other macros.

Add a dummy struct definition at the end of the macro, so
the compiler will require callers to add a semicolon.
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
Signed-off-by: NCole Robinson <crobinso@redhat.com>

In many files there are header comments that contain an Author:
statement, supposedly reflecting who originally wrote the code.
In a large collaborative project like libvirt, any non-trivial
file will have been modified by a large number of different
contributors. IOW, the Author: comments are quickly out of date,
omitting people who have made significant contribitions.

In some places Author: lines have been added despite the person
merely being responsible for creating the file by moving existing
code out of another file. IOW, the Author: lines give an incorrect
record of authorship.

With this all in mind, the comments are useless as a means to identify
who to talk to about code in a particular file. Contributors will always
be better off using 'git log' and 'git blame' if they need to  find the
author of a particular bit of code.

This commit thus deletes all Author: comments from the source and adds
a rule to prevent them reappearing.

The Copyright headers are similarly misleading and inaccurate, however,
we cannot delete these as they have legal meaning, despite being largely
inaccurate. In addition only the copyright holder is permitted to change
their respective copyright statement.
Reviewed-by: NErik Skultety <eskultet@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

So far we are repeating the following lines over and over:

  if (!(virSomeObjectClass = virClassNew(virClassForObject(),
                             "virSomeObject",
                             sizeof(virSomeObject),
                             virSomeObjectDispose)))
      return -1;

While this works, it is impossible to do some checking. Firstly,
the class name (the 2nd argument) doesn't match the name in the
code in all cases (the 3rd argument). Secondly, the current style
is needlessly verbose. This commit turns example into following:

  if (!(VIR_CLASS_NEW(virSomeObject,
                      virClassForObject)))
      return -1;
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>

Ensuring that we don't call the virDrvConnectOpen method with a NULL URI
means that the drivers can drop various checks for NULL URIs. These were
not needed anymore since the probe functionality was split
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Declare what URI schemes a driver supports in its virConnectDriver
struct. This allows us to skip trying to open the driver entirely
if the URI scheme doesn't match.
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Add a localOnly flag to the virConnectDriver struct which allows a
driver to indicate whether it is local-only, or permits remote
connections. Stateful drivers running inside libvirtd are generally
local only. This allows us to remote the check for uri->server != NULL
from most drivers.
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Allow the possibility of opening a connection to only the interface
driver, by defining interface:///system and interface:///session URIs
and registering a fake hypervisor driver that supports them.

The hypervisor drivers can now directly open a interface driver
connection at time of need, instead of having to pass around a
virConnectPtr through many functions. This will facilitate the later
change to support separate daemons for each driver.
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

On virGetInterface failure, call virInterfaceDefFree for the @def.

Move all the InterfaceObj API's into their own module virinterfaceobj
from the interface_conf

Purely code motion at this point.

If a system has a large number of active or active interfaces, it can
be a big waste of time to retrieve and qualify all interfaces if the
caller only wanted one subset. Since netcf has a simple flag for this,
translate the libvirt flag into a netcf flag and let netcf pre-filter.

Getting the MAC address of an interface is actually fairly expensive,
and we've already gotten it and stored it into def, so just keep def
around a bit longer and retrieve it from there.

This reduces the time for "virsh iface-list --all" from 28 to 23
seconds when there are 400 interfaces.

The spec for virConnectListAllInterfaces says that if the pointer that
is supposed to hold the list of interfaces is NULL, the function
should just return the count of interfaces that matched the filter,
but the code never increments the count if the list pointer is NULL.

For stateless, client side drivers, it is never correct to
probe for secondary drivers. It is only ever appropriate to
use the secondary driver that is associated with the
hypervisor in question. As a result the ESX & HyperV drivers
have both been forced to do hacks where they register no-op
drivers for the ones they don't implement.

For stateful, server side drivers, we always just want to
use the same built-in shared driver. The exception is
virtualbox which is really a stateless driver and so wants
to use its own server side secondary drivers. To deal with
this virtualbox has to be built as 3 separate loadable
modules to allow registration to work in the right order.

