libvirt/src/conf/domain_event.h

337 lines
13 KiB
C
Raw Normal View History

/*
* domain_event.h: domain event queue processing helpers
*
event: filter global events by domain:getattr ACL [CVE-2014-0028] Ever since ACL filtering was added in commit 7639736 (v1.1.1), a user could still use event registration to obtain access to a domain that they could not normally access via virDomainLookup* or virConnectListAllDomains and friends. We already have the framework in the RPC generator for creating the filter, and previous cleanup patches got us to the point that we can now wire the filter through the entire object event stack. Furthermore, whether or not domain:getattr is honored, use of global events is a form of obtaining a list of networks, which is covered by connect:search_domains added in a93cd08 (v1.1.0). Ideally, we'd have a way to enforce connect:search_domains when doing global registrations while omitting that check on a per-domain registration. But this patch just unconditionally requires connect:search_domains, even when no list could be obtained, based on the following observations: 1. Administrators are unlikely to grant domain:getattr for one or all domains while still denying connect:search_domains - a user that is able to manage domains will want to be able to manage them efficiently, but efficient management includes being able to list the domains they can access. The idea of denying connect:search_domains while still granting access to individual domains is therefore not adding any real security, but just serves as a layer of obscurity to annoy the end user. 2. In the current implementation, domain events are filtered on the client; the server has no idea if a domain filter was requested, and must therefore assume that all domain event requests are global. Even if we fix the RPC protocol to allow for server-side filtering for newer client/server combos, making the connect:serach_domains ACL check conditional on whether the domain argument was NULL won't benefit older clients. Therefore, we choose to document that connect:search_domains is a pre-requisite to any domain event management. Network events need the same treatment, with the obvious change of using connect:search_networks and network:getattr. * src/access/viraccessperm.h (VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS) (VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS): Document additional effect of the permission. * src/conf/domain_event.h (virDomainEventStateRegister) (virDomainEventStateRegisterID): Add new parameter. * src/conf/network_event.h (virNetworkEventStateRegisterID): Likewise. * src/conf/object_event_private.h (virObjectEventStateRegisterID): Likewise. * src/conf/object_event.c (_virObjectEventCallback): Track a filter. (virObjectEventDispatchMatchCallback): Use filter. (virObjectEventCallbackListAddID): Register filter. * src/conf/domain_event.c (virDomainEventFilter): New function. (virDomainEventStateRegister, virDomainEventStateRegisterID): Adjust callers. * src/conf/network_event.c (virNetworkEventFilter): New function. (virNetworkEventStateRegisterID): Adjust caller. * src/remote/remote_protocol.x (REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER) (REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY) (REMOTE_PROC_CONNECT_NETWORK_EVENT_REGISTER_ANY): Generate a filter, and require connect:search_domains instead of weaker connect:read. * src/test/test_driver.c (testConnectDomainEventRegister) (testConnectDomainEventRegisterAny) (testConnectNetworkEventRegisterAny): Update callers. * src/remote/remote_driver.c (remoteConnectDomainEventRegister) (remoteConnectDomainEventRegisterAny): Likewise. * src/xen/xen_driver.c (xenUnifiedConnectDomainEventRegister) (xenUnifiedConnectDomainEventRegisterAny): Likewise. * src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc): Likewise. * src/libxl/libxl_driver.c (libxlConnectDomainEventRegister) (libxlConnectDomainEventRegisterAny): Likewise. * src/qemu/qemu_driver.c (qemuConnectDomainEventRegister) (qemuConnectDomainEventRegisterAny): Likewise. * src/uml/uml_driver.c (umlConnectDomainEventRegister) (umlConnectDomainEventRegisterAny): Likewise. * src/network/bridge_driver.c (networkConnectNetworkEventRegisterAny): Likewise. * src/lxc/lxc_driver.c (lxcConnectDomainEventRegister) (lxcConnectDomainEventRegisterAny): Likewise. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-08 20:34:48 +00:00
* Copyright (C) 2012-2014 Red Hat, Inc.
