2013-11-26 14:10:15 +00:00
|
|
|
/*
|
|
|
|
* object_event.c: object event queue processing helpers
|
|
|
|
*
|
2014-01-02 14:16:49 +00:00
|
|
|
* Copyright (C) 2010-2014 Red Hat, Inc.
|
2013-11-26 14:10:15 +00:00
|
|
|
* Copyright (C) 2008 VirtualIron
|
|
|
|
* Copyright (C) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
* License along with this library. If not, see
|
|
|
|
* <http://www.gnu.org/licenses/>.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
|
|
|
#include "domain_event.h"
|
2013-12-11 10:37:58 +00:00
|
|
|
#include "network_event.h"
|
2013-11-26 14:10:15 +00:00
|
|
|
#include "object_event.h"
|
|
|
|
#include "object_event_private.h"
|
|
|
|
#include "virlog.h"
|
|
|
|
#include "datatypes.h"
|
|
|
|
#include "viralloc.h"
|
|
|
|
#include "virerror.h"
|
2016-10-11 07:48:36 +00:00
|
|
|
#include "virobject.h"
|
2013-11-26 14:10:15 +00:00
|
|
|
#include "virstring.h"
|
|
|
|
|
|
|
|
#define VIR_FROM_THIS VIR_FROM_NONE
|
|
|
|
|
2014-02-28 12:16:17 +00:00
|
|
|
VIR_LOG_INIT("conf.object_event");
|
|
|
|
|
2016-06-23 15:29:50 +00:00
|
|
|
struct _virObjectEventCallback {
|
|
|
|
int callbackID;
|
|
|
|
virClassPtr klass;
|
|
|
|
int eventID;
|
|
|
|
virConnectPtr conn;
|
|
|
|
int remoteID;
|
2016-06-23 16:14:23 +00:00
|
|
|
bool key_filter;
|
|
|
|
char *key;
|
2016-06-23 15:29:50 +00:00
|
|
|
virObjectEventCallbackFilter filter;
|
|
|
|
void *filter_opaque;
|
|
|
|
virConnectObjectEventGenericCallback cb;
|
|
|
|
void *opaque;
|
|
|
|
virFreeCallback freecb;
|
|
|
|
bool deleted;
|
|
|
|
bool legacy; /* true if end user does not know callbackID */
|
|
|
|
};
|
|
|
|
typedef struct _virObjectEventCallback virObjectEventCallback;
|
|
|
|
typedef virObjectEventCallback *virObjectEventCallbackPtr;
|
|
|
|
|
2014-01-03 21:44:29 +00:00
|
|
|
struct _virObjectEventCallbackList {
|
|
|
|
unsigned int nextID;
|
|
|
|
size_t count;
|
|
|
|
virObjectEventCallbackPtr *callbacks;
|
|
|
|
};
|
|
|
|
|
2013-11-26 14:10:15 +00:00
|
|
|
struct _virObjectEventQueue {
|
2014-01-03 20:31:48 +00:00
|
|
|
size_t count;
|
2013-11-26 14:10:15 +00:00
|
|
|
virObjectEventPtr *events;
|
|
|
|
};
|
2014-01-03 21:44:29 +00:00
|
|
|
typedef struct _virObjectEventQueue virObjectEventQueue;
|
|
|
|
typedef virObjectEventQueue *virObjectEventQueuePtr;
|
|
|
|
|
|
|
|
struct _virObjectEventState {
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectLockable parent;
|
2014-01-03 21:44:29 +00:00
|
|
|
/* The list of domain event callbacks */
|
|
|
|
virObjectEventCallbackListPtr callbacks;
|
|
|
|
/* The queue of object events */
|
|
|
|
virObjectEventQueuePtr queue;
|
|
|
|
/* Timer for flushing events queue */
|
|
|
|
int timer;
|
|
|
|
/* Flag if we're in process of dispatching */
|
|
|
|
bool isDispatching;
|
|
|
|
};
|
|
|
|
|
2013-11-26 14:10:15 +00:00
|
|
|
static virClassPtr virObjectEventClass;
|
2016-10-11 07:48:36 +00:00
|
|
|
static virClassPtr virObjectEventStateClass;
|
2013-11-26 14:10:15 +00:00
|
|
|
|
|
|
|
static void virObjectEventDispose(void *obj);
|
2016-10-11 07:48:36 +00:00
|
|
|
static void virObjectEventStateDispose(void *obj);
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2013-12-11 10:38:03 +00:00
|
|
|
static int
|
|
|
|
virObjectEventOnceInit(void)
|
2013-11-26 14:10:15 +00:00
|
|
|
{
|
2018-04-17 15:42:33 +00:00
|
|
|
if (!VIR_CLASS_NEW(virObjectEventState, virClassForObjectLockable()))
|
2016-10-11 07:48:36 +00:00
|
|
|
return -1;
|
|
|
|
|
2018-04-17 15:42:33 +00:00
|
|
|
if (!VIR_CLASS_NEW(virObjectEvent, virClassForObject()))
|
2013-11-26 14:10:15 +00:00
|
|
|
return -1;
|
2016-10-11 07:48:36 +00:00
|
|
|
|
2013-11-26 14:10:15 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2019-01-20 17:23:29 +00:00
|
|
|
VIR_ONCE_GLOBAL_INIT(virObjectEvent);
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2014-01-02 14:16:49 +00:00
|
|
|
/**
|
|
|
|
* virClassForObjectEvent:
|
|
|
|
*
|
|
|
|
* Return the class object to be used as a parent when creating an
|
|
|
|
* event subclass.
|
|
|
|
*/
|
2013-12-11 10:38:03 +00:00
|
|
|
virClassPtr
|
|
|
|
virClassForObjectEvent(void)
|
2013-11-26 14:10:15 +00:00
|
|
|
{
|
|
|
|
if (virObjectEventInitialize() < 0)
|
|
|
|
return NULL;
|
|
|
|
return virObjectEventClass;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2013-12-11 10:38:03 +00:00
|
|
|
static void
|
|
|
|
virObjectEventDispose(void *obj)
|
2013-11-26 14:10:15 +00:00
|
|
|
{
|
|
|
|
virObjectEventPtr event = obj;
|
|
|
|
|
|
|
|
VIR_DEBUG("obj=%p", event);
|
|
|
|
|
|
|
|
VIR_FREE(event->meta.name);
|
2016-06-23 16:06:39 +00:00
|
|
|
VIR_FREE(event->meta.key);
|
2013-11-26 14:10:15 +00:00
|
|
|
}
|
|
|
|
|
2016-06-23 15:40:53 +00:00
|
|
|
/**
|
|
|
|
* virObjectEventCallbackFree:
|
|
|
|
* @list: event callback to free
|
|
|
|
*
|
|
|
|
* Free the memory in the domain event callback
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
virObjectEventCallbackFree(virObjectEventCallbackPtr cb)
|
|
|
|
{
|
|
|
|
if (!cb)
|
|
|
|
return;
|
|
|
|
|
|
|
|
virObjectUnref(cb->conn);
|
2016-06-23 16:14:23 +00:00
|
|
|
VIR_FREE(cb->key);
|
2016-06-23 15:40:53 +00:00
|
|
|
VIR_FREE(cb);
|
|
|
|
}
|
|
|
|
|
2013-11-26 14:10:15 +00:00
|
|
|
/**
|
|
|
|
* virObjectEventCallbackListFree:
|
|
|
|
* @list: event callback list head
|
|
|
|
*
|
|
|
|
* Free the memory in the domain event callback list
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
virObjectEventCallbackListFree(virObjectEventCallbackListPtr list)
|
|
|
|
{
|
|
|
|
size_t i;
|
|
|
|
if (!list)
|
|
|
|
return;
|
|
|
|
|
2014-01-03 20:31:48 +00:00
|
|
|
for (i = 0; i < list->count; i++) {
|
2013-11-26 14:10:15 +00:00
|
|
|
virFreeCallback freecb = list->callbacks[i]->freecb;
|
|
|
|
if (freecb)
|
|
|
|
(*freecb)(list->callbacks[i]->opaque);
|
|
|
|
VIR_FREE(list->callbacks[i]);
|
|
|
|
}
|
|
|
|
VIR_FREE(list->callbacks);
|
|
|
|
VIR_FREE(list);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
event: properly filter count of remaining events
On the surface, this sequence of API calls should succeed:
id1 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_LIFECYCLE,...);
id2 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_RTC_CHANGE,...);
virConnectDomainEventDeregisterAny(id1);
id1 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_LIFECYCLE,...);
And for test:///default, it does. But for qemu:///system, it fails:
libvirt: XML-RPC error : internal error: domain event 0 already registered
Looking closer, the bug is caused by miscommunication between
the object event engine and the client side of the remote driver.
In our implementation, we set up a single server-side event per
eventID, then the client side replicates that one event to all
callbacks that have been registered client side. To know when
to turn the server side eventID on or off, the client side must
track how many events for the same eventID have been registered.
But while our code was filtering by eventID on event registration,
it did not filter on event deregistration. So the above API calls
resulted in the deregister returning 1 instead of 0, so no RPC
deregister was issued, and the final register detects on the
server side that the server is already handling eventID 0.
Unfortunately, since the problem is only observable on remote
connections, it's not possible to enhance objecteventtest to
expose the semantics using only public API entry points.
* src/conf/object_event.c (virObjectEventCallbackListCount): New
function.
(virObjectEventCallbackListAddID)
(virObjectEventCallbackListRemoveID)
(virObjectEventCallbackListMarkDeleteID): Use it.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 21:50:15 +00:00
|
|
|
/**
|
|
|
|
* virObjectEventCallbackListCount:
|
|
|
|
* @conn: pointer to the connection
|
|
|
|
* @cbList: the list
|
|
|
|
* @klass: the base event class
|
|
|
|
* @eventID: the event ID
|
2016-06-23 16:14:23 +00:00
|
|
|
* @key: optional key of per-object filtering
|
2014-01-06 12:32:55 +00:00
|
|
|
* @serverFilter: true if server supports object filtering
|
event: properly filter count of remaining events
On the surface, this sequence of API calls should succeed:
id1 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_LIFECYCLE,...);
id2 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_RTC_CHANGE,...);
virConnectDomainEventDeregisterAny(id1);
id1 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_LIFECYCLE,...);
And for test:///default, it does. But for qemu:///system, it fails:
libvirt: XML-RPC error : internal error: domain event 0 already registered
Looking closer, the bug is caused by miscommunication between
the object event engine and the client side of the remote driver.
In our implementation, we set up a single server-side event per
eventID, then the client side replicates that one event to all
callbacks that have been registered client side. To know when
to turn the server side eventID on or off, the client side must
track how many events for the same eventID have been registered.
But while our code was filtering by eventID on event registration,
it did not filter on event deregistration. So the above API calls
resulted in the deregister returning 1 instead of 0, so no RPC
deregister was issued, and the final register detects on the
server side that the server is already handling eventID 0.
Unfortunately, since the problem is only observable on remote
connections, it's not possible to enhance objecteventtest to
expose the semantics using only public API entry points.
* src/conf/object_event.c (virObjectEventCallbackListCount): New
function.
(virObjectEventCallbackListAddID)
(virObjectEventCallbackListRemoveID)
(virObjectEventCallbackListMarkDeleteID): Use it.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 21:50:15 +00:00
|
|
|
*
|
|
|
|
* Internal function to count how many callbacks remain registered for
|
2016-06-23 16:14:23 +00:00
|
|
|
* the given @eventID and @key; knowing this allows the client side
|
2014-01-06 12:32:55 +00:00
|
|
|
* of the remote driver know when it must send an RPC to adjust the
|
|
|
|
* callbacks on the server. When @serverFilter is false, this function
|
|
|
|
* returns a count that includes both global and per-object callbacks,
|
|
|
|
* since the remote side will use a single global event to feed both.
|
|
|
|
* When true, the count is limited to the callbacks with the same
|
2016-06-23 16:14:23 +00:00
|
|
|
* @key, and where a remoteID has already been set on the callback
|
2014-01-06 12:32:55 +00:00
|
|
|
* with virObjectEventStateSetRemote(). Note that this function
|
|
|
|
* intentionally ignores the legacy field, since RPC calls use only a
|
|
|
|
* single callback on the server to manage both legacy and modern
|
|
|
|
* global domain lifecycle events.
|
event: properly filter count of remaining events
On the surface, this sequence of API calls should succeed:
id1 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_LIFECYCLE,...);
id2 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_RTC_CHANGE,...);
virConnectDomainEventDeregisterAny(id1);
id1 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_LIFECYCLE,...);
And for test:///default, it does. But for qemu:///system, it fails:
libvirt: XML-RPC error : internal error: domain event 0 already registered
Looking closer, the bug is caused by miscommunication between
the object event engine and the client side of the remote driver.
In our implementation, we set up a single server-side event per
eventID, then the client side replicates that one event to all
callbacks that have been registered client side. To know when
to turn the server side eventID on or off, the client side must
track how many events for the same eventID have been registered.
But while our code was filtering by eventID on event registration,
it did not filter on event deregistration. So the above API calls
resulted in the deregister returning 1 instead of 0, so no RPC
deregister was issued, and the final register detects on the
server side that the server is already handling eventID 0.
Unfortunately, since the problem is only observable on remote
connections, it's not possible to enhance objecteventtest to
expose the semantics using only public API entry points.
* src/conf/object_event.c (virObjectEventCallbackListCount): New
function.
