1. 03 Apr, 2013 2 commits
    • Enable full RELRO mode · fc8c1787
      Daniel P. Berrange committed
      By passing the flags -z relro -z now to the linker, we can force
      it to resolve all library symbols at startup, instead of on-demand.
      This allows it to then make the global offset table (GOT) read-only,
      which makes some security attacks harder.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    • Build all binaries with PIE · 1150999c
      Daniel P. Berrange committed
      PIE (position independent executable) adds security to executables
      by composing them entirely of position-independent code (PIC). The
      .so libraries already build with -fPIC. This adds -fPIE which is
      the equivalent to -fPIC, but for executables. This allows Exec
      Shield to use address space layout randomization to prevent attackers
      from knowing where existing executable code is during a security
      attack using exploits that rely on knowing the offset of the
      executable code in the binary, such as return-to-libc attacks.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
  2. 21 Mar, 2013 1 commit
    • Fix linkage of virt-aa-helper with numa library · e053561e
      Daniel P. Berrange committed
      The recent commit moved some of the use of libnuma out of the
      driver code, and into src/util/. It did not, however, update
      libvirt_util.la to link against libnuma. This caused linkage
      failure with virt-aa-helper, since nothing else caused libnuma
      to be pulled onto the linker command line.
      
      The fix removes all reference to NUMACTL_LIBS/CFLAGS from the
      various modules in src/Makefile.am and just adds them to the
      libvirt_util.la module, which everything else depends on.
      
      Technically a build-breaker fix, but wanted to wait for feedback
      on this
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
  3. 20 Mar, 2013 2 commits
  4. 19 Mar, 2013 1 commit
  5. 14 Mar, 2013 2 commits
    • Fix deps for generating RPC dispatch code · 0946c5f5
      Daniel P. Berrange committed
      The src/lxc/lxc_*_dispatch.h files only had deps on the
      RPC generator script & the XDR definition file. So when
      the Makefile.am args passed to the generator were changed,
      the dispatch code was not re-generated. This caused a
      build failure
      
        CC       libvirt_lxc-lxc_controller.o
      lxc/lxc_controller.c: In function 'virLXCControllerSetupServer':
      lxc/lxc_controller.c:718:47: error: 'virLXCMonitorProcs' undeclared (first use in this function)
      lxc/lxc_controller.c:718:47: note: each undeclared identifier is reported only once for each function it appears in
      lxc/lxc_controller.c:719:47: error: 'virLXCMonitorNProcs' undeclared (first use in this function)
      make[3]: *** [libvirt_lxc-lxc_controller.o] Error 1
      
      For added fun, the generated files were not listed in
      CLEANFILES, so only a 'git clean -f' would fix the build
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    • Fix generation of systemtap probes for RPC protocols · 403594eb
      Daniel P. Berrange committed
      The naming used in the RPC protocols for the LXC monitor and
      lock daemon confused the script used to generate systemtap
      helper functions. Rename the LXC monitor protocol symbols to
      reduce confusion. Adapt the gensystemtap.pl script to cope
      with the LXC monitor / lock daemon naming conversions.
      
      This has no functional impact on RPC wire protocol, since
      names are only used in the C layer
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
  6. 13 Mar, 2013 2 commits
    • Use separate symbol file for GNUTLS symbols · 83d7e4e4
      Daniel P. Berrange committed
      A number of symbols are only present when GNUTLS is enabled.
      Thus we must use a separate libvirt_gnutls.syms file for them
      instead of libvirt_private.syms
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    • virCaps: conf: start splitting out irrelevant data · 27cf98e2
      Peter Krempa committed
      The virCaps structure gathered a ton of irrelevant data over time.
      The original reason is that it was propagated to the XML parser
      functions.
      
      This patch aims to create a new data structure virDomainXMLConf that
      will contain immutable data that are used by the XML parser. This will
      allow two things we need:
      
      1) Get rid of the stuff from virCaps
      
      2) Allow us to add callbacks to check and add driver specific stuff
      after domain XML is parsed.
      
