This API can be used to execute arbitrary emulators.
Forbid it on read-only connections.

Fixes: CVE-2019-10167
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 8afa68ba)
Signed-off-by: NJán Tomko <jtomko@redhat.com>

The virDomainSaveImageGetXMLDesc API is taking a path parameter,
which can point to any path on the system. This file will then be
read and parsed by libvirtd running with root privileges.

Forbid it on read-only connections.

Fixes: CVE-2019-10161
Reported-by: NMatthias Gerstner <mgerstner@suse.de>
Signed-off-by: NJán Tomko <jtomko@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit aed6a032)
Signed-off-by: NJán Tomko <jtomko@redhat.com>

Conflicts:
  src/libvirt-domain.c
  src/remote/remote_protocol.x

Upstream commit 12a51f37 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
alias for VIR_DOMAIN_XML_SECURE is not backported.
Just skip the commit since we now disallow the whole API on read-only
connections, regardless of the flag.
Signed-off-by: NJán Tomko <jtomko@redhat.com>

Fixed in master by multiple commits.  This merely makes sure
syntax-check works with cppi installed.
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

Fix the regex for excluding files for this syntax-rule.  The rule "include/"
will not work, because we are matching the whole line like this
"^(...|include/|...)$ so we need to use "include/libvirt/libvirt.+".  The second
issue is that we are using only one '$' but there should be two of those at the
end.  The last small adjustment is to escape dots '.' so it match only dot.
Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
(cherry picked from commit a94efa50)

Before the variable 'bits' was initialized with 0 (commit
3470cd86), the following bug was
possible.

A function call with an empty bitmap leads to undefined
behavior. Because if 'bitmap->map_len == 0' 'unusedBits' will be <= 0
and 'sz == 1'. So the non global and non static variable 'bits' would
have never been set. Consequently the check 'bits == 0' results in
undefined behavior.

This patch clarifies the current version of the function by handling the
empty bitmap explicitly. Also, for an empty bitmap there is obviously no
bit set so we can just return -1 (indicating no bit set) right away. The
explicit check for 'bits == 0' after the loop is unnecessary because we
only get to this point if no set bit was found.
Reviewed-by: NBoris Fiuczynski <fiuczy@linux.vnet.ibm.com>
Reviewed-by: NSascha Silbe <silbe@linux.vnet.ibm.com>
Reviewed-by: NBjoern Walk <bwalk@linux.vnet.ibm.com>
Signed-off-by: NMarc Hartmayer <mhartmay@linux.vnet.ibm.com>
(cherry picked from commit 7cd01a24)

When building using -Og, gcc sees that some variables can be used
uninitialized  It can be debatable whether it is possible with our
codeflow, but functions should be self-contained and initializations are
always good.  The return instead of goto is due to actualType being used
in the cleanup.
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 3470cd86)

If this reminds you of a commit message from around a year ago, it's
41c2aa72 and yes, we're dealing with
"the same thing" again.  Or f309db1f and
it's similar.

There is a logic in place that if there is no real need for
memory-backend-file, qemuBuildMemoryBackendStr() returns 0.  However
that wasn't the case with hugepage backing.  The reason for that was
that we abused the 'pagesize' variable for storing that information, but
we should rather have a separate one that specifies whether we really
need the new object for hugepage backing.  And that variable should be
set only if this particular NUMA cell needs special treatment WRT
hugepages.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1372153Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 4372a7845acbc6974f6027ef68e7dd3eeb47f425)

The systemd-machined tools libvirt uses were split into a
systemd-container RPM. Without depending on this, libvirt
may silently fallback to the non-systemd cgroup impl which
is not desirable.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
(cherry picked from commit ffc49e57)

CVE-2016-5008

Setting an empty graphics password is documented as a way to disable
VNC/SPICE access, but QEMU does not always behaves like that. VNC would
happily accept the empty password. Let's enforce the behavior by setting
password expiration to "now".

https://bugzilla.redhat.com/show_bug.cgi?id=1180092Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
(cherry picked from commit bb848fee)

* docs/news.html.in libvirt.spec.in: update for release
* po/*.po* : regenerated

Signed-off-by: NYuri Chornoivan <yurchor@ukr.net>

This reverts commit 6e244c65, which
added support to qemu for the "peer" attribute in domain interface <ip>
elements.

It's being removed temporarily for the release of libvirt 1.3.4
because the feature doesn't work, and there are concerns that it may
need to be modified in an externally visible manner which could create
backward compatibility problems.

 Conflicts:
   tests/qemuxml2argvmock.c - a mock of virNetDevSetOnline() was added
   which may be assumed by other tests added since the original commit,
   so it isn't being reverted.

This reverts commit afee47d0, which
added support to lxc for the "peer" attribute in domain interface <ip>
elements.

It's being removed temporarily for the release of libvirt 1.3.4
because the feature doesn't work, and there are concerns that it may
need to be modified in an externally visible manner which could create
backward compatibility problems.

This reverts commit 690969af, which
added the domain config parts to support a "peer" attribute in domain
interface <ip> elements.

It's being removed temporarily for the release of libvirt 1.3.4
because the feature doesn't work, and there are concerns that it may
need to be modified in an externally visible manner which could create
backward compatibility problems.

FD passing APIs like CreateXMLWithFiles or OpenGraphicsFD will leak
file descriptors. The user passes in an fd, which is dup()'d in
virNetClientProgramCall. The new fd is what is transfered to the
server virNetClientIOWriteMessage.

Once all the fds have been written though, the parent msg->fds list
is immediately free'd, so the individual fds are never closed.