(virObjectEventCallbackListAddID)
(virObjectEventCallbackListRemoveID)
(virObjectEventCallbackListMarkDeleteID): Use it.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 21:50:15 +00:00
|
|
|
*/
|
|
|
|
static int
|
|
|
|
virObjectEventCallbackListCount(virConnectPtr conn,
|
|
|
|
virObjectEventCallbackListPtr cbList,
|
|
|
|
virClassPtr klass,
|
2014-01-06 12:32:55 +00:00
|
|
|
int eventID,
|
2016-06-23 16:14:23 +00:00
|
|
|
const char *key,
|
2014-01-06 12:32:55 +00:00
|
|
|
bool serverFilter)
|
event: properly filter count of remaining events
On the surface, this sequence of API calls should succeed:
id1 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_LIFECYCLE,...);
id2 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_RTC_CHANGE,...);
virConnectDomainEventDeregisterAny(id1);
id1 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_LIFECYCLE,...);
And for test:///default, it does. But for qemu:///system, it fails:
libvirt: XML-RPC error : internal error: domain event 0 already registered
Looking closer, the bug is caused by miscommunication between
the object event engine and the client side of the remote driver.
In our implementation, we set up a single server-side event per
eventID, then the client side replicates that one event to all
callbacks that have been registered client side. To know when
to turn the server side eventID on or off, the client side must
track how many events for the same eventID have been registered.
But while our code was filtering by eventID on event registration,
it did not filter on event deregistration. So the above API calls
resulted in the deregister returning 1 instead of 0, so no RPC
deregister was issued, and the final register detects on the
server side that the server is already handling eventID 0.
Unfortunately, since the problem is only observable on remote
connections, it's not possible to enhance objecteventtest to
expose the semantics using only public API entry points.
* src/conf/object_event.c (virObjectEventCallbackListCount): New
function.
(virObjectEventCallbackListAddID)
(virObjectEventCallbackListRemoveID)
(virObjectEventCallbackListMarkDeleteID): Use it.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 21:50:15 +00:00
|
|
|
{
|
|
|
|
size_t i;
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
for (i = 0; i < cbList->count; i++) {
|
|
|
|
virObjectEventCallbackPtr cb = cbList->callbacks[i];
|
|
|
|
|
qemu: enable monitor event filtering by name
Filtering monitor events by name requires tracking the name for
the duration of the filtering. In order to free the name, I
found it easiest to just piggyback on the user's freecb function,
which gets called when the event is deregistered.
For events without a name filter, we have the design of multiple
client registrations sharing a common server registration, because
the server side uses the same callback function and we reject
duplicate use of the same function. But with events in the mix,
we want to be able to allow the same function pointer to be used
with more than one event name. The solution is to tweak the
duplicate detection code to only act when there is no additional
filtering; if name filtering is in use, there is exactly one
client registration per server registration. Yes, this means
that there is no longer a bound on the number of server
registrations possible, so a malicious client could repeatedly
register for the same name event to exhaust server memory. On
the other hand, we already restricted monitor events to require
write access (compared to normal events only needing read access),
and separated it into the intentionally unsupported
libvirt-qemu.so, with documentation that using this function is
for debug purposes only; so it is not a security risk worth
worrying about a client trying to abuse multiple registrations.
* src/conf/domain_event.c (virDomainQemuMonitorEventData): New
struct.
(virDomainQemuMonitorEventFilter)
(virDomainQemuMonitorEventCleanup): New functions.
(virDomainQemuMonitorEventDispatchFunc)
(virDomainQemuMonitorEventStateRegisterID): Use new struct.
* src/conf/object_event.c (virObjectEventCallbackListCount)
(virObjectEventCallbackListAddID)
(virObjectEventCallbackListRemoveID)
(virObjectEventCallbackListMarkDeleteID): Drop duplicate detection
when filtering is in effect.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-31 14:02:25 +00:00
|
|
|
if (cb->filter)
|
|
|
|
continue;
|
event: properly filter count of remaining events
On the surface, this sequence of API calls should succeed:
id1 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_LIFECYCLE,...);
id2 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_RTC_CHANGE,...);
virConnectDomainEventDeregisterAny(id1);
id1 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_LIFECYCLE,...);
And for test:///default, it does. But for qemu:///system, it fails:
libvirt: XML-RPC error : internal error: domain event 0 already registered
Looking closer, the bug is caused by miscommunication between
the object event engine and the client side of the remote driver.
In our implementation, we set up a single server-side event per
eventID, then the client side replicates that one event to all
callbacks that have been registered client side. To know when
to turn the server side eventID on or off, the client side must
track how many events for the same eventID have been registered.
But while our code was filtering by eventID on event registration,
it did not filter on event deregistration. So the above API calls
resulted in the deregister returning 1 instead of 0, so no RPC
deregister was issued, and the final register detects on the
server side that the server is already handling eventID 0.
Unfortunately, since the problem is only observable on remote
connections, it's not possible to enhance objecteventtest to
expose the semantics using only public API entry points.
* src/conf/object_event.c (virObjectEventCallbackListCount): New
function.
(virObjectEventCallbackListAddID)
(virObjectEventCallbackListRemoveID)
(virObjectEventCallbackListMarkDeleteID): Use it.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 21:50:15 +00:00
|
|
|
if (cb->klass == klass &&
|
|
|
|
cb->eventID == eventID &&
|
|
|
|
cb->conn == conn &&
|
2014-01-06 12:32:55 +00:00
|
|
|
!cb->deleted &&
|
|
|
|
(!serverFilter ||
|
|
|
|
(cb->remoteID >= 0 &&
|
2016-06-23 16:14:23 +00:00
|
|
|
((key && cb->key_filter && STREQ(cb->key, key)) ||
|
|
|
|
(!key && !cb->key_filter)))))
|
event: properly filter count of remaining events
On the surface, this sequence of API calls should succeed:
id1 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_LIFECYCLE,...);
id2 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_RTC_CHANGE,...);
virConnectDomainEventDeregisterAny(id1);
id1 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_LIFECYCLE,...);
And for test:///default, it does. But for qemu:///system, it fails:
libvirt: XML-RPC error : internal error: domain event 0 already registered
Looking closer, the bug is caused by miscommunication between
the object event engine and the client side of the remote driver.
In our implementation, we set up a single server-side event per
eventID, then the client side replicates that one event to all
callbacks that have been registered client side. To know when
to turn the server side eventID on or off, the client side must
track how many events for the same eventID have been registered.
But while our code was filtering by eventID on event registration,
it did not filter on event deregistration. So the above API calls
resulted in the deregister returning 1 instead of 0, so no RPC
deregister was issued, and the final register detects on the
server side that the server is already handling eventID 0.
Unfortunately, since the problem is only observable on remote
connections, it's not possible to enhance objecteventtest to
expose the semantics using only public API entry points.
* src/conf/object_event.c (virObjectEventCallbackListCount): New
function.
(virObjectEventCallbackListAddID)
(virObjectEventCallbackListRemoveID)
(virObjectEventCallbackListMarkDeleteID): Use it.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 21:50:15 +00:00
|
|
|
ret++;
|
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2013-11-26 14:10:15 +00:00
|
|
|
/**
|
|
|
|
* virObjectEventCallbackListRemoveID:
|
|
|
|
* @conn: pointer to the connection
|
|
|
|
* @cbList: the list
|
|
|
|
* @callback: the callback to remove
|
2017-06-14 11:32:15 +00:00
|
|
|
* @doFreeCb: Inhibit calling the freecb
|
2013-11-26 14:10:15 +00:00
|
|
|
*
|
|
|
|
* Internal function to remove a callback from a virObjectEventCallbackListPtr
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
virObjectEventCallbackListRemoveID(virConnectPtr conn,
|
|
|
|
virObjectEventCallbackListPtr cbList,
|
2017-06-14 11:32:15 +00:00
|
|
|
int callbackID,
|
|
|
|
bool doFreeCb)
|
2013-11-26 14:10:15 +00:00
|
|
|
{
|
|
|
|
size_t i;
|
|
|
|
|
2014-01-03 20:31:48 +00:00
|
|
|
for (i = 0; i < cbList->count; i++) {
|
|
|
|
virObjectEventCallbackPtr cb = cbList->callbacks[i];
|
|
|
|
|
|
|
|
if (cb->callbackID == callbackID && cb->conn == conn) {
|
2014-01-06 12:32:55 +00:00
|
|
|
int ret;
|
|
|
|
|
qemu: enable monitor event filtering by name
Filtering monitor events by name requires tracking the name for
the duration of the filtering. In order to free the name, I
found it easiest to just piggyback on the user's freecb function,
which gets called when the event is deregistered.
For events without a name filter, we have the design of multiple
client registrations sharing a common server registration, because
the server side uses the same callback function and we reject
duplicate use of the same function. But with events in the mix,
we want to be able to allow the same function pointer to be used
with more than one event name. The solution is to tweak the
duplicate detection code to only act when there is no additional
filtering; if name filtering is in use, there is exactly one
client registration per server registration. Yes, this means
that there is no longer a bound on the number of server
registrations possible, so a malicious client could repeatedly
register for the same name event to exhaust server memory. On
the other hand, we already restricted monitor events to require
write access (compared to normal events only needing read access),
and separated it into the intentionally unsupported
libvirt-qemu.so, with documentation that using this function is
for debug purposes only; so it is not a security risk worth
worrying about a client trying to abuse multiple registrations.
* src/conf/domain_event.c (virDomainQemuMonitorEventData): New
struct.
(virDomainQemuMonitorEventFilter)
(virDomainQemuMonitorEventCleanup): New functions.
(virDomainQemuMonitorEventDispatchFunc)
(virDomainQemuMonitorEventStateRegisterID): Use new struct.
* src/conf/object_event.c (virObjectEventCallbackListCount)
(virObjectEventCallbackListAddID)
(virObjectEventCallbackListRemoveID)
(virObjectEventCallbackListMarkDeleteID): Drop duplicate detection
when filtering is in effect.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-31 14:02:25 +00:00
|
|
|
ret = cb->filter ? 0 :
|
|
|
|
(virObjectEventCallbackListCount(conn, cbList, cb->klass,
|
|
|
|
cb->eventID,
|
2016-06-23 16:14:23 +00:00
|
|
|
cb->key_filter ? cb->key : NULL,
|
qemu: enable monitor event filtering by name
Filtering monitor events by name requires tracking the name for
the duration of the filtering. In order to free the name, I
found it easiest to just piggyback on the user's freecb function,
which gets called when the event is deregistered.
For events without a name filter, we have the design of multiple
client registrations sharing a common server registration, because
the server side uses the same callback function and we reject
duplicate use of the same function. But with events in the mix,
we want to be able to allow the same function pointer to be used
with more than one event name. The solution is to tweak the
duplicate detection code to only act when there is no additional
filtering; if name filtering is in use, there is exactly one
client registration per server registration. Yes, this means
that there is no longer a bound on the number of server
registrations possible, so a malicious client could repeatedly
register for the same name event to exhaust server memory. On
the other hand, we already restricted monitor events to require
write access (compared to normal events only needing read access),
and separated it into the intentionally unsupported
libvirt-qemu.so, with documentation that using this function is
for debug purposes only; so it is not a security risk worth
worrying about a client trying to abuse multiple registrations.
* src/conf/domain_event.c (virDomainQemuMonitorEventData): New
struct.
(virDomainQemuMonitorEventFilter)
(virDomainQemuMonitorEventCleanup): New functions.
(virDomainQemuMonitorEventDispatchFunc)
(virDomainQemuMonitorEventStateRegisterID): Use new struct.
* src/conf/object_event.c (virObjectEventCallbackListCount)
(virObjectEventCallbackListAddID)
(virObjectEventCallbackListRemoveID)
(virObjectEventCallbackListMarkDeleteID): Drop duplicate detection
when filtering is in effect.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-31 14:02:25 +00:00
|
|
|
cb->remoteID >= 0) - 1);
|
event: properly filter count of remaining events
On the surface, this sequence of API calls should succeed:
id1 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_LIFECYCLE,...);
id2 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_RTC_CHANGE,...);
virConnectDomainEventDeregisterAny(id1);
id1 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_LIFECYCLE,...);
And for test:///default, it does. But for qemu:///system, it fails:
libvirt: XML-RPC error : internal error: domain event 0 already registered
Looking closer, the bug is caused by miscommunication between
the object event engine and the client side of the remote driver.
In our implementation, we set up a single server-side event per
eventID, then the client side replicates that one event to all
callbacks that have been registered client side. To know when
to turn the server side eventID on or off, the client side must
track how many events for the same eventID have been registered.
But while our code was filtering by eventID on event registration,
it did not filter on event deregistration. So the above API calls
resulted in the deregister returning 1 instead of 0, so no RPC
deregister was issued, and the final register detects on the
server side that the server is already handling eventID 0.
Unfortunately, since the problem is only observable on remote
connections, it's not possible to enhance objecteventtest to
expose the semantics using only public API entry points.
* src/conf/object_event.c (virObjectEventCallbackListCount): New
function.
