This API can be used to execute arbitrary emulators.
Forbid it on read-only connections.

Fixes: CVE-2019-10167
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 8afa68ba)
Signed-off-by: NJán Tomko <jtomko@redhat.com>

The virDomainSaveImageGetXMLDesc API is taking a path parameter,
which can point to any path on the system. This file will then be
read and parsed by libvirtd running with root privileges.

Forbid it on read-only connections.

Fixes: CVE-2019-10161
Reported-by: NMatthias Gerstner <mgerstner@suse.de>
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit aed6a032)
Signed-off-by: NJán Tomko <jtomko@redhat.com>

Conflicts:
  src/libvirt-domain.c
  src/remote/remote_protocol.x

Upstream commit 12a51f37 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
alias for VIR_DOMAIN_XML_SECURE is not backported.
Just skip the commit since we now disallow the whole API on read-only
connections, regardless of the flag.
Signed-off-by: NJán Tomko <jtomko@redhat.com>

Commit 839a0608 tied the lifecycle of virtlogd more
closely to that of libvirtd. Unfortunately, while starting
virtlogd when libvirtd is started is definitely a good idea,
restarting virtlogd or shutting it down at any time outside
of system poweroff is not.

Revert part of that commit by removing the PartOf= lines,
meaning that only startup requests will be propagated from
libvirtd to virtlogd.

Resolves: https://bugzilla.redhat.com/1372576
(cherry picked from commit f496ce1d)

We already guarantee that virtlogd.socket is enabled/disabled
along with libvirtd.service, but if libvirtd.service has just
been installed and is started before rebooting, then
virtlogd.socket will not be running and guest startup will
fail.

Add Requires=virtlogd.socket to libvirtd.service to make sure
virtlogd.socket is always started along with libvirtd.service,
and add Before=libvirtd.service to both virtlogd.socket and
virtlogd.service so that virtlogd never disappears before
libvirtd has exited.

Also add PartOf=libvirtd.service to both virtlogd.socket and
virtlogd.service, so that virtlogd can be shut down when not
needed.

Resolves: https://bugzilla.redhat.com/1372576
(cherry picked from commit 839a0608)

https://bugzilla.redhat.com/show_bug.cgi?id=1353296

On UNIX like systems there are no constraints on what characters
can be in file/dir names (except for NULL, obviously). Moreover,
some values that we think of as paths (e.g. disk source) are not
necessarily paths at all. For instance, some hypervisors take
that as an arbitrary identifier and corresponding file is then
looked up by hypervisor in its table. Instead of trying to fix
our regular expressions (and forgetting to include yet another
character there), lets drop the validation completely.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
(cherry picked from commit c4b92f1a)

Fix the regex for excluding files for this syntax-rule.  The rule "include/"
will not work, because we are matching the whole line like this
"^(...|include/|...)$ so we need to use "include/libvirt/libvirt.+".  The second
issue is that we are using only one '$' but there should be two of those at the
end.  The last small adjustment is to escape dots '.' so it match only dot.
Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
(cherry picked from commit a94efa50)

Before the variable 'bits' was initialized with 0 (commit
3470cd86), the following bug was
possible.

A function call with an empty bitmap leads to undefined
behavior. Because if 'bitmap->map_len == 0' 'unusedBits' will be <= 0
and 'sz == 1'. So the non global and non static variable 'bits' would
have never been set. Consequently the check 'bits == 0' results in
undefined behavior.

This patch clarifies the current version of the function by handling the
empty bitmap explicitly. Also, for an empty bitmap there is obviously no
bit set so we can just return -1 (indicating no bit set) right away. The
explicit check for 'bits == 0' after the loop is unnecessary because we
only get to this point if no set bit was found.
Reviewed-by: NBoris Fiuczynski <fiuczy@linux.vnet.ibm.com>
Reviewed-by: NSascha Silbe <silbe@linux.vnet.ibm.com>
Reviewed-by: NBjoern Walk <bwalk@linux.vnet.ibm.com>
Signed-off-by: NMarc Hartmayer <mhartmay@linux.vnet.ibm.com>
(cherry picked from commit 7cd01a24)

When building using -Og, gcc sees that some variables can be used
uninitialized  It can be debatable whether it is possible with our
codeflow, but functions should be self-contained and initializations are
always good.  The return instead of goto is due to actualType being used
in the cleanup.
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 3470cd86)

If this reminds you of a commit message from around a year ago, it's
41c2aa72 and yes, we're dealing with
"the same thing" again.  Or f309db1f and
it's similar.

There is a logic in place that if there is no real need for
memory-backend-file, qemuBuildMemoryBackendStr() returns 0.  However
that wasn't the case with hugepage backing.  The reason for that was
that we abused the 'pagesize' variable for storing that information, but
we should rather have a separate one that specifies whether we really
need the new object for hugepage backing.  And that variable should be
set only if this particular NUMA cell needs special treatment WRT
hugepages.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1372153Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 4372a7845acbc6974f6027ef68e7dd3eeb47f425)

Commit ffc49e57 broke syntax-check:

  cppi: libvirt.spec.in: line 622: not properly indented
  cppi: libvirt.spec.in: line 624: not properly indented
  cppi: libvirt.spec.in: line 640: not properly indented
  cppi: libvirt.spec.in: line 642: not properly indented
  maint.mk: incorrect preprocessor indentation
  cfg.mk:697: recipe for target 'sc_spec_indentation' failed

Indent the new conditionals properly.