This can all be simplified by introducing a new struct
recording the precise set of secondary drivers each
hypervisor driver wants

struct _virConnectDriver {
    virHypervisorDriverPtr hypervisorDriver;
    virInterfaceDriverPtr interfaceDriver;
    virNetworkDriverPtr networkDriver;
    virNodeDeviceDriverPtr nodeDeviceDriver;
    virNWFilterDriverPtr nwfilterDriver;
    virSecretDriverPtr secretDriver;
    virStorageDriverPtr storageDriver;
};

Instead of registering the hypervisor driver, we now
just register a virConnectDriver instead. This allows
us to remove all probing of secondary drivers. Once we
have chosen the primary driver, we immediately know the
correct secondary drivers to use.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Since virInterfaceFree will call virObjectUnref anyway, let's just use that
directly so as to avoid the possibility that we inadvertently clear out
a pending error message when using the public API.

The shared netcf driver is stateful and inside the daemon so
there is no need to use the networkPrivateData field to get the
driver handle. Just access the global driver handle directly.

C guarantees that static variables are zero-initialized.  Some older
compilers (and also gcc -fno-zero-initialized-in-bss) create larger
binaries if you explicitly zero-initialize a static variable.

* src/conf/nwfilter_conf.c: Fix initialization.
* src/cpu/cpu_x86.c: Likewise.
* src/interface/interface_backend_netcf.c: Likewise.
* src/locking/lock_daemon.c: Likewise.
* src/locking/lock_driver_lockd.c: Likewise.
* src/locking/lock_driver_sanlock.c: Likewise.
* src/network/bridge_driver.c: Likewise.
* src/node_device/node_device_udev.c: Likewise.
* src/nwfilter/nwfilter_learnipaddr.c: Likewise.
* src/rpc/virnetserver.c: Likewise.
* src/security/security_selinux.c
(virSecuritySELinuxGenSecurityLabel): Likewise.
Signed-off-by: NEric Blake <eblake@redhat.com>

Our style overwhelmingly uses hanging braces (the open brace
hangs at the end of the compound condition, rather than on
its own line), with the primary exception of the top level function
body.  Fix the few remaining outliers, before adding a syntax
check in a later patch.

* src/interface/interface_backend_netcf.c (netcfStateReload)
(netcfInterfaceClose, netcf_to_vir_err): Correct use of { in
compound statement.
* src/conf/domain_conf.c (virDomainHostdevDefFormatSubsys)
(virDomainHostdevDefFormatCaps): Likewise.
* src/network/bridge_driver.c (networkAllocateActualDevice):
Likewise.
* src/util/virfile.c (virBuildPathInternal): Likewise.
* src/util/virnetdev.c (virNetDevGetVirtualFunctions): Likewise.
* src/util/virnetdevmacvlan.c
(virNetDevMacVLanVPortProfileCallback): Likewise.
* src/util/virtypedparam.c (virTypedParameterAssign): Likewise.
* src/util/virutil.c (virGetWin32DirectoryRoot)
(virFileWaitForDevices): Likewise.
* src/vbox/vbox_common.c (vboxDumpNetwork): Likewise.
* tests/seclabeltest.c (main): Likewise.
Signed-off-by: NEric Blake <eblake@redhat.com>

Fix minor typos in source comments
Signed-off-by: NEric Blake <eblake@redhat.com>

Other drivers in libvirt (e.g. network, qemu) will automatically
return the "inactive" (persistent configuration) XML of an object when
that object is inactive. The netcf backend of the interface driver
would always try to return the live status XML of the interface, even
when it was down. Although netcf does return valid XML in that case,
for bond interfaces it is missing almost all of its content, including
the <bond> subelement itself, leading to this error message from
"virsh iface-dumpxml" of a bond interface that is inactive:

  error: XML error: bond interface misses the bond element

(this is because libvirt's validation of the XML returned by netcf
always requires a <bond> element be present).

This patch modifies the interface driver netcf backend to check if the
interface is inactive, and in that case always return the inactive XML
(which will always have a <bond> element, thus eliminating the error
message, as well as making operation more in line with other drivers.

This fixes the following bug:

  https://bugzilla.redhat.com/show_bug.cgi?id=878394

Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

Any source file which calls the logging APIs now needs
to have a VIR_LOG_INIT("source.name") declaration at
the start of the file. This provides a static variable
of the virLogSource type.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Coverity found an issue in lxc_driver and uml_driver that we don't
check the return value of register functions.

I've also updated all other places and unify the way we check the
return value.
Signed-off-by: NPavel Hrdina <phrdina@redhat.com>

Some of these are leftovers from renaming the files, others
are just typos.