(virObjectEventCallbackListAddID)
(virObjectEventCallbackListRemoveID)
(virObjectEventCallbackListMarkDeleteID): Use it.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 21:50:15 +00:00
|
|
|
|
2017-06-14 11:32:15 +00:00
|
|
|
/* @doFreeCb inhibits calling @freecb from error paths in
|
|
|
|
* register functions to ensure the caller of a failed register
|
|
|
|
* function won't end up with a double free error */
|
|
|
|
if (doFreeCb && cb->freecb)
|
2014-01-03 20:31:48 +00:00
|
|
|
(*cb->freecb)(cb->opaque);
|
2016-06-23 15:40:53 +00:00
|
|
|
virObjectEventCallbackFree(cb);
|
2014-01-03 20:31:48 +00:00
|
|
|
VIR_DELETE_ELEMENT(cbList->callbacks, i, cbList->count);
|
2014-01-06 12:32:55 +00:00
|
|
|
return ret;
|
2013-11-26 14:10:15 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-01-08 17:10:49 +00:00
|
|
|
virReportError(VIR_ERR_INVALID_ARG,
|
|
|
|
_("could not find event callback %d for deletion"),
|
|
|
|
callbackID);
|
2013-11-26 14:10:15 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
virObjectEventCallbackListMarkDeleteID(virConnectPtr conn,
|
|
|
|
virObjectEventCallbackListPtr cbList,
|
|
|
|
int callbackID)
|
|
|
|
{
|
|
|
|
size_t i;
|
2014-01-03 20:31:48 +00:00
|
|
|
|
2013-11-26 14:10:15 +00:00
|
|
|
for (i = 0; i < cbList->count; i++) {
|
event: properly filter count of remaining events
On the surface, this sequence of API calls should succeed:
id1 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_LIFECYCLE,...);
id2 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_RTC_CHANGE,...);
virConnectDomainEventDeregisterAny(id1);
id1 = virConnectDomainEventRegisterAny(..., VIR_DOMAIN_EVENT_ID_LIFECYCLE,...);
And for test:///default, it does. But for qemu:///system, it fails:
libvirt: XML-RPC error : internal error: domain event 0 already registered
Looking closer, the bug is caused by miscommunication between
the object event engine and the client side of the remote driver.
In our implementation, we set up a single server-side event per
eventID, then the client side replicates that one event to all
callbacks that have been registered client side. To know when
to turn the server side eventID on or off, the client side must
track how many events for the same eventID have been registered.
But while our code was filtering by eventID on event registration,
it did not filter on event deregistration. So the above API calls
resulted in the deregister returning 1 instead of 0, so no RPC
deregister was issued, and the final register detects on the
server side that the server is already handling eventID 0.
Unfortunately, since the problem is only observable on remote
connections, it's not possible to enhance objecteventtest to
expose the semantics using only public API entry points.
* src/conf/object_event.c (virObjectEventCallbackListCount): New
function.
(virObjectEventCallbackListAddID)
(virObjectEventCallbackListRemoveID)
(virObjectEventCallbackListMarkDeleteID): Use it.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 21:50:15 +00:00
|
|
|
virObjectEventCallbackPtr cb = cbList->callbacks[i];
|
|
|
|
|
|
|
|
if (cb->callbackID == callbackID && cb->conn == conn) {
|
|
|
|
cb->deleted = true;
|
qemu: enable monitor event filtering by name
Filtering monitor events by name requires tracking the name for
the duration of the filtering. In order to free the name, I
found it easiest to just piggyback on the user's freecb function,
which gets called when the event is deregistered.
For events without a name filter, we have the design of multiple
client registrations sharing a common server registration, because
the server side uses the same callback function and we reject
duplicate use of the same function. But with events in the mix,
we want to be able to allow the same function pointer to be used
with more than one event name. The solution is to tweak the
duplicate detection code to only act when there is no additional
filtering; if name filtering is in use, there is exactly one
client registration per server registration. Yes, this means
that there is no longer a bound on the number of server
registrations possible, so a malicious client could repeatedly
register for the same name event to exhaust server memory. On
the other hand, we already restricted monitor events to require
write access (compared to normal events only needing read access),
and separated it into the intentionally unsupported
libvirt-qemu.so, with documentation that using this function is
for debug purposes only; so it is not a security risk worth
worrying about a client trying to abuse multiple registrations.
* src/conf/domain_event.c (virDomainQemuMonitorEventData): New
struct.
(virDomainQemuMonitorEventFilter)
(virDomainQemuMonitorEventCleanup): New functions.
(virDomainQemuMonitorEventDispatchFunc)
(virDomainQemuMonitorEventStateRegisterID): Use new struct.
* src/conf/object_event.c (virObjectEventCallbackListCount)
(virObjectEventCallbackListAddID)
(virObjectEventCallbackListRemoveID)
(virObjectEventCallbackListMarkDeleteID): Drop duplicate detection
when filtering is in effect.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-31 14:02:25 +00:00
|
|
|
return cb->filter ? 0 :
|
|
|
|
virObjectEventCallbackListCount(conn, cbList, cb->klass,
|
|
|
|
cb->eventID,
|
2016-06-23 16:14:23 +00:00
|
|
|
cb->key_filter ? cb->key : NULL,
|
qemu: enable monitor event filtering by name
Filtering monitor events by name requires tracking the name for
the duration of the filtering. In order to free the name, I
found it easiest to just piggyback on the user's freecb function,
which gets called when the event is deregistered.
For events without a name filter, we have the design of multiple
client registrations sharing a common server registration, because
the server side uses the same callback function and we reject
duplicate use of the same function. But with events in the mix,
we want to be able to allow the same function pointer to be used
with more than one event name. The solution is to tweak the
duplicate detection code to only act when there is no additional
filtering; if name filtering is in use, there is exactly one
client registration per server registration. Yes, this means
that there is no longer a bound on the number of server
registrations possible, so a malicious client could repeatedly
register for the same name event to exhaust server memory. On
the other hand, we already restricted monitor events to require
write access (compared to normal events only needing read access),
and separated it into the intentionally unsupported
libvirt-qemu.so, with documentation that using this function is
for debug purposes only; so it is not a security risk worth
worrying about a client trying to abuse multiple registrations.
* src/conf/domain_event.c (virDomainQemuMonitorEventData): New
struct.
(virDomainQemuMonitorEventFilter)
(virDomainQemuMonitorEventCleanup): New functions.
(virDomainQemuMonitorEventDispatchFunc)
(virDomainQemuMonitorEventStateRegisterID): Use new struct.
* src/conf/object_event.c (virObjectEventCallbackListCount)
(virObjectEventCallbackListAddID)
(virObjectEventCallbackListRemoveID)
(virObjectEventCallbackListMarkDeleteID): Drop duplicate detection
when filtering is in effect.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-31 14:02:25 +00:00
|
|
|
cb->remoteID >= 0);
|
2013-11-26 14:10:15 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-01-08 17:10:49 +00:00
|
|
|
virReportError(VIR_ERR_INVALID_ARG,
|
|
|
|
_("could not find event callback %d for deletion"),
|
|
|
|
callbackID);
|
2013-11-26 14:10:15 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
virObjectEventCallbackListPurgeMarked(virObjectEventCallbackListPtr cbList)
|
|
|
|
{
|
2014-03-07 08:33:31 +00:00
|
|
|
size_t n;
|
2013-11-26 14:10:15 +00:00
|
|
|
for (n = 0; n < cbList->count; n++) {
|
|
|
|
if (cbList->callbacks[n]->deleted) {
|
|
|
|
virFreeCallback freecb = cbList->callbacks[n]->freecb;
|
|
|
|
if (freecb)
|
|
|
|
(*freecb)(cbList->callbacks[n]->opaque);
|
2016-06-23 15:40:53 +00:00
|
|
|
virObjectEventCallbackFree(cbList->callbacks[n]);
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2014-03-07 08:33:31 +00:00
|
|
|
VIR_DELETE_ELEMENT(cbList->callbacks, n, cbList->count);
|
2013-11-26 14:10:15 +00:00
|
|
|
n--;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
/**
|
|
|
|
* virObjectEventCallbackLookup:
|
|
|
|
* @conn: pointer to the connection
|
|
|
|
* @cbList: the list
|
2016-06-23 16:14:23 +00:00
|
|
|
* @key: the key of the object to filter on
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
* @klass: the base event class
|
|
|
|
* @eventID: the event ID
|
|
|
|
* @callback: the callback to locate
|
event: don't allow mix of old- and new-style registration
Consider these two calls, in either order:
id1 = virConnectDomainEventRegisterAny(conn, NULL,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
Right now, the second call fails, because under the hood, the
old-style function registration is tightly coupled to the
new style lifecycle eventID, and the two calls both try
to register the same global eventID callback representation.
We've alreay documented that users should avoid old-style
registration and deregistration, so anyone heeding the advice
won't run into this situation. But it would be even nicer if
we pretend the two interfaces are completely separate, and
disallow any cross-linking. That is, a call to old-style
deregister should never remove a new-style callback even if it
is the same function pointer, and a call to new-style callback
using only callbackIDs obtained legitimately should never
remove an old-style callback (of course, since our callback
IDs are sequential, and there is still coupling under the
hood, you can easily guess the callbackID of an old style
registration and use new-style deregistration to nuke it - but
that starts to be blatantly bad coding on your part rather
than a surprising result on what looks like reasonable
stand-alone API).
With this patch, you can now register a global lifecycle event
handler twice, by using both old and new APIs; if such an event
occurs, your callback will be entered twice. But that is not a
problem in practice, since it is already possible to use the
new API to register both a global and per-domain event handler
using the same function, which will likewise fire your callback
twice for that domain. Duplicates are still prevented when
using the same API with same parameters twice (old-style twice,
new-style global twice, or new-style per-domain with same domain
twice), and things are still bounded (it is not possible to
register a single function pointer more than N+2 times per event
id, where N is the number of domains available on the connection).
Besides, it has always been possible to register as many
separate function pointers on the same event id as desired,
through either old or new style API, where the bound there is
the physical limitation of writing a program with enough
distinct function pointers.
Adding another event registration in the testsuite is sufficient
to cover this, where the test fails without the rest of the patch.
* src/conf/object_event.c (_virObjectEventCallback): Add field.
(virObjectEventCallbackLookup): Add argument.
(virObjectEventCallbackListAddID, virObjectEventStateCallbackID):
Adjust callers.
* tests/objecteventtest.c (testDomainCreateXMLMixed): Enhance test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-04 12:55:55 +00:00
|
|
|
* @legacy: true if callback is tracked by function instead of callbackID
|
2014-01-06 12:32:55 +00:00
|
|
|
* @remoteID: optionally return a known remoteID
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
*
|
|
|
|
* Internal function to determine if @callback already has a
|
2014-01-06 12:32:55 +00:00
|
|
|
* callbackID in @cbList for the given @conn and other filters. If
|
|
|
|
* @remoteID is non-NULL, and another callback exists that can be
|
|
|
|
* serviced by the same remote event, then set it to that remote ID.
|
|
|
|
*
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
* Return the id if found, or -1 with no error issued if not present.
|
|
|
|
*/
|
|
|
|
static int ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2)
|
|
|
|
virObjectEventCallbackLookup(virConnectPtr conn,
|
|
|
|
virObjectEventCallbackListPtr cbList,
|
2016-06-23 16:14:23 +00:00
|
|
|
const char *key,
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
virClassPtr klass,
|
|
|
|
int eventID,
|
event: don't allow mix of old- and new-style registration
Consider these two calls, in either order:
id1 = virConnectDomainEventRegisterAny(conn, NULL,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
Right now, the second call fails, because under the hood, the
old-style function registration is tightly coupled to the
new style lifecycle eventID, and the two calls both try
to register the same global eventID callback representation.
We've alreay documented that users should avoid old-style
registration and deregistration, so anyone heeding the advice
won't run into this situation. But it would be even nicer if
we pretend the two interfaces are completely separate, and
disallow any cross-linking. That is, a call to old-style
deregister should never remove a new-style callback even if it
is the same function pointer, and a call to new-style callback
using only callbackIDs obtained legitimately should never
remove an old-style callback (of course, since our callback
IDs are sequential, and there is still coupling under the
hood, you can easily guess the callbackID of an old style
registration and use new-style deregistration to nuke it - but
that starts to be blatantly bad coding on your part rather
than a surprising result on what looks like reasonable
stand-alone API).
With this patch, you can now register a global lifecycle event
handler twice, by using both old and new APIs; if such an event
occurs, your callback will be entered twice. But that is not a
problem in practice, since it is already possible to use the
new API to register both a global and per-domain event handler
using the same function, which will likewise fire your callback
twice for that domain. Duplicates are still prevented when
using the same API with same parameters twice (old-style twice,
new-style global twice, or new-style per-domain with same domain
twice), and things are still bounded (it is not possible to
register a single function pointer more than N+2 times per event
id, where N is the number of domains available on the connection).
Besides, it has always been possible to register as many
separate function pointers on the same event id as desired,
through either old or new style API, where the bound there is
the physical limitation of writing a program with enough
distinct function pointers.
Adding another event registration in the testsuite is sufficient
to cover this, where the test fails without the rest of the patch.
* src/conf/object_event.c (_virObjectEventCallback): Add field.
(virObjectEventCallbackLookup): Add argument.
(virObjectEventCallbackListAddID, virObjectEventStateCallbackID):
Adjust callers.
