tests: dynamically replace dnsmasq path
The path to the dnsmasq binary can be configured while in the test data
the path is hard-coded to /usr/bin/. This break the test suite if a the
binary is located in a different location, like /usr/local/sbin/.
Replace the hard coded path in the test data by a token, which is
dynamically replaced in networkxml2argvtest with the configured path
after the test data has been loaded.
(Another option would have been to modify configure.ac to generate the
test data during configure, but I do not know of an easy way do trick
configure into mass-generate those test files without listing every
single one, which I consider less flexible.)
- unit-test the unit-test:
#include <assert.h>
#define TEST(in,token,rep,out) { char *buf = strdup(in); assert(!replaceTokens(&buf, token, rep) && !strcmp(buf, out)); free(buf); }
TEST("", "AA", "B", "");
TEST("A", "AA", "B", "A");
TEST("AA", "AA", "B", "B");
TEST("AAA", "AA", "B", "BA");
TEST("AA", "AA", "BB", "BB");
TEST("AA", "AA", "BBB", "BBB");
TEST("<AA", "AA", "B", "<B");
TEST("<AA", "AA", "BB", "<BB");
TEST("<AA", "AA", "BBB", "<BBB");
TEST("AA>", "AA", "B", "B>");
TEST("AA>", "AA", "BB", "BB>");
TEST("AA>", "AA", "BBB", "BBB>");
TEST("<AA>", "AA", "B", "<B>");
TEST("<AA>", "AA", "BB", "<BB>");
TEST("<AA>", "AA", "BBB", "<BBB>");
TEST("<AA|AA>", "AA", "B", "<B|B>");
TEST("<AA|AA>", "AA", "BB", "<BB|BB>");
TEST("<AA|AA>", "AA", "BBB", "<BBB|BBB>");
TEST("<AAAA>", "AA", "B", "<BB>");
TEST("<AAAA>", "AA", "BB", "<BBBB>");
TEST("<AAAA>", "AA", "BBB", "<BBBBBB>");
TEST("AAAA>", "AA", "B", "BB>");
TEST("AAAA>", "AA", "BB", "BBBB>");
TEST("AAAA>", "AA", "BBB", "BBBBBB>");
TEST("<AAAA", "AA", "B", "<BB");
TEST("<AAAA", "AA", "BB", "<BBBB");
TEST("<AAAA", "AA", "BBB", "<BBBBBB");
alarm(1); /* no infinite loop */
TEST("A", "A", "A", "A");
TEST("AA", "A", "A", "AA");
alarm(0);
Signed-off-by: Philipp Hahn <hahn@univention.de>
2012-01-30 17:13:08 +00:00
|
|
|
@DNSMASQ@ \
|
2012-01-02 14:23:54 +00:00
|
|
|
--strict-order \
|
2012-09-06 16:08:22 +00:00
|
|
|
--local=// --domain-needed --conf-file= \
|
network: prevent dnsmasq from listening on localhost
This patch resolves the problem reported in:
https://bugzilla.redhat.com/show_bug.cgi?id=886663
The source of the problem was the fix for CVE 2011-3411:
https://bugzilla.redhat.com/show_bug.cgi?id=833033
which was originally committed upstream in commit
753ff83a50263d6975f88d6605d4b5ddfcc97560. That commit improperly
removed the "--except-interface lo" from dnsmasq commandlines when
--bind-dynamic was used (based on comments in the latter bug).
It turns out that the problem reported in the CVE could be eliminated
without removing "--except-interface lo", and removing it actually
caused each instance of dnsmasq to listen on localhost on port 53,
which created a new problem:
If another instance of dnsmasq using "bind-interfaces" (instead of
"bind-dynamic") had already been started (or if another instance
started later used "bind-dynamic"), this wouldn't have any immediately
visible ill effects, but if you tried to start another dnsmasq
instance using "bind-interfaces" *after* starting any libvirt
networks, the new dnsmasq would fail to start, because there was
already another process listening on port 53.
This patch changes the network driver to *always* add
"except-interface=lo" to dnsmasq conf files, regardless of whether we use
bind-dynamic or bind-interfaces. This way no libvirt dnsmasq instances
are listening on localhost (and the CVE is still fixed).
The actual code change is miniscule, but must be propogated through all
of the test files as well.
(This is *not* a cherry-pick of the upstream commit that fixes the bug
(commit d66eb7866757dd371560c288dc6201fb9348792a), because subsequent
to the CVE fix, another patch changed the network driver to put
dnsmasq options in a conf file rather than directly on the dnsmasq
commandline preserving the same options), so a cherry-pick is just one
very large conflict.)
2012-12-13 06:46:40 +00:00
|
|
|
--except-interface lo --bind-interfaces \
|
2012-01-02 14:23:54 +00:00
|
|
|
--listen-address 192.168.122.1 \
|
|
|
|
|
--listen-address 192.168.123.1 \
|
network: use dnsmasq --bind-dynamic when available
This bug resolves CVE-2012-3411, which is described in the following
bugzilla report:
https://bugzilla.redhat.com/show_bug.cgi?id=833033
The following report is specifically for libvirt on Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=874702
In short, a dnsmasq instance run with the intention of listening for
DHCP/DNS requests only on a libvirt virtual network (which is
constructed using a Linux host bridge) would also answer queries sent
from outside the virtualization host.
This patch takes advantage of a new dnsmasq option "--bind-dynamic",
which will cause the listening socket to be setup such that it will
only receive those requests that actually come in via the bridge
interface. In order for this behavior to actually occur, not only must
"--bind-interfaces" be replaced with "--bind-dynamic", but also all
"--listen-address" options must be replaced with a single
"--interface" option. Fully:
--bind-interfaces --except-interface lo --listen-address x.x.x.x ...