(cherry picked from commit 55d8daa0)

Disallowing them broke a use case of testing multipath configurations
for storage. Originally this was added as it was impossible to
use certain /dev/disk-by... links but the disks worked properly.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1349895
(cherry picked from commit 5da28cc3)

The systemd-machined tools libvirt uses were split into a
systemd-container RPM. Without depending on this, libvirt
may silently fallback to the non-systemd cgroup impl which
is not desirable.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit ffc49e57)

Ensure that the given controller and all controllers with a smaller
index exist; there must not be any missing index in between.
Reviewed-by: NBoris Fiuczynski <fiuczy@linux.vnet.ibm.com>
Reviewed-by: NBjoern Walk <bwalk@linux.vnet.ibm.com>
Signed-off-by: NMarc Hartmayer <mhartmay@linux.vnet.ibm.com>
(cherry picked from commit 12ec22b6)

 Conflicts:
	src/qemu/qemu_hotplug.c: - context of the first hunk changed

The commit "qemu: hot-plug: Assume support for -device in
qemuDomainAttachSCSIDisk" dropped the code for the automatic SCSI
controller creation used in SCSI disk hot-plugging. If we are
hot-plugging a SCSI disk to a domain and there is no proper SCSI
controller defined, it results in an "error: internal error: Could not
find scsi controller with index X required for device" error.

For that reason reverting a hunk of the commit
d4d32005.

This patch also adds an extra comment to the code to clarify the
loop.
Reviewed-by: NBoris Fiuczynski <fiuczy@linux.vnet.ibm.com>
Reviewed-by: NBjoern Walk <bwalk@linux.vnet.ibm.com>
Signed-off-by: NMarc Hartmayer <mhartmay@linux.vnet.ibm.com>
(cherry picked from commit 58d07db9)

CVE-2016-5008

Setting an empty graphics password is documented as a way to disable
VNC/SPICE access, but QEMU does not always behaves like that. VNC would
happily accept the empty password. Let's enforce the behavior by setting
password expiration to "now".

https://bugzilla.redhat.com/show_bug.cgi?id=1180092Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
(cherry picked from commit bb848fee)

Fron c3bd0019 on instead of creating the following path for
cgroups:

  /sys/fs/cgroupX/$name.libvirt-$driver

we generate rather more verbose one:

  /sys/fs/cgroupX/$driver-$id-$name.libvirt-$driver

where $name is optional and included iff contains allowed chars.
See original commit for more reasoning. Now, problem with the
original commit is that we are unable to start any LXC domain
after it. Because when starting LXC container, the CGroup layout
is created by our lxc_controller process and then detected and
validated by libvirtd. The validation is done by trying to match
detected layout against all the possible patterns for cgroup
paths that we've ever had. And the commit in question forgot to
update this part of the code.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
(cherry picked from commit fb377701)

Fedora now ships edk2 firmware in its official repos, so adapt
the nvram path list to match. Eventually we can remove the nightly
links as well once some integration kinks have been worked out,
and documentation updated.

Move the macro building into the %build target, which lets us
build up a shell variable and make things a bit more readable

https://bugzilla.redhat.com/show_bug.cgi?id=1335395
(cherry picked from commit e9ef4dfa)

Use the detected tray presence flag to trigger the tray waiting code
only if the given storage device in qemu reports to have a tray.

This is necessary as the floppy device lost it's tray as of qemu commit:

commit abb3e55b5b718d6392441f56ba0729a62105ac56
Author: Max Reitz <mreitz@redhat.com>
Date:   Fri Jan 29 20:49:12 2016 +0100

    Revert "hw/block/fdc: Implement tray status"

(cherry picked from commit 72a7ff6b)

Commit 1fad65d4 used a really big hammer
and overwrote the error message that might be reported by qemu if the
tray is locked. Fix it by reporting the error only if no error is
currently set.

Error after commit mentioned above:
error: internal error: timed out waiting for disk tray status update

New error:
error: internal error: unable to execute QEMU command 'eject': Tray of
device 'drive-ide0-0-0' is not open

(cherry picked from commit 2e75da42)

The code grew rather convoluted. Extract it to a separate function.

(cherry picked from commit 0aa19f35)

If we exceed the timeout waiting for the tray status to change,
we don't report an error. Fix it

(cherry picked from commit 1fad65d4)

If qemu doesn't support DEVICE_TRAY_MOVED event the code that attempts
to change media would attempt to re-eject the tray even if it wouldn't
be notified when the tray opened. Add a capability bit and skip retrying
for old qemus.

(cherry picked from commit 833ae6b4)

Extract information for all disks and update tray state and source only
for removable drives. Additionally store whether a drive is removable
and whether it has a tray.

(cherry picked from commit 894dc85f)

Move it to a more sane place since it's refreshing data about disks.