* tests/objecteventtest.c (testDomainCreateXMLMixed): Enhance test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-04 12:55:55 +00:00
|
|
|
virConnectObjectEventGenericCallback callback,
|
2014-01-06 12:32:55 +00:00
|
|
|
bool legacy,
|
|
|
|
int *remoteID)
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
{
|
|
|
|
size_t i;
|
|
|
|
|
2014-01-06 12:32:55 +00:00
|
|
|
if (remoteID)
|
|
|
|
*remoteID = -1;
|
|
|
|
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
for (i = 0; i < cbList->count; i++) {
|
|
|
|
virObjectEventCallbackPtr cb = cbList->callbacks[i];
|
|
|
|
|
|
|
|
if (cb->deleted)
|
|
|
|
continue;
|
2014-01-06 12:32:55 +00:00
|
|
|
if (cb->klass == klass &&
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
cb->eventID == eventID &&
|
|
|
|
cb->conn == conn &&
|
2016-06-23 16:14:23 +00:00
|
|
|
((key && cb->key_filter && STREQ(cb->key, key)) ||
|
|
|
|
(!key && !cb->key_filter))) {
|
2014-01-06 12:32:55 +00:00
|
|
|
if (remoteID)
|
|
|
|
*remoteID = cb->remoteID;
|
2014-01-08 04:00:54 +00:00
|
|
|
if (cb->legacy == legacy &&
|
|
|
|
cb->cb == callback)
|
2014-01-06 12:32:55 +00:00
|
|
|
return cb->callbackID;
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
}
|
|
|
|
}
|
2014-01-06 12:32:55 +00:00
|
|
|
return -1;
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2013-11-26 14:10:15 +00:00
|
|
|
/**
|
|
|
|
* virObjectEventCallbackListAddID:
|
|
|
|
* @conn: pointer to the connection
|
|
|
|
* @cbList: the list
|
2016-06-23 16:14:23 +00:00
|
|
|
* @key: the optional key of the object to filter on
|
event: filter global events by domain:getattr ACL [CVE-2014-0028]
Ever since ACL filtering was added in commit 7639736 (v1.1.1), a
user could still use event registration to obtain access to a
domain that they could not normally access via virDomainLookup*
or virConnectListAllDomains and friends. We already have the
framework in the RPC generator for creating the filter, and
previous cleanup patches got us to the point that we can now
wire the filter through the entire object event stack.
Furthermore, whether or not domain:getattr is honored, use of
global events is a form of obtaining a list of networks, which
is covered by connect:search_domains added in a93cd08 (v1.1.0).
Ideally, we'd have a way to enforce connect:search_domains when
doing global registrations while omitting that check on a
per-domain registration. But this patch just unconditionally
requires connect:search_domains, even when no list could be
obtained, based on the following observations:
1. Administrators are unlikely to grant domain:getattr for one
or all domains while still denying connect:search_domains - a
user that is able to manage domains will want to be able to
manage them efficiently, but efficient management includes being
able to list the domains they can access. The idea of denying
connect:search_domains while still granting access to individual
domains is therefore not adding any real security, but just
serves as a layer of obscurity to annoy the end user.
2. In the current implementation, domain events are filtered
on the client; the server has no idea if a domain filter was
requested, and must therefore assume that all domain event
requests are global. Even if we fix the RPC protocol to
allow for server-side filtering for newer client/server combos,
making the connect:serach_domains ACL check conditional on
whether the domain argument was NULL won't benefit older clients.
Therefore, we choose to document that connect:search_domains
is a pre-requisite to any domain event management.
Network events need the same treatment, with the obvious
change of using connect:search_networks and network:getattr.
* src/access/viraccessperm.h
(VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS)
(VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS): Document additional
effect of the permission.
* src/conf/domain_event.h (virDomainEventStateRegister)
(virDomainEventStateRegisterID): Add new parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID):
Likewise.
* src/conf/object_event_private.h (virObjectEventStateRegisterID):
Likewise.
* src/conf/object_event.c (_virObjectEventCallback): Track a filter.
(virObjectEventDispatchMatchCallback): Use filter.
(virObjectEventCallbackListAddID): Register filter.
* src/conf/domain_event.c (virDomainEventFilter): New function.
(virDomainEventStateRegister, virDomainEventStateRegisterID):
Adjust callers.
* src/conf/network_event.c (virNetworkEventFilter): New function.
(virNetworkEventStateRegisterID): Adjust caller.
* src/remote/remote_protocol.x
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER)
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY)
(REMOTE_PROC_CONNECT_NETWORK_EVENT_REGISTER_ANY): Generate a
filter, and require connect:search_domains instead of weaker
connect:read.
* src/test/test_driver.c (testConnectDomainEventRegister)
(testConnectDomainEventRegisterAny)
(testConnectNetworkEventRegisterAny): Update callers.
* src/remote/remote_driver.c (remoteConnectDomainEventRegister)
(remoteConnectDomainEventRegisterAny): Likewise.
* src/xen/xen_driver.c (xenUnifiedConnectDomainEventRegister)
(xenUnifiedConnectDomainEventRegisterAny): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc): Likewise.
* src/libxl/libxl_driver.c (libxlConnectDomainEventRegister)
(libxlConnectDomainEventRegisterAny): Likewise.
* src/qemu/qemu_driver.c (qemuConnectDomainEventRegister)
(qemuConnectDomainEventRegisterAny): Likewise.
* src/uml/uml_driver.c (umlConnectDomainEventRegister)
(umlConnectDomainEventRegisterAny): Likewise.
* src/network/bridge_driver.c
(networkConnectNetworkEventRegisterAny): Likewise.
* src/lxc/lxc_driver.c (lxcConnectDomainEventRegister)
(lxcConnectDomainEventRegisterAny): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-08 20:34:48 +00:00
|
|
|
* @filter: optional last-ditch filter callback
|
|
|
|
* @filter_opaque: opaque data to pass to @filter
|
2013-12-11 14:10:34 +00:00
|
|
|
* @klass: the base event class
|
2013-11-26 14:10:15 +00:00
|
|
|
* @eventID: the event ID
|
|
|
|
* @callback: the callback to add
|
2014-01-02 14:16:49 +00:00
|
|
|
* @opaque: opaque data to pass to @callback
|
|
|
|
* @freecb: callback to free @opaque
|
2014-01-08 04:00:54 +00:00
|
|
|
* @legacy: true if callback is tracked by function instead of callbackID
|
2013-11-26 14:10:15 +00:00
|
|
|
* @callbackID: filled with callback ID
|
2014-01-06 12:32:55 +00:00
|
|
|
* @serverFilter: true if server supports object filtering
|
2013-11-26 14:10:15 +00:00
|
|
|
*
|
|
|
|
* Internal function to add a callback from a virObjectEventCallbackListPtr
|
|
|
|
*/
|
2014-01-03 21:44:29 +00:00
|
|
|
static int
|
2013-11-26 14:10:15 +00:00
|
|
|
virObjectEventCallbackListAddID(virConnectPtr conn,
|
|
|
|
virObjectEventCallbackListPtr cbList,
|
2016-06-23 16:14:23 +00:00
|
|
|
const char *key,
|
event: filter global events by domain:getattr ACL [CVE-2014-0028]
Ever since ACL filtering was added in commit 7639736 (v1.1.1), a
user could still use event registration to obtain access to a
domain that they could not normally access via virDomainLookup*
or virConnectListAllDomains and friends. We already have the
framework in the RPC generator for creating the filter, and
previous cleanup patches got us to the point that we can now
wire the filter through the entire object event stack.
Furthermore, whether or not domain:getattr is honored, use of
global events is a form of obtaining a list of networks, which
is covered by connect:search_domains added in a93cd08 (v1.1.0).
Ideally, we'd have a way to enforce connect:search_domains when
doing global registrations while omitting that check on a
per-domain registration. But this patch just unconditionally
requires connect:search_domains, even when no list could be
obtained, based on the following observations:
1. Administrators are unlikely to grant domain:getattr for one
or all domains while still denying connect:search_domains - a
user that is able to manage domains will want to be able to
manage them efficiently, but efficient management includes being
able to list the domains they can access. The idea of denying
connect:search_domains while still granting access to individual
domains is therefore not adding any real security, but just
serves as a layer of obscurity to annoy the end user.
2. In the current implementation, domain events are filtered
on the client; the server has no idea if a domain filter was
requested, and must therefore assume that all domain event
requests are global. Even if we fix the RPC protocol to
allow for server-side filtering for newer client/server combos,
making the connect:serach_domains ACL check conditional on
whether the domain argument was NULL won't benefit older clients.
Therefore, we choose to document that connect:search_domains
is a pre-requisite to any domain event management.
Network events need the same treatment, with the obvious
change of using connect:search_networks and network:getattr.
* src/access/viraccessperm.h
(VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS)
(VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS): Document additional
effect of the permission.
* src/conf/domain_event.h (virDomainEventStateRegister)
(virDomainEventStateRegisterID): Add new parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID):
Likewise.
* src/conf/object_event_private.h (virObjectEventStateRegisterID):
Likewise.
* src/conf/object_event.c (_virObjectEventCallback): Track a filter.
(virObjectEventDispatchMatchCallback): Use filter.
(virObjectEventCallbackListAddID): Register filter.
* src/conf/domain_event.c (virDomainEventFilter): New function.
(virDomainEventStateRegister, virDomainEventStateRegisterID):
Adjust callers.
* src/conf/network_event.c (virNetworkEventFilter): New function.
(virNetworkEventStateRegisterID): Adjust caller.
* src/remote/remote_protocol.x
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER)
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY)
(REMOTE_PROC_CONNECT_NETWORK_EVENT_REGISTER_ANY): Generate a
filter, and require connect:search_domains instead of weaker
connect:read.
* src/test/test_driver.c (testConnectDomainEventRegister)
(testConnectDomainEventRegisterAny)
(testConnectNetworkEventRegisterAny): Update callers.
* src/remote/remote_driver.c (remoteConnectDomainEventRegister)
(remoteConnectDomainEventRegisterAny): Likewise.
* src/xen/xen_driver.c (xenUnifiedConnectDomainEventRegister)
(xenUnifiedConnectDomainEventRegisterAny): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc): Likewise.
* src/libxl/libxl_driver.c (libxlConnectDomainEventRegister)
(libxlConnectDomainEventRegisterAny): Likewise.
* src/qemu/qemu_driver.c (qemuConnectDomainEventRegister)
(qemuConnectDomainEventRegisterAny): Likewise.
* src/uml/uml_driver.c (umlConnectDomainEventRegister)
(umlConnectDomainEventRegisterAny): Likewise.
* src/network/bridge_driver.c
(networkConnectNetworkEventRegisterAny): Likewise.
* src/lxc/lxc_driver.c (lxcConnectDomainEventRegister)
(lxcConnectDomainEventRegisterAny): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-08 20:34:48 +00:00
|
|
|
virObjectEventCallbackFilter filter,
|
|
|
|
void *filter_opaque,
|
2013-12-11 14:10:34 +00:00
|
|
|
virClassPtr klass,
|
2013-11-26 14:10:15 +00:00
|
|
|
int eventID,
|
|
|
|
virConnectObjectEventGenericCallback callback,
|
|
|
|
void *opaque,
|
|
|
|
virFreeCallback freecb,
|
2014-01-08 04:00:54 +00:00
|
|
|
bool legacy,
|
2014-01-06 12:32:55 +00:00
|
|
|
int *callbackID,
|
|
|
|
bool serverFilter)
|
2013-11-26 14:10:15 +00:00
|
|
|
{
|
2016-06-23 15:43:24 +00:00
|
|
|
virObjectEventCallbackPtr cb;
|
2014-01-03 20:31:48 +00:00
|
|
|
int ret = -1;
|
2014-01-06 12:32:55 +00:00
|
|
|
int remoteID = -1;
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2016-06-23 16:14:23 +00:00
|
|
|
VIR_DEBUG("conn=%p cblist=%p key=%p filter=%p filter_opaque=%p "
|
2014-01-08 04:00:54 +00:00
|
|
|
"klass=%p eventID=%d callback=%p opaque=%p "
|
|
|
|
"legacy=%d callbackID=%p serverFilter=%d",
|
2016-06-23 16:14:23 +00:00
|
|
|
conn, cbList, key, filter, filter_opaque, klass, eventID,
|
2014-01-08 04:00:54 +00:00
|
|
|
callback, opaque, legacy, callbackID, serverFilter);
|
2013-12-11 15:27:13 +00:00
|
|
|
|
2013-11-26 14:10:15 +00:00
|
|
|
/* Check incoming */
|
2014-11-13 14:23:27 +00:00
|
|
|
if (!cbList)
|
2013-11-26 14:10:15 +00:00
|
|
|
return -1;
|
|
|
|
|
qemu: enable monitor event filtering by name
Filtering monitor events by name requires tracking the name for
the duration of the filtering. In order to free the name, I
found it easiest to just piggyback on the user's freecb function,
which gets called when the event is deregistered.
For events without a name filter, we have the design of multiple
client registrations sharing a common server registration, because
the server side uses the same callback function and we reject
duplicate use of the same function. But with events in the mix,
we want to be able to allow the same function pointer to be used
with more than one event name. The solution is to tweak the
duplicate detection code to only act when there is no additional
filtering; if name filtering is in use, there is exactly one
client registration per server registration. Yes, this means
that there is no longer a bound on the number of server
registrations possible, so a malicious client could repeatedly
register for the same name event to exhaust server memory. On
the other hand, we already restricted monitor events to require
write access (compared to normal events only needing read access),
and separated it into the intentionally unsupported
libvirt-qemu.so, with documentation that using this function is
for debug purposes only; so it is not a security risk worth
worrying about a client trying to abuse multiple registrations.
* src/conf/domain_event.c (virDomainQemuMonitorEventData): New
struct.
(virDomainQemuMonitorEventFilter)
(virDomainQemuMonitorEventCleanup): New functions.
