- 30 6月, 2016 1 次提交
-
-
由 Jiri Denemark 提交于
CVE-2016-5008 Setting an empty graphics password is documented as a way to disable VNC/SPICE access, but QEMU does not always behaves like that. VNC would happily accept the empty password. Let's enforce the behavior by setting password expiration to "now". https://bugzilla.redhat.com/show_bug.cgi?id=1180092Signed-off-by: NJiri Denemark <jdenemar@redhat.com> (cherry picked from commit bb848fee) (cherry picked from commit d933f68e)
-
- 16 12月, 2015 2 次提交
-
-
由 Eric Blake 提交于
The libvirt file system storage driver determines what file to act on by concatenating the pool location with the volume name. If a user is able to pick names like "../../../etc/passwd", then they can escape the bounds of the pool. For that matter, virStoragePoolListVolumes() doesn't descend into subdirectories, so a user really shouldn't use a name with a slash. Normally, only privileged users can coerce libvirt into creating or opening existing files using the virStorageVol APIs; and such users already have full privilege to create any domain XML (so it is not an escalation of privilege). But in the case of fine-grained ACLs, it is feasible that a user can be granted storage_vol:create but not domain:write, and it violates assumptions if such a user can abuse libvirt to access files outside of the storage pool. Therefore, prevent all use of volume names that contain "/", whether or not such a name is actually attempting to escape the pool. This changes things from: $ virsh vol-create-as default ../../../../../../etc/haha --capacity 128 Vol ../../../../../../etc/haha created $ rm /etc/haha to: $ virsh vol-create-as default ../../../../../../etc/haha --capacity 128 error: Failed to create vol ../../../../../../etc/haha error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/' Signed-off-by: NEric Blake <eblake@redhat.com> (cherry picked from commit 034e47c3) Conflicts: src/storage/storage_backend_fs.c - trivial copyright date collision
-
由 Martin Kletzander 提交于
Since commit 8eb55d782a2b9afacc7938694891cc6fad7b42a5 libxml2 removes two slashes from the URI when there is no server part. This is fixed with beb7281055dbf0ed4d041022a67c6c5cfd126f25, but only if the calling application calls xmlSaveUri() on URI that xmlURIParse() parsed. And that is not the case in virURIFormat(). virURIFormat() accepts virURIPtr that can be created without parsing it and we do that when we format network storage paths for gluster for example. Even though virStorageSourceParseBackingURI() uses virURIParse(), it throws that data structure right away. Since we want to format URIs as URIs and not absolute URIs or opaque URIs (see RFC 3986), we can specify that with a special hack thanks to commit beb7281055dbf0ed4d041022a67c6c5cfd126f25, by setting port to -1. This fixes qemuxml2argvtest test where the disk-drive-network-gluster case was failing. Signed-off-by: NMartin Kletzander <mkletzan@redhat.com> (cherry picked from commit 8f17d0ea)
-
- 28 4月, 2015 4 次提交
-
-
由 Daniel P. Berrange 提交于
In systemd >= 218, the udev_set_log_fn method has been marked deprecated and turned into a no-op. Nothing in the udev client library will print to stderr by default anymore, so we can just stop installing a logging hook for new enough udev. (cherry picked from commit a93a3b97)
-
由 Dario Faggioli 提交于
libxl interface for vcpu pinning is changing in Xen 4.5. Basically, libxl_set_vcpuaffinity() now wants one more parameter. That is representative of 'VCPU soft affinity', which libvirt does not use. To mark such change, the macro LIBXL_HAVE_VCPUINFO_SOFT_AFFINITY is defined. Use it as a gate and, if present, re-#define the calls from the old to the new interface, to avoid breaking the build. Signed-off-by: NDario Faggioli <dario.faggioli@citrix.com> Cc: Jim Fehlig <jfehlig@suse.com> Cc: Ian Campbell <Ian.Campbell@citrix.com> Cc: Ian Jackson <Ian.Jackson@eu.citrix.com> (cherry picked from commit bfc72e99)
-
由 Cole Robinson 提交于