      This first attempt removes pointers to private data allocation functions
      to this new structure and updates all callers and functions that require
      them.
  7. 23 Feb, 2013 1 commit
    • maint: check all symfiles for sorting · 91ffb42c
      Eric Blake committed
      On FreeBSD, I got a 'make check' failure:
        GEN    check-symsorting
      Symbol block at ./libvirt_atomic.syms:4: viratomic.h not found
      
      * src/Makefile.am (SYM_FILES): New define.
      (check-symsorting): Check on all symfiles, even when not used.
      * src/libvirt_atomic.syms: Fix offender.
  8. 20 Feb, 2013 1 commit
    • maint: enforce private symbol section sorting · 6ea7b3e8
      Eric Blake committed
      Automating a sorting check is the only way to ensure we don't
      regress.  Suggested by Dan Berrange.
      
      * src/check-symsorting.pl (check_sorting): Add a parameter,
      validate that groups are in order, and that files exist.
      * src/Makefile.am (check-symsorting): Adjust caller.
      * src/libvirt_private.syms: Fix typo.
      * src/libvirt_linux.syms: Fix file name.
      * src/libvirt_vmx.syms: Likewise.
      * src/libvirt_xenxs.syms: Likewise.
      * src/libvirt_sasl.syms: Likewise.
      * src/libvirt_libssh2.syms: Likewise.
      * src/libvirt_esx.syms: Mention file name.
      * src/libvirt_openvz.syms: Likewise.
  9. 16 Feb, 2013 1 commit
    • build: more mingw fixes · c51c3e45
      Eric Blake committed
      More mingw build failures:
      
        CCLD     libvirt-lxc.la
      /usr/lib64/gcc/i686-w64-mingw32/4.7.2/../../../../i686-w64-mingw32/bin/ld: cannot find libvirt_lxc.def: No such file or directory
      
        CC       virportallocatortest-virportallocatortest.o
      ../../tests/virportallocatortest.c: In function 'main':
      ../../tests/virportallocatortest.c:195:1: error: implicit declaration of function 'setenv' [-Werror=implicit-function-declaration]
      
      * src/Makefile.am (GENERATED_SYM_FILES): Also generate
      libvirt_lxc.def.
      * bootstrap.conf (gnulib_modules): Import setenv.
  10. 14 Feb, 2013 2 commits
    • util: add security label setting to virCommand · 6c3f3d0d
      Laine Stump committed
      virCommand gets two new APIs: virCommandSetSELinuxLabel() and
      virCommandSetAppArmorProfile(), which both save a copy of a
      null-terminated string in the virCommand. During virCommandRun, if the
      string is non-NULL and we've been compiled with AppArmor and/or
      SELinux security driver support, the appropriate security library
      function is called for the child process, using the string that was
      previously set. In the case of SELinux, setexeccon_raw() is called,
      and for AppArmor, aa_change_profile() is called.
      
      This functionality has been added so that users of virCommand can use
      the upcoming virSecurityManagerSetChildProcessLabel() prior to running
      a child process, rather than needing to setup a hook function to be
      called (and in turn call virSecurityManagerSetProcessLabel()) *during*
      the setup of the child process.
    • build: define SECDRIVER_LIBS in Makefile.am · 4a56e80f
      Laine Stump committed
      This makes it simpler to include the necessary system security driver
      libraries for a particular system. For this patch, several existing
      conditional sections from the Makefile were replaced; I'll later be
      adding SECDRIVER_LIBS to libvirt_util_la_LIBADD, because vircommand.c
      will be calling a function from $securitylib.
  11. 13 Feb, 2013 1 commit
    • util: add virendian.h macros · c6f1060c
      Eric Blake committed
      We have several cases where we need to read endian-dependent
      data regardless of host endianness; rather than open-coding
      these call sites, it will be nicer to funnel things through
      a macro.
      
      The virendian.h file can be expanded to add writer functions,
      and/or 16-bit access patterns, if needed.  Also, if we need
      to turn things into a function to avoid multiple evaluations
      of buf, that can be done later.  But for now, a macro worked.
      