(virDomainQemuMonitorEventDispatchFunc)
(virDomainQemuMonitorEventStateRegisterID): Use new struct.
* src/conf/object_event.c (virObjectEventCallbackListCount)
(virObjectEventCallbackListAddID)
(virObjectEventCallbackListRemoveID)
(virObjectEventCallbackListMarkDeleteID): Drop duplicate detection
when filtering is in effect.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-31 14:02:25 +00:00
|
|
|
/* If there is no additional filtering, then check if we already
|
|
|
|
* have this callback on our list. */
|
|
|
|
if (!filter &&
|
2016-06-23 16:14:23 +00:00
|
|
|
virObjectEventCallbackLookup(conn, cbList, key,
|
2014-01-08 04:00:54 +00:00
|
|
|
klass, eventID, callback, legacy,
|
2014-01-06 12:32:55 +00:00
|
|
|
serverFilter ? &remoteID : NULL) != -1) {
|
2014-01-08 17:10:49 +00:00
|
|
|
virReportError(VIR_ERR_INVALID_ARG, "%s",
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
_("event callback already tracked"));
|
|
|
|
return -1;
|
2013-11-26 14:10:15 +00:00
|
|
|
}
|
2016-06-23 15:43:24 +00:00
|
|
|
/* Allocate new cb */
|
|
|
|
if (VIR_ALLOC(cb) < 0)
|
2014-01-03 20:31:48 +00:00
|
|
|
goto cleanup;
|
2016-06-23 15:43:24 +00:00
|
|
|
cb->conn = virObjectRef(conn);
|
|
|
|
*callbackID = cb->callbackID = cbList->nextID++;
|
|
|
|
cb->cb = callback;
|
|
|
|
cb->klass = klass;
|
|
|
|
cb->eventID = eventID;
|
|
|
|
cb->opaque = opaque;
|
|
|
|
cb->freecb = freecb;
|
|
|
|
cb->remoteID = remoteID;
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2016-06-23 16:14:23 +00:00
|
|
|
if (key) {
|
|
|
|
cb->key_filter = true;
|
|
|
|
if (VIR_STRDUP(cb->key, key) < 0)
|
2016-06-23 15:50:05 +00:00
|
|
|
goto cleanup;
|
2013-11-26 14:10:15 +00:00
|
|
|
}
|
2016-06-23 15:43:24 +00:00
|
|
|
cb->filter = filter;
|
|
|
|
cb->filter_opaque = filter_opaque;
|
|
|
|
cb->legacy = legacy;
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2016-06-23 15:43:24 +00:00
|
|
|
if (VIR_APPEND_ELEMENT(cbList->callbacks, cbList->count, cb) < 0)
|
2014-01-03 20:31:48 +00:00
|
|
|
goto cleanup;
|
2013-11-26 14:10:15 +00:00
|
|
|
|
qemu: enable monitor event filtering by name
Filtering monitor events by name requires tracking the name for
the duration of the filtering. In order to free the name, I
found it easiest to just piggyback on the user's freecb function,
which gets called when the event is deregistered.
For events without a name filter, we have the design of multiple
client registrations sharing a common server registration, because
the server side uses the same callback function and we reject
duplicate use of the same function. But with events in the mix,
we want to be able to allow the same function pointer to be used
with more than one event name. The solution is to tweak the
duplicate detection code to only act when there is no additional
filtering; if name filtering is in use, there is exactly one
client registration per server registration. Yes, this means
that there is no longer a bound on the number of server
registrations possible, so a malicious client could repeatedly
register for the same name event to exhaust server memory. On
the other hand, we already restricted monitor events to require
write access (compared to normal events only needing read access),
and separated it into the intentionally unsupported
libvirt-qemu.so, with documentation that using this function is
for debug purposes only; so it is not a security risk worth
worrying about a client trying to abuse multiple registrations.
* src/conf/domain_event.c (virDomainQemuMonitorEventData): New
struct.
(virDomainQemuMonitorEventFilter)
(virDomainQemuMonitorEventCleanup): New functions.
(virDomainQemuMonitorEventDispatchFunc)
(virDomainQemuMonitorEventStateRegisterID): Use new struct.
* src/conf/object_event.c (virObjectEventCallbackListCount)
(virObjectEventCallbackListAddID)
(virObjectEventCallbackListRemoveID)
(virObjectEventCallbackListMarkDeleteID): Drop duplicate detection
when filtering is in effect.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-31 14:02:25 +00:00
|
|
|
/* When additional filtering is being done, every client callback
|
|
|
|
* is matched to exactly one server callback. */
|
|
|
|
if (filter) {
|
|
|
|
ret = 1;
|
|
|
|
} else {
|
|
|
|
ret = virObjectEventCallbackListCount(conn, cbList, klass, eventID,
|
2016-06-23 16:14:23 +00:00
|
|
|
key, serverFilter);
|
qemu: enable monitor event filtering by name
Filtering monitor events by name requires tracking the name for
the duration of the filtering. In order to free the name, I
found it easiest to just piggyback on the user's freecb function,
which gets called when the event is deregistered.
For events without a name filter, we have the design of multiple
client registrations sharing a common server registration, because
the server side uses the same callback function and we reject
duplicate use of the same function. But with events in the mix,
we want to be able to allow the same function pointer to be used
with more than one event name. The solution is to tweak the
duplicate detection code to only act when there is no additional
filtering; if name filtering is in use, there is exactly one
client registration per server registration. Yes, this means
that there is no longer a bound on the number of server
registrations possible, so a malicious client could repeatedly
register for the same name event to exhaust server memory. On
the other hand, we already restricted monitor events to require
write access (compared to normal events only needing read access),
and separated it into the intentionally unsupported
libvirt-qemu.so, with documentation that using this function is
for debug purposes only; so it is not a security risk worth
worrying about a client trying to abuse multiple registrations.
* src/conf/domain_event.c (virDomainQemuMonitorEventData): New
struct.
(virDomainQemuMonitorEventFilter)
(virDomainQemuMonitorEventCleanup): New functions.
(virDomainQemuMonitorEventDispatchFunc)
(virDomainQemuMonitorEventStateRegisterID): Use new struct.
* src/conf/object_event.c (virObjectEventCallbackListCount)
(virObjectEventCallbackListAddID)
(virObjectEventCallbackListRemoveID)
(virObjectEventCallbackListMarkDeleteID): Drop duplicate detection
when filtering is in effect.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-31 14:02:25 +00:00
|
|
|
if (serverFilter && remoteID < 0)
|
|
|
|
ret++;
|
|
|
|
}
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2014-03-25 06:48:31 +00:00
|
|
|
cleanup:
|
2016-06-23 15:43:24 +00:00
|
|
|
virObjectEventCallbackFree(cb);
|
2014-01-03 20:31:48 +00:00
|
|
|
return ret;
|
2013-11-26 14:10:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* virObjectEventQueueClear:
|
|
|
|
* @queue: pointer to the queue
|
|
|
|
*
|
|
|
|
* Removes all elements from the queue
|
|
|
|
*/
|
2014-01-03 21:44:29 +00:00
|
|
|
static void
|
2013-11-26 14:10:15 +00:00
|
|
|
virObjectEventQueueClear(virObjectEventQueuePtr queue)
|
|
|
|
{
|
|
|
|
size_t i;
|
|
|
|
if (!queue)
|
|
|
|
return;
|
|
|
|
|
2014-11-13 14:23:27 +00:00
|
|
|
for (i = 0; i < queue->count; i++)
|
2013-11-26 14:10:15 +00:00
|
|
|
virObjectUnref(queue->events[i]);
|
|
|
|
VIR_FREE(queue->events);
|
|
|
|
queue->count = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* virObjectEventQueueFree:
|
|
|
|
* @queue: pointer to the queue
|
|
|
|
*
|
|
|
|
* Free the memory in the queue. We process this like a list here
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
virObjectEventQueueFree(virObjectEventQueuePtr queue)
|
|
|
|
{
|
|
|
|
if (!queue)
|
|
|
|
return;
|
|
|
|
|
|
|
|
virObjectEventQueueClear(queue);
|
|
|
|
VIR_FREE(queue);
|
|
|
|
}
|
|
|
|
|
|
|
|
static virObjectEventQueuePtr
|
|
|
|
virObjectEventQueueNew(void)
|
|
|
|
{
|
|
|
|
virObjectEventQueuePtr ret;
|
|
|
|
|
|
|
|
ignore_value(VIR_ALLOC(ret));
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2014-01-02 14:16:49 +00:00
|
|
|
|
|
|
|
/**
|
2016-10-11 07:48:36 +00:00
|
|
|
* virObjectEventStateDispose:
|
2013-11-26 14:10:15 +00:00
|
|
|
* @list: virObjectEventStatePtr to free
|
|
|
|
*
|
|
|
|
* Free a virObjectEventStatePtr and its members, and unregister the timer.
|
|
|
|
*/
|
2016-10-11 07:48:36 +00:00
|
|
|
static void
|
|
|
|
virObjectEventStateDispose(void *obj)
|
2013-11-26 14:10:15 +00:00
|
|
|
{
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectEventStatePtr state = obj;
|
|
|
|
|
|
|
|
VIR_DEBUG("obj=%p", state);
|
2013-11-26 14:10:15 +00:00
|
|
|
|
|
|
|
virObjectEventCallbackListFree(state->callbacks);
|
|
|
|
virObjectEventQueueFree(state->queue);
|
|
|
|
|
|
|
|
if (state->timer != -1)
|
|
|
|
virEventRemoveTimeout(state->timer);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void virObjectEventStateFlush(virObjectEventStatePtr state);
|
|
|
|
|
2014-01-02 14:16:49 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* virObjectEventTimer:
|
|
|
|
* @timer: id of the event loop timer
|
|
|
|
* @opaque: the event state object
|
|
|
|
*
|
|
|
|
* Register this function with the event state as its opaque data as
|
|
|
|
* the callback of a periodic timer on the event loop, in order to
|
|
|
|
* flush the callback queue.
|
|
|
|
*/
|
2014-01-03 21:44:29 +00:00
|
|
|
static void
|
2013-11-26 14:10:15 +00:00
|
|
|
virObjectEventTimer(int timer ATTRIBUTE_UNUSED, void *opaque)
|
|
|
|
{
|
|
|
|
virObjectEventStatePtr state = opaque;
|
|
|
|
|
|
|
|
virObjectEventStateFlush(state);
|
|
|
|
}
|
|
|
|
|
2014-01-02 14:16:49 +00:00
|
|
|
|
2013-11-26 14:10:15 +00:00
|
|
|
/**
|
|
|
|
* virObjectEventStateNew:
|
2014-01-02 14:16:49 +00:00
|
|
|
*
|
|
|
|
* Allocate a new event state object.
|
2013-11-26 14:10:15 +00:00
|
|
|
*/
|
|
|
|
virObjectEventStatePtr
|
|
|
|
virObjectEventStateNew(void)
|
|
|
|
{
|
|
|
|
virObjectEventStatePtr state = NULL;
|
|
|
|
|
2016-10-11 07:48:36 +00:00
|
|
|
if (virObjectEventInitialize() < 0)
|
|
|
|
return NULL;
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2016-10-11 07:48:36 +00:00
|
|
|
if (!(state = virObjectLockableNew(virObjectEventStateClass)))
|
|
|
|
return NULL;
|
2013-11-26 14:10:15 +00:00
|
|
|
|
|
|
|
if (VIR_ALLOC(state->callbacks) < 0)
|
|
|
|
goto error;
|
|
|
|
|
|
|
|
if (!(state->queue = virObjectEventQueueNew()))
|
|
|
|
goto error;
|
|
|
|
|
|
|
|
state->timer = -1;
|
|
|
|
|
|
|
|
return state;
|
|
|
|
|
2014-03-25 06:48:31 +00:00
|
|
|
error:
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectUnref(state);
|
2013-11-26 14:10:15 +00:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2014-01-02 14:16:49 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* virObjectEventNew:
|
|
|
|
* @klass: subclass of event to be created
|
|
|
|
* @dispatcher: callback for dispatching the particular subclass of event
|
|
|
|
* @eventID: id of the event
|
|
|
|
* @id: id of the object the event describes, or 0
|
|
|
|
* @name: name of the object the event describes
|
|
|
|
* @uuid: uuid of the object the event describes
|
2016-06-23 16:06:39 +00:00
|
|
|
* @key: key for per-object filtering
|
2014-01-02 14:16:49 +00:00
|
|
|
*
|
|
|
|
* Create a new event, with the information common to all events.