- Remove all qemu emulators - Restart libvirtd - Install qemu emulators - Call 'virsh version' -> errors The only thing that will force the qemu driver to refresh it's cached capablities info is an explict API call to GetCapabilities. However in the case when the initial caps lookup at driver connect didn't find a single qemu emulator to poll, the driver is effectively useless and really can't do anything until it's populated some qemu capabilities info. With the above steps, the user would have to either know about the magic refresh capabilities call, or restart libvirtd to pick up the changes. Instead, this patch changes things so that every time a part of th driver requests access to capabilities info, check to see if we've previously seen any emulators. If not, force a refresh. In the case of 'still no emulators found', this is still very quick, so I can't think of a downside. https://bugzilla.redhat.com/show_bug.cgi?id=1000116 (cherry picked from commit 95546c43)
- 26 4月, 2015 1 次提交
-
-
由 Michal Privoznik 提交于
https://bugzilla.redhat.com/show_bug.cgi?id=996543 When starting up a domain, the SELinux labeling is done depending on current configuration. If the labeling fails we check for possible causes, as not all labeling failures are fatal. For example, if the labeled file is on NFS which lacks SELinux support, the file can still be readable to qemu process. These cases are distinguished by the errno code: NFS without SELinux support returns EOPNOTSUPP. However, we were missing one scenario. In case there's a read-only disk on a read-only NFS (and possibly any FS) and the labeling is just optional (not explicitly requested in the XML) there's no need to make the labeling error fatal. In other words, read-only file on read-only NFS can fail to be labeled, but be readable at the same time. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> (cherry picked from commit d1fdecb6)
-
- 26 2月, 2015 2 次提交
-
-
由 Luyao Huang 提交于
https://bugzilla.redhat.com/show_bug.cgi?id=1196503 We already check whether the host id is valid or not, add a jump to forbid invalid host id. Signed-off-by: NLuyao Huang <lhuang@redhat.com> Signed-off-by: NJán Tomko <jtomko@redhat.com> (cherry picked from commit 719cd218)
- 08 2月, 2015 1 次提交
-
-
由 Cole Robinson 提交于
-
- 23 1月, 2015 2 次提交
-
-
由 Peter Krempa 提交于
The ACL check didn't check the VIR_DOMAIN_XML_SECURE flag and the appropriate permission for it. Found via code inspection while fixing permissions for save images. (cherry picked from commit b347c0c2)
-
由 Peter Krempa 提交于
The ACL check didn't check the VIR_DOMAIN_XML_SECURE flag and the appropriate permission for it. (cherry picked from commit 03c3c0c8)
-
- 24 12月, 2014 1 次提交
-
-
由 Peter Krempa 提交于
Avoid leaving the domain locked on a failed ACL check in qemuDomainMigratePerform() and qemuDomainMigrateFinish2(). Introduced in commit abf75aea (Add ACL checks into the QEMU driver). (cherry picked from commit 2bdcd29c)
-
- 16 11月, 2014 3 次提交
-
-
由 Cole Robinson 提交于
-
由 Cole Robinson 提交于
The e5120a6e backport used an undefined make variable. Not sure why I didn't hit it at first...
-
由 Cole Robinson 提交于
-
- 08 11月, 2014 1 次提交
-
-
由 Eric Blake 提交于
Commit 28f8dfdc (v1.0.0) introduced a security hole: in at least the qemu implementation of virDomainGetXMLDesc, the use of the flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE prior to calling qemuDomainFormatXML. However, the use of VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write clients only. This patch treats the migratable flag as requiring the same permissions, rather than analyzing what might break if migratable xml no longer includes secret information. Fortunately, the information leak is low-risk: all that is gated by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password; but VNC passwords are already weak (FIPS forbids their use, and on a non-FIPS machine, anyone stupid enough to trust a max-8-byte password sent in plaintext over the network deserves what they get). SPICE offers better security than VNC, and all other secrets are properly protected by use of virSecret associations rather than direct output in domain XML. * src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC): Tighten rules on use of migratable flag. * src/libvirt-domain.c (virDomainGetXMLDesc): Likewise. Signed-off-by: NEric Blake <eblake@redhat.com> (cherry picked from commit b1674ad5) Conflicts: src/libvirt-domain.c - file split from older src/libvirt.c; context with older virLibConnError Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 30 10月, 2014 3 次提交
-
-
由 Lubomir Rintel 提交于
The manufacurer and product from USB device itself are usually not particularly useful -- they tend to be missing, or ugly (all-uppercase, padded with spaces, etc.). Prefer what's in the usb id database and fall back to descriptors only if the device is too new to be in database. https://bugzilla.redhat.com/show_bug.cgi?id=1138887 (cherry picked from commit 3ef77a54)
