In the mapped security model, VirtFS server intercepts and maps
the file object create and get/set attribute requests. Files on the fileserver
will be created with VirtFS servers (QEMU) user credentials and the
client-users credentials are stored in extended attributes. On the request
to get attributes, server extracts the client-users credentials
from extended attributes and sends them to the client.

On Host/Fileserver:
-rw-------. 2 virfsuid virtfsgid 0 2010-05-11 09:19 afile

On Guest/Client:
-rw-r--r-- 2 guestuser guestuser 0 2010-05-11 12:19 afile
Signed-off-by: NVenkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Signed-off-by: NVenkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

mapped model changes the owner in the extended attributes.
passthrough model does the change through lchown() as the
server don't need to follow the link and client will send the
actual filesystem object.
Signed-off-by: NVenkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Signed-off-by: NVenkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

This patch adds required infrastructure for the new security model.

- A new configure option for attr/xattr.
- if CONFIG_VIRTFS will be defined if both CONFIG_LINUX and CONFIG_ATTR defined.
- Defines routines related to both security models.
Signed-off-by: NVenkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

The new option is:

-fsdev fstype,id=myid,path=/share_path/,security_model=[mapped|passthrough]
-virtfs fstype,path=/share_path/,security_model=[mapped|passthrough],mnt_tag=tag

In the case of mapped security model, files are created with QEMU user
credentials and the client-user's credentials are saved in extended attributes.
Whereas in the case of passthrough security model, files on the
filesystem are directly created with client-user's credentials.
Signed-off-by: NVenkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

This patch rearranges the fileop structures by moving the structure definitions
from virtio-9p.c to virtio-9p.h file. No functional changes.
Signed-off-by: NVenkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

This patch fluesh the debug messages to the log file  at the end of each
debug message.

Changes from V1:
Used fflush instead fseek for the flush.
Signed-off-by: NVenkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

In net/tap-linux.c, when manipulation of /dev/net/tun fails, it prints
(with fprintf) something like this:

  warning: could not open /dev/net/tun: no virtual network emulation

this has 2 issues:
 1) it is not a warning really, it's a fatal error (kvm exits after
that),
 2) there's no indication as of what's actually wrong: printing errno there
    is helpful.

The patch below removes the "warning" prefix, uses %m (since it's linux,
%m is available as format modifier), and changes fprintf() to %qemu_error().
Now it prints something like this instead:

 could not configure /dev/net/tun: Device or resource busy

(there are 2 messages like that in the same function)

This fixes Debian bug #578154, see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578154Signed-off-by: NMichael Tokarev <mjt@tls.msk.ru>
Signed-off-by: NLuiz Capitulino <lcapitulino@redhat.com>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

The code comes from
http://lists.gnu.org/archive/html/qemu-devel/2010-05/msg02788.html

Without this patch it is not possible to send at least 10 special
characters (\|'"`~:;[]{}) via the monitor sendkey command.
Signed-off-by: NBernhard M. Wiedemann <qemudevbmw@lsmod.de>
Signed-off-by: NAnthony Liguori <aliguori@us.ibm.com>

Trying to check them leads to a second error message which is more confusing
than helpful:

    Can't get refcount for cluster 0: Invalid argument
    ERROR cluster 0 refcount=-22 reference=1
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

With corrupted images, we can easily get an cluster index that exceeds the
array size of the temporary refcount table.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Although it is really rare to get in to the while loop, the list
operation in the loop is obviously wrong.
Signed-off-by: NYoshiaki Tamura <tamura.yoshiaki@lab.ntt.co.jp>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Some block drivers use an aio handler and do I/O completion routines
in it.  However, the handler is not invoked if we only do
aio_read/write, because registered fds are not checked at all.

This patch registers an aio handler of STDIO to checks whether we can
read a command without blocking, and calls qemu_aio_wait() in
command_loop().  Any other handlers can be invoked when user input is
idle.
Signed-off-by: NMORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Use bdrv_(p)write_sync to ensure metadata integrity in case of a crash.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Use bdrv_(p)write_sync to ensure metadata integrity in case of a crash.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Use bdrv_(p)write_sync to ensure metadata integrity in case of a crash.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Use bdrv_(p)write_sync to ensure metadata integrity in case of a crash.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Use bdrv_(p)write_sync to ensure metadata integrity in case of a crash.
While at it, correct the wrong usage of errno.
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Add new functions that write and flush the written data to disk immediately.
This is what needs to be used for image format metadata to maintain integrity
for cache=... modes that don't use O_DSYNC. (Actually, we only need barriers,
and therefore the functions are defined as such, but flushes is what is
implemented in this patch - we can try to change that later)
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

This changes the monitor eject_device() function to not check for
bdrv_is_inserted().