* Copyright (C) 2008 VirtualIron
* Copyright (C) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*/
#pragma once
#include "internal.h"
#include "object_event.h"
#include "domain_conf.h"
2008-12-04 21:09:20 +00:00
virObjectEvent *
2013-12-11 10:38:03 +00:00
virDomainEventLifecycleNew(int id,
const char *name,
const unsigned char *uuid,
int type,
int detail);
virObjectEvent *
2013-12-11 10:38:03 +00:00
virDomainEventLifecycleNewFromDom(virDomainPtr dom,
int type,
int detail);
virObjectEvent *
virDomainEventLifecycleNewFromObj(virDomainObj *obj,
2013-12-11 10:38:03 +00:00
int type,
int detail);
virObjectEvent *
virDomainEventLifecycleNewFromDef(virDomainDef *def,
2013-12-11 10:38:03 +00:00
int type,
int detail);
virObjectEvent *
2013-12-11 10:38:03 +00:00
virDomainEventRebootNew(int id,
const char *name,
const unsigned char *uuid);
virObjectEvent *
2013-12-11 10:38:03 +00:00
virDomainEventRebootNewFromDom(virDomainPtr dom);
virObjectEvent *
virDomainEventRebootNewFromObj(virDomainObj *obj);
2013-12-11 10:38:03 +00:00
virObjectEvent *
2013-12-11 10:38:03 +00:00
virDomainEventRTCChangeNewFromDom(virDomainPtr dom,
long long offset);
virObjectEvent *
virDomainEventRTCChangeNewFromObj(virDomainObj *obj,
2013-12-11 10:38:03 +00:00
long long offset);
virObjectEvent *
2013-12-11 10:38:03 +00:00
virDomainEventWatchdogNewFromDom(virDomainPtr dom,
int action);
virObjectEvent *
virDomainEventWatchdogNewFromObj(virDomainObj *obj,
2013-12-11 10:38:03 +00:00
int action);
virObjectEvent *
2013-12-11 10:38:03 +00:00
virDomainEventIOErrorNewFromDom(virDomainPtr dom,
const char *srcPath,
const char *devAlias,
int action);
virObjectEvent *
virDomainEventIOErrorNewFromObj(virDomainObj *obj,
2013-12-11 10:38:03 +00:00
const char *srcPath,
const char *devAlias,
int action);
virObjectEvent *
2013-12-11 10:38:03 +00:00
virDomainEventIOErrorReasonNewFromDom(virDomainPtr dom,
const char *srcPath,
const char *devAlias,
int action,
const char *reason);
virObjectEvent *
virDomainEventIOErrorReasonNewFromObj(virDomainObj *obj,
2013-12-11 10:38:03 +00:00
const char *srcPath,
const char *devAlias,
int action,
const char *reason);
virObjectEvent *
2013-12-11 10:38:03 +00:00
virDomainEventGraphicsNewFromDom(virDomainPtr dom,
int phase,
virDomainEventGraphicsAddressPtr local,
virDomainEventGraphicsAddressPtr remote,
const char *authScheme,
virDomainEventGraphicsSubjectPtr subject);
virObjectEvent *
virDomainEventGraphicsNewFromObj(virDomainObj *obj,
2013-12-11 10:38:03 +00:00
int phase,
virDomainEventGraphicsAddressPtr local,
virDomainEventGraphicsAddressPtr remote,
const char *authScheme,
virDomainEventGraphicsSubjectPtr subject);
virObjectEvent *
2013-12-11 10:38:03 +00:00
virDomainEventControlErrorNewFromDom(virDomainPtr dom);
virObjectEvent *
virDomainEventControlErrorNewFromObj(virDomainObj *obj);
2013-12-11 10:38:03 +00:00
virObjectEvent *
virDomainEventBlockJobNewFromObj(virDomainObj *obj,
2013-12-11 10:38:03 +00:00
const char *path,
int type,
int status);
virObjectEvent *
2013-12-11 10:38:03 +00:00
virDomainEventBlockJobNewFromDom(virDomainPtr dom,
const char *path,
int type,
int status);
virObjectEvent *
virDomainEventBlockJob2NewFromObj(virDomainObj *obj,
blockjob: use stable disk string in job event When the block job event was first added, it was for block pull, where the active layer of the disk remains the same name. It was also in a day where we only cared about local files, and so we always had a canonical absolute file name. But two things have changed since then: we now have network disks, where determining a single absolute string does not really make sense; and we have two-phase jobs (copy and active commit) where the name of the active layer changes between the first event (ready, on the old name) and second (complete, on the pivoted name). Adam Litke reported that having an unstable string between events makes life harder for clients. Furthermore, all of our API that operate on a particular disk of a domain