|
|
|
|
*/
|
2013-12-11 10:38:03 +00:00
|
|
|
void *
|
|
|
|
virObjectEventNew(virClassPtr klass,
|
2013-12-12 17:47:42 +00:00
|
|
|
virObjectEventDispatchFunc dispatcher,
|
2013-12-11 10:38:03 +00:00
|
|
|
int eventID,
|
|
|
|
int id,
|
|
|
|
const char *name,
|
2016-06-23 16:06:39 +00:00
|
|
|
const unsigned char *uuid,
|
|
|
|
const char *key)
|
2013-11-26 14:10:15 +00:00
|
|
|
{
|
|
|
|
virObjectEventPtr event;
|
|
|
|
|
|
|
|
if (virObjectEventInitialize() < 0)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
if (!virClassIsDerivedFrom(klass, virObjectEventClass)) {
|
|
|
|
virReportInvalidArg(klass,
|
|
|
|
_("Class %s must derive from virObjectEvent"),
|
|
|
|
virClassName(klass));
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!(event = virObjectNew(klass)))
|
|
|
|
return NULL;
|
|
|
|
|
2013-12-12 17:47:42 +00:00
|
|
|
event->dispatch = dispatcher;
|
2013-11-26 14:10:15 +00:00
|
|
|
event->eventID = eventID;
|
2014-01-06 12:32:55 +00:00
|
|
|
event->remoteID = -1;
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2016-08-04 06:33:17 +00:00
|
|
|
if (VIR_STRDUP(event->meta.name, name) < 0 ||
|
|
|
|
VIR_STRDUP(event->meta.key, key) < 0) {
|
|
|
|
virObjectUnref(event);
|
2016-06-23 16:06:39 +00:00
|
|
|
return NULL;
|
|
|
|
}
|
2013-11-26 14:10:15 +00:00
|
|
|
event->meta.id = id;
|
2016-07-19 17:23:06 +00:00
|
|
|
if (uuid)
|
|
|
|
memcpy(event->meta.uuid, uuid, VIR_UUID_BUFLEN);
|
2013-11-26 14:10:15 +00:00
|
|
|
|
|
|
|
VIR_DEBUG("obj=%p", event);
|
|
|
|
return event;
|
|
|
|
}
|
|
|
|
|
2014-01-02 14:16:49 +00:00
|
|
|
|
2013-11-26 14:10:15 +00:00
|
|
|
/**
|
|
|
|
* virObjectEventQueuePush:
|
|
|
|
* @evtQueue: the object event queue
|
|
|
|
* @event: the event to add
|
|
|
|
*
|
|
|
|
* Internal function to push to the back of a virObjectEventQueue
|
|
|
|
*
|
|
|
|
* Returns: 0 on success, -1 on failure
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
virObjectEventQueuePush(virObjectEventQueuePtr evtQueue,
|
|
|
|
virObjectEventPtr event)
|
|
|
|
{
|
2014-01-03 20:31:48 +00:00
|
|
|
if (!evtQueue)
|
2013-11-26 14:10:15 +00:00
|
|
|
return -1;
|
|
|
|
|
2014-01-03 20:31:48 +00:00
|
|
|
if (VIR_APPEND_ELEMENT(evtQueue->events, evtQueue->count, event) < 0)
|
2013-11-26 14:10:15 +00:00
|
|
|
return -1;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2014-01-03 17:34:39 +00:00
|
|
|
static bool
|
2013-12-11 10:38:03 +00:00
|
|
|
virObjectEventDispatchMatchCallback(virObjectEventPtr event,
|
|
|
|
virObjectEventCallbackPtr cb)
|
2013-11-26 14:10:15 +00:00
|
|
|
{
|
|
|
|
if (!cb)
|
2014-01-03 17:34:39 +00:00
|
|
|
return false;
|
2013-11-26 14:10:15 +00:00
|
|
|
if (cb->deleted)
|
2014-01-03 17:34:39 +00:00
|
|
|
return false;
|
2013-12-11 14:10:34 +00:00
|
|
|
if (!virObjectIsClass(event, cb->klass))
|
2014-01-03 17:34:39 +00:00
|
|
|
return false;
|
2014-01-02 14:40:50 +00:00
|
|
|
if (cb->eventID != event->eventID)
|
2014-01-03 17:34:39 +00:00
|
|
|
return false;
|
2014-01-06 12:32:55 +00:00
|
|
|
if (cb->remoteID != event->remoteID)
|
|
|
|
return false;
|
2013-11-26 14:10:15 +00:00
|
|
|
|
event: filter global events by domain:getattr ACL [CVE-2014-0028]
Ever since ACL filtering was added in commit 7639736 (v1.1.1), a
user could still use event registration to obtain access to a
domain that they could not normally access via virDomainLookup*
or virConnectListAllDomains and friends. We already have the
framework in the RPC generator for creating the filter, and
previous cleanup patches got us to the point that we can now
wire the filter through the entire object event stack.
Furthermore, whether or not domain:getattr is honored, use of
global events is a form of obtaining a list of networks, which
is covered by connect:search_domains added in a93cd08 (v1.1.0).
Ideally, we'd have a way to enforce connect:search_domains when
doing global registrations while omitting that check on a
per-domain registration. But this patch just unconditionally
requires connect:search_domains, even when no list could be
obtained, based on the following observations:
1. Administrators are unlikely to grant domain:getattr for one
or all domains while still denying connect:search_domains - a
user that is able to manage domains will want to be able to
manage them efficiently, but efficient management includes being
able to list the domains they can access. The idea of denying
connect:search_domains while still granting access to individual
domains is therefore not adding any real security, but just
serves as a layer of obscurity to annoy the end user.
2. In the current implementation, domain events are filtered
on the client; the server has no idea if a domain filter was
requested, and must therefore assume that all domain event
requests are global. Even if we fix the RPC protocol to
allow for server-side filtering for newer client/server combos,
making the connect:serach_domains ACL check conditional on
whether the domain argument was NULL won't benefit older clients.
Therefore, we choose to document that connect:search_domains
is a pre-requisite to any domain event management.
Network events need the same treatment, with the obvious
change of using connect:search_networks and network:getattr.
* src/access/viraccessperm.h
(VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS)
(VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS): Document additional
effect of the permission.
* src/conf/domain_event.h (virDomainEventStateRegister)
(virDomainEventStateRegisterID): Add new parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID):
Likewise.
* src/conf/object_event_private.h (virObjectEventStateRegisterID):
Likewise.
* src/conf/object_event.c (_virObjectEventCallback): Track a filter.
(virObjectEventDispatchMatchCallback): Use filter.
(virObjectEventCallbackListAddID): Register filter.
* src/conf/domain_event.c (virDomainEventFilter): New function.
(virDomainEventStateRegister, virDomainEventStateRegisterID):
Adjust callers.
* src/conf/network_event.c (virNetworkEventFilter): New function.
(virNetworkEventStateRegisterID): Adjust caller.
* src/remote/remote_protocol.x
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER)
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY)
(REMOTE_PROC_CONNECT_NETWORK_EVENT_REGISTER_ANY): Generate a
filter, and require connect:search_domains instead of weaker
connect:read.
* src/test/test_driver.c (testConnectDomainEventRegister)
(testConnectDomainEventRegisterAny)
(testConnectNetworkEventRegisterAny): Update callers.
* src/remote/remote_driver.c (remoteConnectDomainEventRegister)
(remoteConnectDomainEventRegisterAny): Likewise.
* src/xen/xen_driver.c (xenUnifiedConnectDomainEventRegister)
(xenUnifiedConnectDomainEventRegisterAny): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc): Likewise.
* src/libxl/libxl_driver.c (libxlConnectDomainEventRegister)
(libxlConnectDomainEventRegisterAny): Likewise.
* src/qemu/qemu_driver.c (qemuConnectDomainEventRegister)
(qemuConnectDomainEventRegisterAny): Likewise.
* src/uml/uml_driver.c (umlConnectDomainEventRegister)
(umlConnectDomainEventRegisterAny): Likewise.
* src/network/bridge_driver.c
(networkConnectNetworkEventRegisterAny): Likewise.
* src/lxc/lxc_driver.c (lxcConnectDomainEventRegister)
(lxcConnectDomainEventRegisterAny): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-08 20:34:48 +00:00
|
|
|
if (cb->filter && !(cb->filter)(cb->conn, event, cb->filter_opaque))
|
|
|
|
return false;
|
|
|
|
|
2016-06-23 16:14:23 +00:00
|
|
|
if (cb->key_filter)
|
|
|
|
return STREQ(event->meta.key, cb->key);
|
2014-01-03 17:34:39 +00:00
|
|
|
return true;
|
2013-11-26 14:10:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
2013-12-12 17:47:42 +00:00
|
|
|
virObjectEventStateDispatchCallbacks(virObjectEventStatePtr state,
|
|
|
|
virObjectEventPtr event,
|
|
|
|
virObjectEventCallbackListPtr callbacks)
|
2013-11-26 14:10:15 +00:00
|
|
|
{
|
|
|
|
size_t i;
|
|
|
|
/* Cache this now, since we may be dropping the lock,
|
|
|
|
and have more callbacks added. We're guaranteed not
|
|
|
|
to have any removed */
|
2014-01-03 20:31:48 +00:00
|
|
|
size_t cbCount = callbacks->count;
|
2013-11-26 14:10:15 +00:00
|
|
|
|
|
|
|
for (i = 0; i < cbCount; i++) {
|
2014-01-03 20:31:48 +00:00
|
|
|
virObjectEventCallbackPtr cb = callbacks->callbacks[i];
|
|
|
|
|
|
|
|
if (!virObjectEventDispatchMatchCallback(event, cb))
|
2013-11-26 14:10:15 +00:00
|
|
|
continue;
|
|
|
|
|
2018-12-04 17:08:14 +00:00
|
|
|
/* Drop the lock while dispatching, for sake of re-entrance */
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectUnlock(state);
|
2014-01-03 20:31:48 +00:00
|
|
|
event->dispatch(cb->conn, event, cb->cb, cb->opaque);
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectLock(state);
|
2013-11-26 14:10:15 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void
|
2013-12-12 17:47:42 +00:00
|
|
|
virObjectEventStateQueueDispatch(virObjectEventStatePtr state,
|
|
|
|
virObjectEventQueuePtr queue,
|
|
|
|
virObjectEventCallbackListPtr callbacks)
|
2013-11-26 14:10:15 +00:00
|
|
|
{
|
|
|
|
size_t i;
|
|
|
|
|
|
|
|
for (i = 0; i < queue->count; i++) {
|
2014-01-03 20:31:48 +00:00
|
|
|
virObjectEventStateDispatchCallbacks(state, queue->events[i],
|
|
|
|
callbacks);
|
2013-11-26 14:10:15 +00:00
|
|
|
virObjectUnref(queue->events[i]);
|
|
|
|
}
|
|
|
|
VIR_FREE(queue->events);
|
|
|
|
queue->count = 0;
|
|
|
|
}
|
|
|
|
|
2014-01-02 14:16:49 +00:00
|
|
|
|
|
|
|
/**
|
2014-01-06 12:32:55 +00:00
|
|
|
* virObjectEventStateQueueRemote:
|
2014-01-02 14:16:49 +00:00
|
|
|
* @state: the event state object
|
|
|
|
* @event: event to add to the queue
|
2014-01-06 12:32:55 +00:00
|
|
|
* @remoteID: limit dispatch to callbacks with the same remote id
|
2014-01-02 14:16:49 +00:00
|
|
|
*
|
|
|
|
* Adds @event to the queue of events to be dispatched at the next
|
|
|
|
* safe moment. The caller should no longer use @event after this
|
2014-01-06 12:32:55 +00:00
|
|
|
* call. If @remoteID is non-negative, the event will only be sent to
|
|
|
|
* callbacks where virObjectEventStateSetRemote() registered a remote
|
|
|
|
* id.