Example run where the bug manifests itself:

(output of 'info block' is stripped to include only the CD-ROM device)

  (qemu) info block
  ide1-cd0: type=cdrom removable=1 locked=0 [not inserted]
  (qemu) change ide1-cd0 /dev/cdrom host_cdrom
  (qemu) info block
  ide1-cd0: type=cdrom removable=1 locked=0 file=/dev/cdrom ro=1 drv=host_cdrom encrypted=0
  (qemu) eject ide1-cd0
  (qemu) info block
  ide1-cd0: type=cdrom removable=1 locked=0 file=/dev/cdrom ro=1 drv=host_cdrom encrypted=0

  # at this point, a disk was inserted on the host CD-ROM drive

  (qemu) info block
  ide1-cd0: type=cdrom removable=1 locked=0 file=/dev/cdrom ro=1 drv=host_cdrom encrypted=0
  (qemu) eject ide1-cd0
  (qemu) info block
  ide1-cd0: type=cdrom removable=1 locked=0 [not inserted]
  (qemu)

The first eject command didn't work because the is_inserted() check
failed.

I have no clue why the code had the is_inserted() check, as it doesn't matter
if there is a disk present at the host drive, when the user wants the virtual
device to be disconnected from the host device.

The is_inserted() check has another side effect: a memory leak if the "change"
command is used multiple times, as do_change() calls eject_device() before
re-opening the block device, but bdrv_close() is never called.
Signed-off-by: NEduardo Habkost <ehabkost@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Both SCSI and virtio expect the physical block size relative to the
logical block size.  So get the factor first before calculating the
log2.
Reported-by: NMike Cao <bcao@redhat.com>
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

This patch updates hw/scsi-bus.c to add MAINTENANCE_IN and MAINTENANCE_OUT case in
scsi_req_length() for TYPE_ROM with MMC commands.  It also adds the MAINTENANCE_OUT
case in scsi_req_xfer_mode() to set SCSI_XFER_TO_DEV for outgoing write data.
Signed-off-by: NNicholas A. Bellinger <nab@linux-iscsi.org>
Acked-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

This patch updates hw/scsi-bus.c to add the PERSISTENT_RESERVE_OUT cdb
case in scsi_req_xfer_mode() to set SCSI_XFER_TO_DEV for outgoing WRITE data.
Signed-off-by: NNicholas A. Bellinger <nab@linux-iscsi.org>
Acked-by: NGerd Hoffmann <kraxel@redhat.com>
Signed-off-by: NKevin Wolf <kwolf@redhat.com>

Update PPC, Sparc32 and Sparc64 OpenBIOS images to R795.
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Make APICState completely private to apic.c by using DeviceState
in external APIs.

Move apic_init() to pc.c.
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Convert to qdev.

Use an opaque CPUState pointer because of missing VMState
implementation for CPUState.
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Move the actual CPUState contents handling to cpu.h and cpuid.c.

Handle CPU reset and set env->halted in pc.c.

Add a function to get the local APIC state of the current
CPU for the MMIO.
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Pass only APICState when accessing APIC from CPU code.
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Pass only APICState from pc.c.
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

Convert to qdev.
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

There's no need to use ioapic_set_irq() outside of ioapic.c, so
make it static.
Signed-off-by: NBlue Swirl <blauwirbel@gmail.com>

When loading a shared library that requires an executable stack,
glibc uses the mprotext PROT_GROWSDOWN flag to achieve this.
We don't support PROT_GROWSDOWN.
Add a special case to handle changing the stack permissions in this way.
Signed-off-by: NPaul Brook <paul@codesourcery.com>

Teach strace code about linux specific mprotect flags.
Signed-off-by: NPaul Brook <paul@codesourcery.com>

Report exit status to GDB when a semihosted application exits.
Signed-off-by: NPaul Brook <paul@codesourcery.com>

Move it in preparation for further changes.
No functional change.
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@axis.com>

Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@gmail.com>

Prepare to return error from the individual decoders.
Signed-off-by: NEdgar E. Iglesias <edgar.iglesias@axis.com>

Some hosts (amd64, ia64) have an ABI that ignores the high bits
of the 64-bit register when passing 32-bit arguments.  Others
require the value to be properly sign-extended for the type.
I.e. "int32_t" must be sign-extended and "uint32_t" must be
zero-extended to 64-bits.

To effect this, extend the "sizemask" parameter to tcg_gen_callN
to include the signedness of the type of each parameter.  If the
tcg target requires it, extend each 32-bit argument into a 64-bit
temp and pass that to the function call.

This ABI feature is required by sparc64, ppc64 and s390x.
Signed-off-by: NRichard Henderson <rth@twiddle.net>
Signed-off-by: NAurelien Jarno <aurelien@aurel32.net>

Comparing an 8 bit value with ~0 does not work as expected.
Replace ~0 by UINT8_MAX in comparison and also in assignment
(and fix coding style, too).

Cc: Gleb Natapov <gleb@redhat.com>
Cc: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: NStefan Weil <weil@mail.berlios.de>
Signed-off-by: Nmalc <av1474@comtv.ru>