-
由 Martin Kletzander 提交于
gnutls-3.3.0 and newer leaves 2 FDs open in order to be backwards compatible when it comes to chrooted binaries [1]. Linking commandhelper with gnutls then leaves these two FDs open and commandtest fails thanks to that. This patch does not link commandhelper with libvirt.la, but rather only the utilities making the test pass. Based on suggestion from Daniel [2]. [1] http://lists.gnutls.org/pipermail/gnutls-help/2014-April/003429.html [2] https://www.redhat.com/archives/libvir-list/2014-April/msg01119.htmlSigned-off-by: NMartin Kletzander <mkletzan@redhat.com> (cherry picked from commit 4cbc15d0)
-
由 Cédric Bosdonnat 提交于
D-bus introduced some changes in its locking code. Overriding the init function skips the new locking init and thus crashes later in libvirt test. Removing the function makes the test pass again. (cherry picked from commit 5e397d9c)
-
- 02 10月, 2014 1 次提交
-
-
由 Pavel Hrdina 提交于
If you use public api virConnectListAllDomains() with second parameter set to NULL to get only the number of domains you will lock out all other operations with domains. Introduced by commit 2c680804. Signed-off-by: NPavel Hrdina <phrdina@redhat.com> (cherry picked from commit fc22b2e7)
-
- 18 9月, 2014 1 次提交
-
-
由 Peter Krempa 提交于
Live definition was used to look up the disk index while persistent one was indexed leading to a crash in qemuDomainGetBlockIoTune. Use the correct def and report a nice error. Unfortunately it's accessible via read-only connection, though it can only crash libvirtd in the cases where the guest is hot-plugging disks without reflecting those changes to the persistent definition. So avoiding hotplug, or doing hotplug where persistent is always modified alongside live definition, will avoid the out-of-bounds access. Introduced in: eca96694a (v0.9.8) Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1140724Reported-by: NLuyao Huang <lhuang@redhat.com> Signed-off-by: NPeter Krempa <pkrempa@redhat.com> (cherry picked from commit 3e745e8f)
-
- 09 9月, 2014 10 次提交
-
-
由 Cole Robinson 提交于
-
由 Bamvor Jian Zhang 提交于
in recently xen commit: 7051d5c8, there is a api changes in libxl_domain_create_restore. Author: Andrew Cooper <andrew.cooper3@citrix.com> Date: Thu Oct 10 12:23:10 2013 +0100 tools/migrate: Fix regression when migrating from older version of Xen use the macro LIBXL_HAVE_DOMAIN_CREATE_RESTORE_PARAMS in libxl.h in order to make libvirt could compile with old and new xen. the params checkpointed_stream is useful if libvirt libxl driver support migration. for new, set it as zero. Signed-off-by: NBamvor Jian Zhang <bjzhang@suse.com> (cherry picked from commit a52fa556)
-
由 Eric Blake 提交于
Use correct variable name. * m4/virt-selinux.m4: Fix one last variable name. (cherry picked from commit 5fa10f32)
-
由 Jim Fehlig 提交于
Commit 292d3f2d fixed the build with libselinux 2.3, but missed some suggestions by eblake https://www.redhat.com/archives/libvir-list/2014-May/msg00977.html This patch changes the macro introduced in 292d3f2d to either be empty in the case of newer libselinux, or contain 'const' in the case of older libselinux. The macro is then used directly in tests/securityselinuxhelper.c. (cherry picked from commit b109c097)
-
由 Cédric Bosdonnat 提交于
Several function signatures changed in libselinux 2.3, now taking a 'const char *' instead of 'security_context_t'. The latter is defined in selinux/selinux.h as typedef char *security_context_t; Signed-off-by: NEric Blake <eblake@redhat.com> (cherry picked from commit 292d3f2d)
-
由 Cole Robinson 提交于
(cherry picked from commit 3e8699d3)
-
由 Cole Robinson 提交于
Currently VolOpen notifies the user of a potentially non-fatal failure by returning -2 and logging a VIR_WARN or VIR_INFO. Unfortunately most callers treat -2 as fatal but don't actually report any message with the error APIs. Rename the VOL_OPEN_ERROR flag to VOL_OPEN_NOERROR. If NOERROR is specified, we preserve the current behavior of returning -2 (there's only one caller that wants this). However in the default case, only return -1, and actually use the error APIs. Fix up a couple callers as a result. (cherry picked from commit 138e65c3) Conflicts: src/storage/storage_backend.c src/storage/storage_backend_fs.c
-
由 Cole Robinson 提交于
Remove the original VolOpen implementation, which is now only used in one spot. (cherry picked from commit fa5b5549)
-