      * src/util/virendian.h: New file.
      * src/Makefile.am (UTIL_SOURCES): Ship it.
      * tests/virendiantest.c: New test.
      * tests/Makefile.am (test_programs, virendiantest_SOURCES): Run
      the test.
      * .gitignore: Ignore built file.
  12. 05 Feb, 2013 1 commit
    • build: Add libcurl dependency to libvirt_driver.la · 514b9306
      Jiri Denemark committed
      libvirt.c calls curl_global_init() if WITH_CURL is defined and thus it
      should be linked with libcurl. This fixes link failure in case neither
      xenapi nor esx driver is enabled (they are the only users of libcurl).
  13. 16 Jan, 2013 2 commits
  14. 15 Jan, 2013 1 commit
  15. 14 Jan, 2013 7 commits
  16. 11 Jan, 2013 3 commits
    • Convert HAVE_SASL to WITH_SASL · 321a7d53
      Daniel P. Berrange committed
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    • Convert HAVE_SANLOCK to WITH_SANLOCK · 4da3000c
      Daniel P. Berrange committed
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
    • maint: don't distribute generated .def files · daa886b6
      Eric Blake committed
      I ran 'make dist' in the directory left over from ./autobuild.sh
      (which was configured for a mingw cross build); the resulting
      tarball had more files than 'make dist' on a normal Linux build.
      I traced it to the fact that we were distributing a generated
      file, but only when configure said the end user had to generate
      the file in the first place.  In the process, I noticed that
      we had some difference in symbol file names; I added a comment
      explaining why the difference exists (after first trying to
      normalize the names and hitting VPATH build failures).
      
      * configure.ac (LIBVIRT_QEMU_SYMBOL_FILE): Add some comments.
      * src/Makefile.am (EXTRA_DIST): No need to ship a generated file;
      particularly since which file is built depends on configure results.
  17. 09 Jan, 2013 1 commit
  18. 08 Jan, 2013 1 commit
  19. 07 Jan, 2013 3 commits
    • build: .service files don't need to be executable · 5ec4b22b
      Eric Blake committed
      See also commit 66ff2ddc, where we avoided installing these files
      as executables.
      
      * daemon/Makefile.am (libvirtd.service): Drop chmod.
      * tools/Makefile.am (libvirt-guests.service): Likewise.
      * src/Makefile.am (virtlockd.service, virtlockd.socket):
      Likewise.
    • build: properly substitute virtlockd.socket · cb854b8f
      Eric Blake committed
      virtlockd.service could be installed to a configurable root,
      but virtlockd.socket was hardcoded to installation into a
      distro.
      
      * src/Makefile.am (virtlockd.service, virtlockd.socket): Drop
      unused substitutions.
      * src/locking/virtlockd.socket.in (ListenStream): Don't hard-code
      /var.
    • build: use common .in replacement mechanism · 462a6962
      Eric Blake committed
      We had several different styles of .in conversion in our Makefiles:
      ALLCAPS, @ALLCAPS@, @lower@, ::lower::
      Canonicalize on one form, to make it easier to copy and paste
      between .in files.
      
      Also, we were using some non-portable sed constructs: \@ is an
      undefined escape sequence (it happens to be @ itself in GNU sed,
      but POSIX allows it to mean something else), as well as risky
      behavior (failure to consistently quote things means a space
      in $(sysconfdir) could throw things off; also, Autoconf recommends
      using | rather than , or ! in the s||| operator, because | has to
      be quoted in shell and is therefore less likely to appear in file
      names than , or !).
      
      Fix all of these uses to follow the same syntax.
      
      * daemon/libvirtd.8.in: Switch to @var@.
      * tools/virt-xml-validate.in: Likewise.
      * tools/virt-pki-validate.in: Likewise.
      * src/locking/virtlockd.init.in: Likewise.
      * daemon/Makefile.am: Prefer | over ! in sed.
      (libvirtd.8): Prefer consistent substitution.
      (libvirtd.init, libvirtd.service): Avoid non-portable sed.
      * tools/Makefile.am (libvirt-guests.sh, libvirt-guests.init)
      (libvirt-guests.service): Likewise.
      (virt-xml-validate, virt-pki-validate, virt-sanlock-cleanup):
      Prefer consistent capitalization.
      * src/Makefile.am (virtlockd.init, virtlockd.service)
      (virtlockd.socket): Prefer consistent substitution.
  20. 05 Jan, 2013 2 commits
  21. 04 Jan, 2013 1 commit
  22. 21 Dec, 2012 2 commits