(cherry picked from commit d9bee413)

Extract whether a given drive has a tray and whether there is no image
inserted.

Negative logic for the image insertion is chosen so that the flag is set
only if we are certain of the fact.

(cherry picked from commit f1690dc3)

(cherry picked from commit 5f963d89)

Empty floppy drives start with tray in "open" state and libvirt did not
refresh it after startup. The code that inserts media into the tray then
waited until the tray was open before inserting the media and thus
floppies could not be inserted.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1326660
(cherry picked from commit a34faf33)

No longer necessary to have it, so remove it.

(cherry picked from commit 027986f5)

https://bugzilla.redhat.com/show_bug.cgi?id=1331552

Instead of disabling auto-login of all scsi targets (even those
that do not "belong" to libvirt), use iscsiadm's "--op nonpersistent"
during discovery of iSCSI targets (e.g. "iscsiadm --mode discovery
--type sendtargets") in order to avoid the node database being altered
which led to the need for the "large hammer" approach taken by
commit id '3c12b654'.

This commit removes the virISCSITargetAutologin adjustment (eg. the setting
of node.startup to "manual"). The iscsiadm command has supported this mode
of operation as of commit id 'ad873767' to open-iscsi.

(cherry picked from commit 56057900)

Utilize the exit status parameter for virCommandRunRegex in order to
check the return error from the 'iscsiadm --mode session' command.
Without this enabled, if there are no sessions running then virCommandRun
would have displayed an error such as:

    2016-05-13 15:17:15.165+0000: 10920: error : virCommandWait:2553 :
               internal error: Child process (iscsiadm --mode session)
               unexpected exit status 21: iscsiadm: No active sessions.

It is possible that for certain paths (when probe is true) we only care
whether it's running or not to make certain decisions.  Spitting out
the error for those paths is unnecessary.

If we do have a situation where probe = false and there's an error,
then display the error from iscsiadm if it's there.

(cherry picked from commit 8f54e0d6)

Rather than have virCommandRun just spit out the error, allow callers
to decide to pass the exitstatus so the caller can make intelligent
decisions based on the error.

(cherry picked from commit 8b104947)

Some of the test configuration files in tests/xlconfigdata
use the old qemu-dm as the emulator. Many of the configuration
features tested (spice, rbd, multi-usb) are not even usable with
the old qemu. Change these files to use the new qemu-xen (also
known as qemu upstream) emulator.

Note: This change fixes xlconfigtest failures when the old
qemu is actually installed on the system. During device post
parse, the libxl driver attempts to invoke the emulator to
determine if it is the old or new qemu so it can properly set
video RAM defaults. With the old qemu installed, the default
video RAM was set differently than the expected value.
Changing all the test data files to use qemu-xen ensures
predictable results wrt default video RAM size.
Signed-off-by: NJim Fehlig <jfehlig@suse.com>
(cherry picked from commit b90c4b5f)

When probing the <emulator> with '-help' to determine if
it is the old qemu, errors are reported if the emulator
doesn't exist

libvirt:  error : internal error: Child process
(/usr/lib/xen/bin/qemu-dm -help) unexpected exit status 127:
libvirt:  error : cannot execute binary /usr/lib/xen/bin/qemu-dm:
No such file or directory

Avoid the probe if the specified emulator doesn't exist,
squelching the error. There is no behavior change since
libxlDomainGetEmulatorType() would return
LIBXL_DEVICE_MODEL_VERSION_QEMU_XEN if the probe failed
via virCommandRun().
Signed-off-by: NJim Fehlig <jfehlig@suse.com>
(cherry picked from commit 400e716d)

My commit 3e428670 started filling out the video size in post-parse,
but did not adjust the tests.

(cherry picked from commit 96b21fb0)

Move filling out the default video (v)ram to DeviceDefPostParse.

This means it can be removed from virDomainVideoDefParseXML
and qemuParseCommandLine. Also, we no longer need to special case
VIR_DOMAIN_VIRT_XEN, since the per-driver callback gets called
before the generic one.

(cherry picked from commit 538012c8)

Commit 6879be48 moved adding of an implicit video device after XML
parsing. As a result, libxlDomainDeviceDefPostParse() is no longer
called to set the default vram when adding an implicit device.
Commit 6879be48 assumes virDomainVideoDefaultRAM() will set the
default vram, but it returns 0 if the domain virtType is
VIR_DOMAIN_VIRT_XEN. Attempting to start an HVM domain with vram=0
results in

error: unsupported configuration: videoram must be at least 4MB for CIRRUS

The default vram setting for Xen HVM domains depends on the device
model used (qemu-xen vs qemu-traditional), hence setting the
default is deferred to libxlDomainDeviceDefPostParse().

Call the device post-parse callback even for implicit video,
to fill out the default vram even for VIR_DOMAIN_VIRT_XEN.

https://bugzilla.redhat.com/show_bug.cgi?id=1334557Most-of-commit-message-by: NJim Fehlig <jfehlig@suse.com>
(cherry picked from commit 3e428670)

Future commit will call DeviceDefPostParse on a device auto-added
in DomainDefPostParse.

(cherry picked from commit e4d131b8)

(cherry picked from commit 12786889)