accept multiple strings: not only the absolute name of the active layer, but also the destination device name (such as 'vda'). As this latter name is stable, even for network sources, it serves as a better string to supply in block job events. But backwards-compatibility demands that we should not change the name handed to users unless they explicitly request it. Therefore, this patch adds a new event, BLOCK_JOB_2 (alas, I couldn't think of any nicer name - but at least Migrate2 and Migrate3 are precedent for a number suffix). We must double up on emitting both old-style and new-style events according to what clients have registered for (see also how IOError and IOErrorReason emits double events, but there the difference was a larger struct rather than changed meaning of one of the struct members). Unfortunately, adding a new event isn't something that can easily be broken into pieces, so the commit is rather large. * include/libvirt/libvirt.h.in (virDomainEventID): Add a new id for VIR_DOMAIN_EVENT_ID_BLOCK_JOB_2. (virConnectDomainEventBlockJobCallback): Document new semantics. * src/conf/domain_event.c (_virDomainEventBlockJob): Rename field, to ensure we catch all clients. (virDomainEventBlockJobNew): Add parameter. (virDomainEventBlockJobDispose) (virDomainEventBlockJobNewFromObj) (virDomainEventBlockJobNewFromDom) (virDomainEventDispatchDefaultFunc): Adjust clients. (virDomainEventBlockJob2NewFromObj) (virDomainEventBlockJob2NewFromDom): New functions. * src/conf/domain_event.h: Add new prototypes. * src/libvirt_private.syms (domain_event.h): Export new functions. * src/qemu/qemu_driver.c (qemuDomainBlockJobImpl): Generate two different events. * src/qemu/qemu_process.c (qemuProcessHandleBlockJob): Likewise. * src/remote/remote_protocol.x (remote_domain_event_block_job_2_msg): New struct. (REMOTE_PROC_DOMAIN_EVENT_BLOCK_JOB_2): New RPC. * src/remote/remote_driver.c (remoteDomainBuildEventBlockJob2): New handler. (remoteEvents): Register new event. * daemon/remote.c (remoteRelayDomainEventBlockJob2): New handler. (domainEventCallbacks): Register new event. * tools/virsh-domain.c (vshEventCallbacks): Likewise. (vshEventBlockJobPrint): Adjust client. * src/remote_protocol-structs: Regenerate. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-06-14 13:18:04 +00:00
const char *dst,
int type,
int status);
virObjectEvent *
blockjob: use stable disk string in job event When the block job event was first added, it was for block pull, where the active layer of the disk remains the same name. It was also in a day where we only cared about local files, and so we always had a canonical absolute file name. But two things have changed since then: we now have network disks, where determining a single absolute string does not really make sense; and we have two-phase jobs (copy and active commit) where the name of the active layer changes between the first event (ready, on the old name) and second (complete, on the pivoted name). Adam Litke reported that having an unstable string between events makes life harder for clients. Furthermore, all of our API that operate on a particular disk of a domain accept multiple strings: not only the absolute name of the active layer, but also the destination device name (such as 'vda'). As this latter name is stable, even for network sources, it serves as a better string to supply in block job events. But backwards-compatibility demands that we should not change the name handed to users unless they explicitly request it. Therefore, this patch adds a new event, BLOCK_JOB_2 (alas, I couldn't think of any nicer name - but at least Migrate2 and Migrate3 are precedent for a number suffix). We must double up on emitting both old-style and new-style events according to what clients have registered for (see also how IOError and IOErrorReason emits double events, but there the difference was a larger struct rather than changed meaning of one of the struct members). Unfortunately, adding