|
2014-01-02 14:16:49 +00:00
|
|
|
*/
|
2013-11-26 14:10:15 +00:00
|
|
|
void
|
2014-01-06 12:32:55 +00:00
|
|
|
virObjectEventStateQueueRemote(virObjectEventStatePtr state,
|
|
|
|
virObjectEventPtr event,
|
|
|
|
int remoteID)
|
2013-11-26 14:10:15 +00:00
|
|
|
{
|
2018-06-11 19:38:18 +00:00
|
|
|
if (!event)
|
|
|
|
return;
|
|
|
|
|
2013-11-26 14:10:15 +00:00
|
|
|
if (state->timer < 0) {
|
|
|
|
virObjectUnref(event);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectLock(state);
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2014-01-06 12:32:55 +00:00
|
|
|
event->remoteID = remoteID;
|
2013-11-26 14:10:15 +00:00
|
|
|
if (virObjectEventQueuePush(state->queue, event) < 0) {
|
|
|
|
VIR_DEBUG("Error adding event to queue");
|
|
|
|
virObjectUnref(event);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (state->queue->count == 1)
|
|
|
|
virEventUpdateTimeout(state->timer, 0);
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectUnlock(state);
|
2013-11-26 14:10:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2014-01-06 12:32:55 +00:00
|
|
|
/**
|
|
|
|
* virObjectEventStateQueue:
|
|
|
|
* @state: the event state object
|
|
|
|
* @event: event to add to the queue
|
|
|
|
*
|
|
|
|
* Adds @event to the queue of events to be dispatched at the next
|
|
|
|
* safe moment. The caller should no longer use @event after this
|
|
|
|
* call.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virObjectEventStateQueue(virObjectEventStatePtr state,
|
|
|
|
virObjectEventPtr event)
|
|
|
|
{
|
|
|
|
virObjectEventStateQueueRemote(state, event, -1);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2016-10-11 11:35:18 +00:00
|
|
|
static void
|
|
|
|
virObjectEventStateCleanupTimer(virObjectEventStatePtr state, bool clear_queue)
|
|
|
|
{
|
|
|
|
/* There are still some callbacks, keep the timer. */
|
|
|
|
if (state->callbacks->count)
|
|
|
|
return;
|
|
|
|
|
|
|
|
/* The timer is not registered, nothing to do. */
|
|
|
|
if (state->timer == -1)
|
|
|
|
return;
|
|
|
|
|
|
|
|
virEventRemoveTimeout(state->timer);
|
|
|
|
state->timer = -1;
|
|
|
|
|
|
|
|
if (clear_queue)
|
|
|
|
virObjectEventQueueClear(state->queue);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2013-11-26 14:10:15 +00:00
|
|
|
static void
|
|
|
|
virObjectEventStateFlush(virObjectEventStatePtr state)
|
|
|
|
{
|
|
|
|
virObjectEventQueue tempQueue;
|
|
|
|
|
2016-10-11 11:44:21 +00:00
|
|
|
/* We need to lock as well as ref due to the fact that we might
|
|
|
|
* unref the state we're working on in this very function */
|
|
|
|
virObjectRef(state);
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectLock(state);
|
2013-11-26 14:10:15 +00:00
|
|
|
state->isDispatching = true;
|
|
|
|
|
|
|
|
/* Copy the queue, so we're reentrant safe when dispatchFunc drops the
|
|
|
|
* driver lock */
|
|
|
|
tempQueue.count = state->queue->count;
|
|
|
|
tempQueue.events = state->queue->events;
|
|
|
|
state->queue->count = 0;
|
|
|
|
state->queue->events = NULL;
|
2016-10-06 15:05:14 +00:00
|
|
|
if (state->timer != -1)
|
|
|
|
virEventUpdateTimeout(state->timer, -1);
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2013-12-12 17:47:42 +00:00
|
|
|
virObjectEventStateQueueDispatch(state,
|
|
|
|
&tempQueue,
|
|
|
|
state->callbacks);
|
2013-11-26 14:10:15 +00:00
|
|
|
|
|
|
|
/* Purge any deleted callbacks */
|
|
|
|
virObjectEventCallbackListPurgeMarked(state->callbacks);
|
|
|
|
|
2016-10-11 11:44:21 +00:00
|
|
|
/* If we purged all callbacks, we need to remove the timeout as
|
|
|
|
* well like virObjectEventStateDeregisterID() would do. */
|
|
|
|
virObjectEventStateCleanupTimer(state, true);
|
|
|
|
|
2013-11-26 14:10:15 +00:00
|
|
|
state->isDispatching = false;
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectUnlock(state);
|
2016-10-11 11:44:21 +00:00
|
|
|
virObjectUnref(state);
|
2013-11-26 14:10:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* virObjectEventStateRegisterID:
|
|
|
|
* @conn: connection to associate with callback
|
|
|
|
* @state: domain event state
|
2016-06-23 16:14:23 +00:00
|
|
|
* @key: key of the object for event filtering
|
2013-12-11 14:10:34 +00:00
|
|
|
* @klass: the base event class
|
2013-11-26 14:10:15 +00:00
|
|
|
* @eventID: ID of the event type to register for
|
2014-01-02 14:16:49 +00:00
|
|
|
* @cb: function to invoke when event occurs
|
|
|
|
* @opaque: data blob to pass to @callback
|
2013-11-26 14:10:15 +00:00
|
|
|
* @freecb: callback to free @opaque
|
2014-01-08 04:00:54 +00:00
|
|
|
* @legacy: true if callback is tracked by function instead of callbackID
|
2013-11-26 14:10:15 +00:00
|
|
|
* @callbackID: filled with callback ID
|
2014-01-06 12:32:55 +00:00
|
|
|
* @serverFilter: true if server supports object filtering
|
2013-11-26 14:10:15 +00:00
|
|
|
*
|
2014-01-02 14:16:49 +00:00
|
|
|
* Register the function @cb with connection @conn, from @state, for
|
|
|
|
* events of type @eventID, and return the registration handle in
|
|
|
|
* @callbackID.
|
2013-11-26 14:10:15 +00:00
|
|
|
*
|
2014-01-06 12:32:55 +00:00
|
|
|
* The return value is only important when registering client-side
|
|
|
|
* mirroring of remote events (since the public API is documented to
|
|
|
|
* return the callbackID rather than a count). A return of 1 means
|
|
|
|
* that this is the first use of this type of event, so a remote event
|
|
|
|
* must be enabled; a return larger than 1 means that an existing
|
|
|
|
* remote event can already feed this callback. If @serverFilter is
|
|
|
|
* false, the return count assumes that a single global remote feeds
|
|
|
|
* both generic and per-object callbacks, and that the event queue
|
|
|
|
* will be fed with virObjectEventStateQueue(). If it is true, then
|
|
|
|
* the return count assumes that the remote side is capable of per-
|
|
|
|
* object filtering; the user must call virObjectEventStateSetRemote()
|
|
|
|
* to record the remote id, and queue events with
|
|
|
|
* virObjectEventStateQueueRemote().
|
|
|
|
*
|
|
|
|
* Returns: the number of callbacks now registered, or -1 on error.
|
2013-11-26 14:10:15 +00:00
|
|
|
*/
|
|
|
|
int
|
|
|
|
virObjectEventStateRegisterID(virConnectPtr conn,
|
|
|
|
virObjectEventStatePtr state,
|
2016-06-23 16:14:23 +00:00
|
|
|
const char *key,
|
event: filter global events by domain:getattr ACL [CVE-2014-0028]
Ever since ACL filtering was added in commit 7639736 (v1.1.1), a
user could still use event registration to obtain access to a
domain that they could not normally access via virDomainLookup*
or virConnectListAllDomains and friends. We already have the
framework in the RPC generator for creating the filter, and
previous cleanup patches got us to the point that we can now
wire the filter through the entire object event stack.
Furthermore, whether or not domain:getattr is honored, use of
global events is a form of obtaining a list of networks, which
is covered by connect:search_domains added in a93cd08 (v1.1.0).
Ideally, we'd have a way to enforce connect:search_domains when
doing global registrations while omitting that check on a
per-domain registration. But this patch just unconditionally
requires connect:search_domains, even when no list could be
obtained, based on the following observations:
1. Administrators are unlikely to grant domain:getattr for one
or all domains while still denying connect:search_domains - a
user that is able to manage domains will want to be able to
manage them efficiently, but efficient management includes being
able to list the domains they can access. The idea of denying
connect:search_domains while still granting access to individual
domains is therefore not adding any real security, but just
serves as a layer of obscurity to annoy the end user.
2. In the current implementation, domain events are filtered
on the client; the server has no idea if a domain filter was
requested, and must therefore assume that all domain event
requests are global. Even if we fix the RPC protocol to
allow for server-side filtering for newer client/server combos,
making the connect:serach_domains ACL check conditional on
whether the domain argument was NULL won't benefit older clients.
Therefore, we choose to document that connect:search_domains
is a pre-requisite to any domain event management.
Network events need the same treatment, with the obvious
change of using connect:search_networks and network:getattr.
* src/access/viraccessperm.h
(VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS)
(VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS): Document additional
effect of the permission.
* src/conf/domain_event.h (virDomainEventStateRegister)
(virDomainEventStateRegisterID): Add new parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID):
Likewise.
* src/conf/object_event_private.h (virObjectEventStateRegisterID):
Likewise.
* src/conf/object_event.c (_virObjectEventCallback): Track a filter.
(virObjectEventDispatchMatchCallback): Use filter.
(virObjectEventCallbackListAddID): Register filter.
* src/conf/domain_event.c (virDomainEventFilter): New function.
(virDomainEventStateRegister, virDomainEventStateRegisterID):
Adjust callers.
* src/conf/network_event.c (virNetworkEventFilter): New function.
(virNetworkEventStateRegisterID): Adjust caller.
* src/remote/remote_protocol.x
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER)
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY)
(REMOTE_PROC_CONNECT_NETWORK_EVENT_REGISTER_ANY): Generate a
filter, and require connect:search_domains instead of weaker
connect:read.
* src/test/test_driver.c (testConnectDomainEventRegister)
(testConnectDomainEventRegisterAny)
(testConnectNetworkEventRegisterAny): Update callers.
* src/remote/remote_driver.c (remoteConnectDomainEventRegister)
(remoteConnectDomainEventRegisterAny): Likewise.
* src/xen/xen_driver.c (xenUnifiedConnectDomainEventRegister)
(xenUnifiedConnectDomainEventRegisterAny): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc): Likewise.
* src/libxl/libxl_driver.c (libxlConnectDomainEventRegister)
(libxlConnectDomainEventRegisterAny): Likewise.
* src/qemu/qemu_driver.c (qemuConnectDomainEventRegister)
(qemuConnectDomainEventRegisterAny): Likewise.
* src/uml/uml_driver.c (umlConnectDomainEventRegister)
(umlConnectDomainEventRegisterAny): Likewise.
* src/network/bridge_driver.c
(networkConnectNetworkEventRegisterAny): Likewise.
* src/lxc/lxc_driver.c (lxcConnectDomainEventRegister)
(lxcConnectDomainEventRegisterAny): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-08 20:34:48 +00:00
|
|
|
virObjectEventCallbackFilter filter,
|
|
|
|
void *filter_opaque,
|
2013-12-11 14:10:34 +00:00
|
|
|
virClassPtr klass,
|
2013-11-26 14:10:15 +00:00
|
|
|
int eventID,
|
|
|
|
virConnectObjectEventGenericCallback cb,
|
|
|
|
void *opaque,
|
|
|
|
virFreeCallback freecb,
|
2014-01-08 04:00:54 +00:00
|
|
|
bool legacy,
|
2014-01-06 12:32:55 +00:00
|
|
|
int *callbackID,
|
|
|
|
bool serverFilter)
|
2013-11-26 14:10:15 +00:00
|
|
|
{
|
|
|
|
int ret = -1;
|
|
|
|
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectLock(state);
|
2013-11-26 14:10:15 +00:00
|
|
|
|
|
|
|
if ((state->callbacks->count == 0) &&
|
2019-09-19 08:02:15 +00:00
|
|
|
(state->timer == -1)) {
|
|
|
|
if ((state->timer = virEventAddTimeout(-1,
|
|
|
|
virObjectEventTimer,
|
|
|
|
state,
|
|
|
|
virObjectFreeCallback)) < 0) {
|
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("could not initialize domain event timer"));
|
|
|
|
goto cleanup;
|
|
|
|
}
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2019-09-19 08:02:15 +00:00
|
|
|
/* event loop has one reference, but we need one more for the
|
|
|
|
* timer's opaque argument */
|
|
|
|
virObjectRef(state);
|
|
|
|
}
|
2016-10-11 11:30:11 +00:00
|
|
|
|
2013-11-26 14:10:15 +00:00
|
|
|
ret = virObjectEventCallbackListAddID(conn, state->callbacks,
|
2016-06-23 16:14:23 +00:00
|
|
|
key, filter, filter_opaque,
|
event: filter global events by domain:getattr ACL [CVE-2014-0028]
Ever since ACL filtering was added in commit 7639736 (v1.1.1), a
user could still use event registration to obtain access to a
domain that they could not normally access via virDomainLookup*
or virConnectListAllDomains and friends. We already have the
framework in the RPC generator for creating the filter, and
previous cleanup patches got us to the point that we can now
wire the filter through the entire object event stack.
Furthermore, whether or not domain:getattr is honored, use of
global events is a form of obtaining a list of networks, which
is covered by connect:search_domains added in a93cd08 (v1.1.0).
Ideally, we'd have a way to enforce connect:search_domains when
doing global registrations while omitting that check on a
per-domain registration. But this patch just unconditionally
requires connect:search_domains, even when no list could be
obtained, based on the following observations:
1. Administrators are unlikely to grant domain:getattr for one
or all domains while still denying connect:search_domains - a
user that is able to manage domains will want to be able to
manage them efficiently, but efficient management includes being
able to list the domains they can access. The idea of denying
connect:search_domains while still granting access to individual
domains is therefore not adding any real security, but just
serves as a layer of obscurity to annoy the end user.
2. In the current implementation, domain events are filtered
on the client; the server has no idea if a domain filter was
requested, and must therefore assume that all domain event
requests are global. Even if we fix the RPC protocol to
allow for server-side filtering for newer client/server combos,
making the connect:serach_domains ACL check conditional on
whether the domain argument was NULL won't benefit older clients.
Therefore, we choose to document that connect:search_domains
is a pre-requisite to any domain event management.
Network events need the same treatment, with the obvious
change of using connect:search_networks and network:getattr.
* src/access/viraccessperm.h
(VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS)
(VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS): Document additional
effect of the permission.
* src/conf/domain_event.h (virDomainEventStateRegister)
(virDomainEventStateRegisterID): Add new parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID):
Likewise.
* src/conf/object_event_private.h (virObjectEventStateRegisterID):
Likewise.
* src/conf/object_event.c (_virObjectEventCallback): Track a filter.
(virObjectEventDispatchMatchCallback): Use filter.
(virObjectEventCallbackListAddID): Register filter.
* src/conf/domain_event.c (virDomainEventFilter): New function.
(virDomainEventStateRegister, virDomainEventStateRegisterID):
Adjust callers.
* src/conf/network_event.c (virNetworkEventFilter): New function.
(virNetworkEventStateRegisterID): Adjust caller.
* src/remote/remote_protocol.x
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER)
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY)
(REMOTE_PROC_CONNECT_NETWORK_EVENT_REGISTER_ANY): Generate a
filter, and require connect:search_domains instead of weaker
connect:read.
* src/test/test_driver.c (testConnectDomainEventRegister)
(testConnectDomainEventRegisterAny)
(testConnectNetworkEventRegisterAny): Update callers.
* src/remote/remote_driver.c (remoteConnectDomainEventRegister)
(remoteConnectDomainEventRegisterAny): Likewise.