由 Cole Robinson 提交于
(cherry picked from commit 847a9eb1) Conflicts: src/storage/storage_backend.h src/storage/storage_backend_mpath.c src/storage/storage_backend_scsi.c
-
由 Cole Robinson 提交于
And drop the original UpdateVolInfo. Makes it a bit easier to follow the function usage. And change the int parameter to an explicit bool. (cherry picked from commit 16d75d19) Conflicts: src/storage/storage_backend.h
-
- 08 9月, 2014 3 次提交
-
-
由 Gao feng 提交于
After kernel commit 5ff9d8a65ce80efb509ce4e8051394e9ed2cd942 vfs: Lock in place mounts from more privileged users, unprivileged user has no rights to move the mounts that inherited from parent mountns. we use this feature to move the /stateDir/domain-name.{dev, devpts} to the /dev/ and /dev/pts directroy of container. this commit breaks libvirt lxc. this patch changes the behavior to bind these mounts when user namespace is enabled and move these mounts when user namespace is disabled. Signed-off-by: NGao feng <gaofeng@cn.fujitsu.com> (cherry picked from commit 46f2d16f)
-
由 Daniel P. Berrange 提交于
Recent discussions around naming of 'pci' vs 'pci.0' for PPC made me go back and look at the PPC emulator in every historical version of QEMU since 1.0. The results were worse than I imagined. This patch adds the logic required to make libvirt work with PPC correctly with naming variations across all versions & machine types. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 27b2b987)
-
由 Stefan Bader 提交于
As soon as any guest mounts xenfs to /proc/xen, there is a capabilities file in that directory. However it returns nothing when reading from it. Change the test to actually check the contents of the file. BugLink: http://bugs.launchpad.net/bugs/1248025Signed-off-by: NStefan Bader <stefan.bader@canonical.com> (cherry picked from commit 8c869ad9)
-
- 02 9月, 2014 1 次提交
-
-
由 Ján Tomko 提交于
https://bugzilla.redhat.com/show_bug.cgi?id=1135388 (cherry picked from commit 628c2255)
-
- 27 8月, 2014 1 次提交
-
-
由 Daniel P. Berrange 提交于
The libvirt.pc file we install is ending up polluted with a load of compiler flags that should be private to the libvirt build. eg Libs: -L${libdir} -lvirt -ldl -O2 -g -pipe -Wall \ -Wp,-D_FORTIFY_SOURCE=2 -fexceptions \ -fstack-protector-strong --param=ssp-buffer-size=4 \ -grecord-gcc-switches -m64 -mtune=generic this is caused by including @libs@ in the Libs: line of the pkgconfig.pc.in file. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com> (cherry picked from commit 1167751f)
-
- 03 7月, 2014 2 次提交
-
-
由 Peter Krempa 提交于
We have the following matrix of possible arguments handled by the logic statement touched by this patch: | flags & _REUSE_EXT | !(flags & _REUSE_EXT) -------+--------------------+---------------------- format| (1) | (2) -------+--------------------+---------------------- !format| (3) | (4) -------+--------------------+---------------------- In cases 1 and 2 the user provided a format, in cases 3 and 4 not. The user requests to use a pre-existing image in 1 and 3 and libvirt will create a new image in 2 and 4. The difference between cases 3 and 4 is that for 3 the format is probed from the user-provided image, whereas in 4 we just use the existing disk format. The current code would treat cases 1,3 and 4 correctly but in case 2 the format provided by the user would be ignored. The particular piece of code was broken in commit 35c7701c but since it was introduced a few commits before that it was never released as working. (cherry picked from commit 42619ed0) Signed-off-by: NEric Blake <eblake@redhat.com> Conflicts: src/qemu/qemu_driver.c - no refactoring of commits 7b7bf001, 4f202266
-
由 Eric Blake 提交于
Newer git doesn't like the maint.mk rule 'public-submodule-commit' run during 'make check', as inherited from our checkout of gnulib. I tracked down that libvirt commit 8531301d picked up a gnulib fix that makes git happy. Rather than try and do a full .gnulib submodule update to gnulib.git d18d1b802 (as used in that libvirt commit), it was easier to just backport the fixed maint.mk from gnulib on top of our existing submodule level. I did it as follows, where these steps will have to be repeated when cherry-picking this commit to any other maintenance branch: mkdir -p gnulib/local/top cd .gnulib git checkout d18d1b802 top/maint.mk git diff HEAD > ../gnulib/local/top/maint.mk.diff git reset --hard cd .. git add gnulib/local/top Signed-off-by: NEric Blake <eblake@redhat.com>
-