a new event isn't something that can easily be broken into pieces, so the commit is rather large. * include/libvirt/libvirt.h.in (virDomainEventID): Add a new id for VIR_DOMAIN_EVENT_ID_BLOCK_JOB_2. (virConnectDomainEventBlockJobCallback): Document new semantics. * src/conf/domain_event.c (_virDomainEventBlockJob): Rename field, to ensure we catch all clients. (virDomainEventBlockJobNew): Add parameter. (virDomainEventBlockJobDispose) (virDomainEventBlockJobNewFromObj) (virDomainEventBlockJobNewFromDom) (virDomainEventDispatchDefaultFunc): Adjust clients. (virDomainEventBlockJob2NewFromObj) (virDomainEventBlockJob2NewFromDom): New functions. * src/conf/domain_event.h: Add new prototypes. * src/libvirt_private.syms (domain_event.h): Export new functions. * src/qemu/qemu_driver.c (qemuDomainBlockJobImpl): Generate two different events. * src/qemu/qemu_process.c (qemuProcessHandleBlockJob): Likewise. * src/remote/remote_protocol.x (remote_domain_event_block_job_2_msg): New struct. (REMOTE_PROC_DOMAIN_EVENT_BLOCK_JOB_2): New RPC. * src/remote/remote_driver.c (remoteDomainBuildEventBlockJob2): New handler. (remoteEvents): Register new event. * daemon/remote.c (remoteRelayDomainEventBlockJob2): New handler. (domainEventCallbacks): Register new event. * tools/virsh-domain.c (vshEventCallbacks): Likewise. (vshEventBlockJobPrint): Adjust client. * src/remote_protocol-structs: Regenerate. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-06-14 13:18:04 +00:00
virDomainEventBlockJob2NewFromDom(virDomainPtr dom,
const char *dst,
int type,
int status);
virObjectEvent *
virDomainEventDiskChangeNewFromObj(virDomainObj *obj,
2013-12-11 10:38:03 +00:00
const char *oldSrcPath,
const char *newSrcPath,
const char *devAlias,
int reason);
virObjectEvent *
2013-12-11 10:38:03 +00:00
virDomainEventDiskChangeNewFromDom(virDomainPtr dom,
const char *oldSrcPath,
const char *newSrcPath,
const char *devAlias,
int reason);
virObjectEvent *
virDomainEventTrayChangeNewFromObj(virDomainObj *obj,
2013-12-11 10:38:03 +00:00
const char *devAlias,
int reason);
virObjectEvent *
2013-12-11 10:38:03 +00:00
virDomainEventTrayChangeNewFromDom(virDomainPtr dom,
const char *devAlias,
int reason);
virObjectEvent *
virDomainEventPMWakeupNewFromObj(virDomainObj *obj);
virObjectEvent *
event: pass reason for PM events Commit 57ddcc23 (v0.9.11) introduced the pmwakeup event, with an optional 'reason' field reserved for possible future expansion. But it failed to wire the field through RPC, so even if we do add a reason in the future, we will be unable to get it back to the user. Worse, commit 7ba5defb (v1.0.0) repeated the same mistake with the pmsuspend_disk event. As long as we are adding new RPC calls, we might as well fix the events to actually match the signature so that we don't have to add yet another RPC in the future if we do decide to start using the reason field. * src/remote/remote_protocol.x (remote_domain_event_callback_pmwakeup_msg) (remote_domain_event_callback_pmsuspend_msg) (remote_domain_event_callback_pmsuspend_disk_msg): Add reason field. * daemon/remote.c (remoteRelayDomainEventPMWakeup) (remoteRelayDomainEventPMSuspend) (remoteRelayDomainEventPMSuspendDisk): Pass reason to client. * src/conf/domain_event.h (virDomainEventPMWakeupNewFromDom) (virDomainEventPMSuspendNewFromDom) (virDomainEventPMSuspendDiskNewFromDom): Require additional parameter. * src/conf/domain_event.c (virDomainEventPMClass): New class. (virDomainEventPMDispose): New function. (virDomainEventPMWakeupNew*, virDomainEventPMSuspendNew*) (virDomainEventPMSuspendDiskNew*) (virDomainEventDispatchDefaultFunc): Use new class. * src/remote/remote_driver.c (remoteDomainBuildEvent*PM*): Pass reason through. * src/remote_protocol-structs: Regenerate. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-29 00:41:34 +00:00
virDomainEventPMWakeupNewFromDom(virDomainPtr dom, int reason);
virObjectEvent *
virDomainEventPMSuspendNewFromObj(virDomainObj *obj);