Also introduce an ugly awk script to enforce this.

https://bugzilla.redhat.com/show_bug.cgi?id=956994

Currently, it is possible to start an interface that is already running:

 # virsh iface-start eth2
 Interface eth2 started

 # echo $?
 0

 # virsh iface-start eth2
 Interface eth2 started

 # echo $?
 0

 # virsh iface-start eth2
 Interface eth2 started

 # echo $?
 0

Same applies for destroying a dead interface. We should not allow such
state transitions.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

This function barely wraps ncf_if_status() and error handling code.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

netcfStateInitialize() initializes the driverState variable,
and when netcfStateCleanup is called, it will call virReportError()
if driverState is NULL.
This is not consistent with what other state objects are doing,
they return -1 without reporting an error in such cases.

See also
https://www.redhat.com/archives/libvir-list/2013-October/msg00809.html:

On Thu, Oct 17, 2013 at 01:40:19PM +0100, Daniel P. Berrange wrote:
> We don't want virStateCleanup to skip execution if virStateInitialize
> has failed though - every callback in virStateCleanup should be written
> to be safe if its corresponding init function hasn't run.

This resolves: https://bugzilla.redhat.com/show_bug.cgi?id=983026

The netcf interface driver previously had no state driver associated
with it - as a connection was opened, it would create a new netcf
instance just for that connection, and close it when it was
finished. the problem with this is that each connection to libvirt
used up a netlink socket, and there is a per process maximum of ~1000
netlink sockets.

The solution is to create a state driver to go along with the netcf
driver. The state driver will opens a netcf instance, then all
connections share that same netcf instance, thus only a single
netlink socket will be used no matter how many connections are mde to
libvirtd.

This was rather simple to do - a new virObjectLockable class is
created for the single driverState object, which is created in
netcfStateInitialize and contains the single netcf handle; instead of
creating a new object for each client connection, netcfInterfaceOpen
now just increments the driverState object's reference count and puts
a pointer to it into the connection's privateData. Similarly,
netcfInterfaceClose() just un-refs the driverState object (as does
netcfStateCleanup()), and virNetcfInterfaceDriverStateDispose()
handles closing the netcf instance. Since all the functions already
have locking around them, the static lock functions used by all
functions just needed to be changed to call virObjectLock() and
virObjectUnlock() instead of directly calling the virMutex* functions.

This better fits the modern naming scheme in libvirt, and anticipates
an upcoming change where a single instance of this state will be
maintained by a separate state driver, and every instance of the netcf
driver will share the same state.

Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Ensure that all APIs which list interface objects filter
them against the access control system.

This makes the APIs for listing names and counting devices
slightly less efficient, since we can't use the direct
netcf APIs for these tasks. Instead we have to ask netcf
for the full list of objects & iterate over the list
filtering them out.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

On Thu, Jun 27, 2013 at 03:56:42PM +0100, Daniel P. Berrange wrote:
> Hi Security Team,
>
> I've discovered a way for an unprivileged user with a readonly connection
> to libvirtd, to crash the daemon.

Ok, the final patch for this is issue will be the simpler variant that
Eric suggested

The embargo can be considered to be lifted on Monday July 1st, at
0900 UTC

The following is the GIT change that DV or myself will apply to libvirt
GIT master immediately before the 1.1.0 release:

>From 177b4165c531a4b3ba7f6ab6aa41dca9ceb0b8cf Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Fri, 28 Jun 2013 10:48:37 +0100
Subject: [PATCH] CVE-2013-2218: Fix crash listing network interfaces with
 filters

The virConnectListAllInterfaces method has a double-free of the
'struct netcf_if' object when any of the filtering flags cause
an interface to be skipped over. For example when running the
command 'virsh iface-list --inactive'

This is a regression introduced in release 1.0.6 by

  commit 7ac2c4fe
  Author: Guannan Ren <gren@redhat.com>
  Date:   Tue May 21 21:29:38 2013 +0800

    interface: list all interfaces with flags == 0
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Insert calls to the ACL checking APIs in all interface
driver entrypoints.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

virConnectListAllInterfaces should support to list all of
interfaces when the value of flags is 0. The behaviour is
consistent with other virConnectListAll* APIs

Ensure that all drivers implementing public APIs use a
naming convention for their implementation that matches
the public API name.

eg for the public API   virDomainCreate make sure QEMU
uses qemuDomainCreate and not qemuDomainStart
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>