This closes each FD as its send to the server, so all fds have been
closed by the time msg->fds is free'd.

https://bugzilla.redhat.com/show_bug.cgi?id=1159766

If we want to delete all disks for container or vm
we should make a loop from 0 to NumberOfDisks and always
use zero index in PrlVmCfg_GetHardDisk to get disk handle.
When we delete first disk after that numbers of other disks
will be changed, start from 0 to NumberOfDisks-1.
That's why we should always use zero index.

Add ULL suffix to all related operands of << or shift will give
all zeros instead of correct mask.
Signed-off-by: NNikolay Shirokovskiy <nshirokovskiy@virtuozzo.com>

Similarly to what commit 71408079 did with some internal paths,
clear vnc socket paths that were generated by us.  Having such path in
the definition can cause trouble when restoring the domain.  The path is
generated to the per-domain directory that contains the domain ID.
However, that ID will be different upon restoration, so qemu won't be
able to create that socket because the directory will not be prepared.

To be able to migrate to older libvirt, skip formatting the socket path
in migratable XML if it was autogenerated.  And mark it as autogenerated
if it already exists and we're parsing live XML.

Best viewed with '-C'.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1326270Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

When the domain definition describes a machine with NUMA, setting the
maximum vCPU count via the API might lead to an invalid config.

Add a check that will forbid this until we add more advanced cpu config
capabilities.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1327499

Instead of setting the default qemu stdio logging approach in
virQEMUDriverConfigLoadFile set it in virQEMUDriverConfigNew so that
it's properly set even when the config is not present.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1325075

If the domain name is long enough, the timestamp can prolong the
filename for automatic coredump to more than the filesystem's limit.
Simply shorten it like we do in other places.  The timestamp helps with
the unification, but having the ID in the name won't hurt.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1289363Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

Add virDomainObjGetShortName() and use it.  For now that's used in one
place, but we should expose it so that future patches can use it.
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

Introduced by commit 15ad2ecf.
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

Currently we only allow /dev/random and /dev/hwrng as host input
for <rng><backend model='random'/> device. This was added after
various upstream discussions in commit 4932ef45

However this restriction has generated quite a few complaints over
the years, so a new discussion was initiated:

http://www.redhat.com/archives/libvir-list/2016-April/msg00987.html

Several people suggested removing the restriction, and nobody really
spoke up to defend it. So this patch drops the path restriction
entirely

https://bugzilla.redhat.com/show_bug.cgi?id=1074464

If you compile a client --without-polkit, and connect to a URI that needs
polkit auth, the connection will fail with:

$ ./tools/virsh --connect qemu+ssh://crobinso@machine/system
error: failed to connect to the hypervisor
error: authentication failed: unsupported authentication type 2

This is because the client side portion of the polkit handling is
compiled out. However, nothing polkit specific is actually required
of the client.

Fix that error by unconditionally compiling the basic polkit client
handling.

https://bugzilla.redhat.com/show_bug.cgi?id=635529

Commit 1d440008 added some code that was not indented properly
and broke syntax-check. Fix it.

If libvirt-daemon-config-network is installed while libvirtd is already
running, the daemon doesn't notice the network. Users then have to
manually restart libvirtd (or reboot) to pick up the network.

Instead let's trigger a daemon restart when the package is first installed.
Then the default network is available immediately if libvirtd was already
running.

https://bugzilla.redhat.com/show_bug.cgi?id=867546

The hex range already tried to allow for it, but it wasn't using
the correct XML hex syntax. Fix it, and test it

Since commit 9b77ce63 we create a .in file while building all
man pages, including those in the tools/ directory; update the
ignore patterns to take this change into account.

The new ignore patterns are generic enough that we can get rid of
a few existing ones as well.

All top-level functions have been moved to this class.

On top of that, the app.warning() method has been defined,
so that calls to it - already present in rebuild() - can
actually succeed.

This method is used in eg. index.merge(), but is not defined
anywhere. The implementation has been copied from docBuilder.

Since commit d195cffa, both $(srcdir) and $(abs_builddir)
are passed to the apibuild.py script; however, since the
former is a relative path and the latter an absolute one, the
script might not be able to detect whether they point to the
same location.

Pass both as relative paths to avoid the issue.

Change 'ephemeral' to 'isephemeral' and 'private' to 'isprivate' since
both are bools.

Introduce the final accessor's to _virSecretObject data and move the
structure from virsecretobj.h to virsecretobj.c

The virSecretObjSetValue logic will handle setting both the secret
value and the value_size. Some slight adjustments to the error path
over what was in secretSetValue were made.

Additionally, a slight logic change in secretGetValue where we'll
check for the internalFlags and error out before checking for
and erroring out for a NULL secret->value. That way, it won't be
obvious to anyone that the secret value wasn't set rather they'll
just know they cannot get the secret value since it's private.

Introduce fetch and set accessor to the secretObj->def field for usage
by the driver to avoid the driver needing to know the format of virSecretObj

Move and rename the secretRewriteFile, secretSaveDef, and secretSaveValue
from secret_driver to virsecretobj

Need to make some slight adjustments since the secretSave* functions
called secretEnsureDirectory, but otherwise mostly just a move of code.

Move and rename secretDeleteSaved from secret_driver into virsecretobj and
split it up into two parts since there is error path code that looks to
just delete the secret data file

Move to secret_conf.c and rename to virSecretLoadAllConfigs. Also includes
moving/renaming the supporting virSecretLoad, virSecretLoadValue, and
virSecretLoadValidateUUID.

This patch replaces most of the guts of secret_driver.c with recently
added secret_conf.c APIs in order manage secret lists and objects
using the hashed virSecretObjList* lookup API's.