(with --listen-address possibly repeated) is replaced with:
--bind-dynamic --interface virbrX
Of course libvirt can't use this new option if the host's dnsmasq
doesn't have it, but we still want libvirt to function (because the
great majority of libvirt installations, which only have mode='nat'
networks using RFC1918 private address ranges (e.g. 192.168.122.0/24),
are immune to this vulnerability from anywhere beyond the local subnet
of the host), so we use the new dnsmasqCaps API to check if dnsmasq
supports the new option and, if not, we use the "old" option style
instead. In order to assure that this permissiveness doesn't lead to a
vulnerable system, we do check for non-private addresses in this case,
and refuse to start the network if both a) we are using the old-style
options, and b) the network has a publicly routable IP
address. Hopefully this will provide the proper balance of not being
disruptive to those not practically affected, and making sure that
those who *are* affected get their dnsmasq upgraded.
(--bind-dynamic was added to dnsmasq in upstream commit
54dd393f3938fc0c19088fbd319b95e37d81a2b0, which was included in
dnsmasq-2.63)
2012-11-22 02:21:02 +00:00
|
|
|
--listen-address fc00:db8:ac10:fe01::1 \
|
|
|
|
|
--listen-address fc00:db8:ac10:fd01::1 \
|
2012-01-02 14:23:54 +00:00
|
|
|
--listen-address 10.24.10.1 \
|
network: use dnsmasq --bind-dynamic when available
This bug resolves CVE-2012-3411, which is described in the following
bugzilla report:
https://bugzilla.redhat.com/show_bug.cgi?id=833033
The following report is specifically for libvirt on Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=874702
In short, a dnsmasq instance run with the intention of listening for
DHCP/DNS requests only on a libvirt virtual network (which is
constructed using a Linux host bridge) would also answer queries sent
from outside the virtualization host.
This patch takes advantage of a new dnsmasq option "--bind-dynamic",
which will cause the listening socket to be setup such that it will
only receive those requests that actually come in via the bridge
interface. In order for this behavior to actually occur, not only must
"--bind-interfaces" be replaced with "--bind-dynamic", but also all
"--listen-address" options must be replaced with a single
"--interface" option. Fully:
--bind-interfaces --except-interface lo --listen-address x.x.x.x ...
(with --listen-address possibly repeated) is replaced with:
--bind-dynamic --interface virbrX
Of course libvirt can't use this new option if the host's dnsmasq
doesn't have it, but we still want libvirt to function (because the
great majority of libvirt installations, which only have mode='nat'
networks using RFC1918 private address ranges (e.g. 192.168.122.0/24),
are immune to this vulnerability from anywhere beyond the local subnet
of the host), so we use the new dnsmasqCaps API to check if dnsmasq
supports the new option and, if not, we use the "old" option style
instead. In order to assure that this permissiveness doesn't lead to a
vulnerable system, we do check for non-private addresses in this case,
and refuse to start the network if both a) we are using the old-style
options, and b) the network has a publicly routable IP
address. Hopefully this will provide the proper balance of not being
disruptive to those not practically affected, and making sure that
those who *are* affected get their dnsmasq upgraded.
(--bind-dynamic was added to dnsmasq in upstream commit
54dd393f3938fc0c19088fbd319b95e37d81a2b0, which was included in
dnsmasq-2.63)
2012-11-22 02:21:02 +00:00
|
|
|
--srv-host=name.tcp.,,,, \
|
2012-01-02 14:23:54 +00:00
|
|
|
--dhcp-range 192.168.122.2,192.168.122.254 \
|
|
|
|
|
--dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
|
|
|
|
|
--dhcp-lease-max=253 \
|
|
|
|
|
--dhcp-no-override \
|
network: always create dnsmasq hosts and addnhosts files, even if empty
This fixes the problem reported in:
https://bugzilla.redhat.com/show_bug.cgi?id=868389
Previously, the dnsmasq hosts file (used for static dhcp entries, and
addnhosts file (used for additional dns host entries) were only
created/referenced on the dnsmasq commandline if there was something
to put in them at the time the network was started. Once we can update
a network definition while it's active (which is now possible with
virNetworkUpdate), this is no longer a valid strategy - if there were
0 dhcp static hosts (resulting in no reference to the hosts file on the
commandline), then one was later added, the commandline wouldn't have
linked dnsmasq up to the file, so even though we create it, dnsmasq
doesn't pay any attention.
The solution is to just always create these files and reference them
on the dnsmasq commandline (almost always, anyway). That way dnsmasq
can notice when a new entry is added at runtime (a SIGHUP is sent to
dnsmasq by virNetworkUdpate whenever a host entry is added or removed)
The exception to this is that the dhcp static hosts file isn't created
if there are no lease ranges *and* no static hosts. This is because in
this case dnsmasq won't be setup to listen for dhcp requests anyway -
in that case, if the count of dhcp hosts goes from 0 to 1, dnsmasq
will need to be restarted anyway (to get it listening on the dhcp
port). Likewise, if the dhcp hosts count goes from 1 to 0 (and there
are no dhcp ranges) we need to restart dnsmasq so that it will stop
listening on port 67. These special situations are handled in the
bridge driver's networkUpdate() by checking for ((bool)
nranges||nhosts) both before and after the update, and triggering a
dnsmasq restart if the before and after don't match.
(cherry picked from commit 1cb1f9dabf8e9c9fc8dfadbb3097776ca5f2c68c)
2012-10-19 20:15:44 +00:00
|
|
|
--dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile \
|
|
|
|
|
--addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts\
|