* src/xen/xen_driver.c (xenUnifiedConnectDomainEventRegister)
(xenUnifiedConnectDomainEventRegisterAny): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc): Likewise.
* src/libxl/libxl_driver.c (libxlConnectDomainEventRegister)
(libxlConnectDomainEventRegisterAny): Likewise.
* src/qemu/qemu_driver.c (qemuConnectDomainEventRegister)
(qemuConnectDomainEventRegisterAny): Likewise.
* src/uml/uml_driver.c (umlConnectDomainEventRegister)
(umlConnectDomainEventRegisterAny): Likewise.
* src/network/bridge_driver.c
(networkConnectNetworkEventRegisterAny): Likewise.
* src/lxc/lxc_driver.c (lxcConnectDomainEventRegister)
(lxcConnectDomainEventRegisterAny): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-08 20:34:48 +00:00
|
|
|
klass, eventID,
|
2013-12-11 14:10:34 +00:00
|
|
|
cb, opaque, freecb,
|
2014-01-08 04:00:54 +00:00
|
|
|
legacy, callbackID, serverFilter);
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2016-10-11 11:35:18 +00:00
|
|
|
if (ret < 0)
|
|
|
|
virObjectEventStateCleanupTimer(state, false);
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2014-03-25 06:48:31 +00:00
|
|
|
cleanup:
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectUnlock(state);
|
2013-11-26 14:10:15 +00:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* virObjectEventStateDeregisterID:
|
|
|
|
* @conn: connection to associate with callback
|
|
|
|
* @state: object event state
|
|
|
|
* @callbackID: ID of the function to remove from event
|
2017-06-14 11:32:15 +00:00
|
|
|
* @doFreeCb: Allow the calling of a freecb
|
2013-11-26 14:10:15 +00:00
|
|
|
*
|
|
|
|
* Unregister the function @callbackID with connection @conn,
|
2017-06-14 11:32:15 +00:00
|
|
|
* from @state, for events. If @doFreeCb is false, then we
|
|
|
|
* are being called from a remote call failure path for the
|
|
|
|
* Event registration indicating a -1 return to the caller. The
|
|
|
|
* caller wouldn't expect us to run their freecb function if it
|
|
|
|
* exists, so we cannot do so.
|
2013-11-26 14:10:15 +00:00
|
|
|
*
|
|
|
|
* Returns: the number of callbacks still registered, or -1 on error
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
virObjectEventStateDeregisterID(virConnectPtr conn,
|
|
|
|
virObjectEventStatePtr state,
|
2017-06-14 11:32:15 +00:00
|
|
|
int callbackID,
|
|
|
|
bool doFreeCb)
|
2013-11-26 14:10:15 +00:00
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectLock(state);
|
2013-11-26 14:10:15 +00:00
|
|
|
if (state->isDispatching)
|
|
|
|
ret = virObjectEventCallbackListMarkDeleteID(conn,
|
2014-01-02 14:16:49 +00:00
|
|
|
state->callbacks,
|
|
|
|
callbackID);
|
2013-11-26 14:10:15 +00:00
|
|
|
else
|
2017-06-14 11:32:15 +00:00
|
|
|
ret = virObjectEventCallbackListRemoveID(conn, state->callbacks,
|
|
|
|
callbackID, doFreeCb);
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2016-10-11 11:35:18 +00:00
|
|
|
virObjectEventStateCleanupTimer(state, true);
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectUnlock(state);
|
2013-11-26 14:10:15 +00:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
/**
|
|
|
|
* virObjectEventStateCallbackID:
|
|
|
|
* @conn: connection associated with callback
|
|
|
|
* @state: object event state
|
|
|
|
* @klass: the base event class
|
|
|
|
* @eventID: the event ID
|
|
|
|
* @callback: function registered as a callback
|
2014-01-08 04:00:54 +00:00
|
|
|
* @remoteID: optional output, containing resulting remote id
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
*
|
|
|
|
* Returns the callbackID of @callback, or -1 with an error issued if the
|
event: don't allow mix of old- and new-style registration
Consider these two calls, in either order:
id1 = virConnectDomainEventRegisterAny(conn, NULL,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
Right now, the second call fails, because under the hood, the
old-style function registration is tightly coupled to the
new style lifecycle eventID, and the two calls both try
to register the same global eventID callback representation.
We've alreay documented that users should avoid old-style
registration and deregistration, so anyone heeding the advice
won't run into this situation. But it would be even nicer if
we pretend the two interfaces are completely separate, and
disallow any cross-linking. That is, a call to old-style
deregister should never remove a new-style callback even if it
is the same function pointer, and a call to new-style callback
using only callbackIDs obtained legitimately should never
remove an old-style callback (of course, since our callback
IDs are sequential, and there is still coupling under the
hood, you can easily guess the callbackID of an old style
registration and use new-style deregistration to nuke it - but
that starts to be blatantly bad coding on your part rather
than a surprising result on what looks like reasonable
stand-alone API).
With this patch, you can now register a global lifecycle event
handler twice, by using both old and new APIs; if such an event
occurs, your callback will be entered twice. But that is not a
problem in practice, since it is already possible to use the
new API to register both a global and per-domain event handler
using the same function, which will likewise fire your callback
twice for that domain. Duplicates are still prevented when
using the same API with same parameters twice (old-style twice,
new-style global twice, or new-style per-domain with same domain
twice), and things are still bounded (it is not possible to
register a single function pointer more than N+2 times per event
id, where N is the number of domains available on the connection).
Besides, it has always been possible to register as many
separate function pointers on the same event id as desired,
through either old or new style API, where the bound there is
the physical limitation of writing a program with enough
distinct function pointers.
Adding another event registration in the testsuite is sufficient
to cover this, where the test fails without the rest of the patch.
* src/conf/object_event.c (_virObjectEventCallback): Add field.
(virObjectEventCallbackLookup): Add argument.
(virObjectEventCallbackListAddID, virObjectEventStateCallbackID):
Adjust callers.
* tests/objecteventtest.c (testDomainCreateXMLMixed): Enhance test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-04 12:55:55 +00:00
|
|
|
* function is not currently registered. This only finds functions
|
|
|
|
* registered via virConnectDomainEventRegister, even if modern style
|
|
|
|
* virConnectDomainEventRegisterAny also registers the same callback.
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
*/
|
|
|
|
int
|
|
|
|
virObjectEventStateCallbackID(virConnectPtr conn,
|
|
|
|
virObjectEventStatePtr state,
|
|
|
|
virClassPtr klass,
|
|
|
|
int eventID,
|
2014-01-08 04:00:54 +00:00
|
|
|
virConnectObjectEventGenericCallback callback,
|
|
|
|
int *remoteID)
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
{
|
|
|
|
int ret = -1;
|
|
|
|
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectLock(state);
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
ret = virObjectEventCallbackLookup(conn, state->callbacks, NULL,
|
2014-01-08 04:00:54 +00:00
|
|
|
klass, eventID, callback, true,
|
|
|
|
remoteID);
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectUnlock(state);
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
|
|
|
|
if (ret < 0)
|
2014-01-08 17:10:49 +00:00
|
|
|
virReportError(VIR_ERR_INVALID_ARG,
|
event: don't let old-style events clobber per-domain events
Right now, the older virConnectDomainEventRegister (takes a
function pointer, returns 0 on success) and the newer
virConnectDomainEventRegisterID (takes an eventID, returns a
callbackID) share the underlying implementation (the older
API ends up consuming a callbackID for eventID 0 under the
hood). We implemented that by a lot of copy and pasted
code between object_event.c and domain_event.c, according to
whether we are dealing with a function pointer or an eventID.
However, our copy and paste is not symmetric. Consider this
sequence:
id1 = virConnectDomainEventRegisterAny(conn, dom,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_DOMAIN_EVENT_CALLBACK(callback), NULL, NULL);
virConnectDomainEventRegister(conn, callback, NULL, NULL);
virConnectDomainEventDeregister(conn, callback);
virConnectDomainEventDeregsiterAny(conn, id1);
the first three calls would succeed, but the third call ended
up nuking the id1 callbackID (the per-domain new-style handler),
then the fourth call failed with an error about an unknown
callbackID, leaving us with the global handler (old-style) still
live and receiving events. It required another old-style
deregister to clean up the mess. Root cause was that
virDomainEventCallbackList{Remove,MarkDelete} were only
checking for function pointer match, rather than also checking
for whether the registration was global.
Rather than playing with the guts of object_event ourselves
in domain_event, it is nicer to add a mapping function for the
internal callback id, then share common code for event removal.
For now, the function-to-id mapping is used only internally;
I thought about whether a new public API to let a user learn
the callback would be useful, but decided exposing this to the
user is probably a disservice, since we already publicly
document that they should avoid the old style, and since this
patch already demonstrates that older libvirt versions have
weird behavior when mixing old and new styles.
And like all good bug fix patches, I enhanced the testsuite,
validating that the changes in tests/ expose the failure
without the rest of the patch.
* src/conf/object_event.c (virObjectEventCallbackLookup)
(virObjectEventStateCallbackID): New functions.
(virObjectEventCallbackLookup): Use helper function.
* src/conf/object_event_private.h (virObjectEventStateCallbackID):
Declare new function.
* src/conf/domain_event.c (virDomainEventStateRegister)
(virDomainEventStateDeregister): Let common code handle the
complexity.
(virDomainEventCallbackListRemove)
(virDomainEventCallbackListMarkDelete)
(virDomainEventCallbackListAdd): Drop unused functions.
* tests/objecteventtest.c (testDomainCreateXMLMixed): New test.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-03 23:50:14 +00:00
|
|
|
_("event callback function %p not registered"),
|
|
|
|
callback);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2013-11-26 14:10:15 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* virObjectEventStateEventID:
|
|
|
|
* @conn: connection associated with the callback
|
|
|
|
* @state: object event state
|
|
|
|
* @callbackID: the callback to query
|
2014-01-06 12:32:55 +00:00
|
|
|
* @remoteID: optionally output remote ID of the callback
|
2013-11-26 14:10:15 +00:00
|
|
|
*
|
2014-01-06 12:32:55 +00:00
|
|
|
* Query what event ID type is associated with the callback
|
|
|
|
* @callbackID for connection @conn. If @remoteID is non-null, it
|
|
|
|
* will be set to the remote id previously registered with
|
|
|
|
* virObjectEventStateSetRemote().
|
2013-11-26 14:10:15 +00:00
|
|
|
*
|
|
|
|
* Returns 0 on success, -1 on error
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
virObjectEventStateEventID(virConnectPtr conn,
|
|
|
|
virObjectEventStatePtr state,
|
2014-01-06 12:32:55 +00:00
|
|
|
int callbackID,
|
|
|
|
int *remoteID)
|
2013-11-26 14:10:15 +00:00
|
|
|
{
|
2014-01-08 17:10:49 +00:00
|
|
|
int ret = -1;
|
|
|
|
size_t i;
|
|
|
|
virObjectEventCallbackListPtr cbList = state->callbacks;
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectLock(state);
|
2014-01-08 17:10:49 +00:00
|
|
|
for (i = 0; i < cbList->count; i++) {
|
|
|
|
virObjectEventCallbackPtr cb = cbList->callbacks[i];
|
|
|
|
|
|
|
|
if (cb->deleted)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (cb->callbackID == callbackID && cb->conn == conn) {
|
2014-01-06 12:32:55 +00:00
|
|
|
if (remoteID)
|
|
|
|
*remoteID = cb->remoteID;
|
2014-01-08 17:10:49 +00:00
|
|
|
ret = cb->eventID;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectUnlock(state);
|
2014-01-08 17:10:49 +00:00
|
|
|
|
|
|
|
if (ret < 0)
|
|
|
|
virReportError(VIR_ERR_INVALID_ARG,
|
|
|
|
_("event callback id %d not registered"),
|
|
|
|
callbackID);
|
2013-11-26 14:10:15 +00:00
|
|
|
return ret;
|
|
|
|
}
|
2014-01-06 12:32:55 +00:00
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* virObjectEventStateSetRemote:
|
|
|
|
* @conn: connection associated with the callback
|
|
|
|
* @state: object event state
|
|
|
|
* @callbackID: the callback to adjust
|
|
|
|
* @remoteID: the remote ID to associate with the callback
|
|
|
|
*
|
|
|
|
* Update @callbackID for connection @conn to record that it is now
|
|
|
|
* tied to @remoteID, and will therefore only match events that are
|
|
|
|
* sent with virObjectEventStateQueueRemote() with the same remote ID.
|
|
|
|
* Silently does nothing if @callbackID is invalid.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
virObjectEventStateSetRemote(virConnectPtr conn,
|
|
|
|
virObjectEventStatePtr state,
|
|
|
|
int callbackID,
|
|
|
|
int remoteID)
|
|
|
|
{
|
|
|
|
size_t i;
|
|
|
|
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectLock(state);
|
2014-01-06 12:32:55 +00:00
|
|
|
for (i = 0; i < state->callbacks->count; i++) {
|
|
|
|
virObjectEventCallbackPtr cb = state->callbacks->callbacks[i];
|
|
|
|
|
|
|
|
if (cb->deleted)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (cb->callbackID == callbackID && cb->conn == conn) {
|
|
|
|
cb->remoteID = remoteID;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
2016-10-11 07:48:36 +00:00
|
|
|
virObjectUnlock(state);
|
2014-01-06 12:32:55 +00:00
|
|
|
}
|