virObjectEvent *
event: pass reason for PM events Commit 57ddcc23 (v0.9.11) introduced the pmwakeup event, with an optional 'reason' field reserved for possible future expansion. But it failed to wire the field through RPC, so even if we do add a reason in the future, we will be unable to get it back to the user. Worse, commit 7ba5defb (v1.0.0) repeated the same mistake with the pmsuspend_disk event. As long as we are adding new RPC calls, we might as well fix the events to actually match the signature so that we don't have to add yet another RPC in the future if we do decide to start using the reason field. * src/remote/remote_protocol.x (remote_domain_event_callback_pmwakeup_msg) (remote_domain_event_callback_pmsuspend_msg) (remote_domain_event_callback_pmsuspend_disk_msg): Add reason field. * daemon/remote.c (remoteRelayDomainEventPMWakeup) (remoteRelayDomainEventPMSuspend) (remoteRelayDomainEventPMSuspendDisk): Pass reason to client. * src/conf/domain_event.h (virDomainEventPMWakeupNewFromDom) (virDomainEventPMSuspendNewFromDom) (virDomainEventPMSuspendDiskNewFromDom): Require additional parameter. * src/conf/domain_event.c (virDomainEventPMClass): New class. (virDomainEventPMDispose): New function. (virDomainEventPMWakeupNew*, virDomainEventPMSuspendNew*) (virDomainEventPMSuspendDiskNew*) (virDomainEventDispatchDefaultFunc): Use new class. * src/remote/remote_driver.c (remoteDomainBuildEvent*PM*): Pass reason through. * src/remote_protocol-structs: Regenerate. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-29 00:41:34 +00:00
virDomainEventPMSuspendNewFromDom(virDomainPtr dom, int reason);
2013-12-11 10:38:03 +00:00
virObjectEvent *
2013-12-11 10:38:03 +00:00
virDomainEventBalloonChangeNewFromDom(virDomainPtr dom,
unsigned long long actual);
virObjectEvent *
virDomainEventBalloonChangeNewFromObj(virDomainObj *obj,
2013-12-11 10:38:03 +00:00
unsigned long long actual);
virObjectEvent *
virDomainEventPMSuspendDiskNewFromObj(virDomainObj *obj);
virObjectEvent *
event: pass reason for PM events Commit 57ddcc23 (v0.9.11) introduced the pmwakeup event, with an optional 'reason' field reserved for possible future expansion. But it failed to wire the field through RPC, so even if we do add a reason in the future, we will be unable to get it back to the user. Worse, commit 7ba5defb (v1.0.0) repeated the same mistake with the pmsuspend_disk event. As long as we are adding new RPC calls, we might as well fix the events to actually match the signature so that we don't have to add yet another RPC in the future if we do decide to start using the reason field. * src/remote/remote_protocol.x (remote_domain_event_callback_pmwakeup_msg) (remote_domain_event_callback_pmsuspend_msg) (remote_domain_event_callback_pmsuspend_disk_msg): Add reason field. * daemon/remote.c (remoteRelayDomainEventPMWakeup) (remoteRelayDomainEventPMSuspend) (remoteRelayDomainEventPMSuspendDisk): Pass reason to client. * src/conf/domain_event.h (virDomainEventPMWakeupNewFromDom) (virDomainEventPMSuspendNewFromDom) (virDomainEventPMSuspendDiskNewFromDom): Require additional parameter. * src/conf/domain_event.c (virDomainEventPMClass): New class. (virDomainEventPMDispose): New function. (virDomainEventPMWakeupNew*, virDomainEventPMSuspendNew*) (virDomainEventPMSuspendDiskNew*) (virDomainEventDispatchDefaultFunc): Use new class. * src/remote/remote_driver.c (remoteDomainBuildEvent*PM*): Pass reason through. * src/remote_protocol-structs: Regenerate. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-29 00:41:34 +00:00
virDomainEventPMSuspendDiskNewFromDom(virDomainPtr dom, int reason);
2013-12-11 10:38:03 +00:00
virObjectEvent *
virDomainEventDeviceRemovedNewFromObj(virDomainObj *obj,
2013-12-11 10:38:03 +00:00
const char *devAlias);
virObjectEvent *
2013-12-11 10:38:03 +00:00
virDomainEventDeviceRemovedNewFromDom(virDomainPtr dom,
const char *devAlias);
virObjectEvent *
virDomainEventDeviceAddedNewFromObj(virDomainObj *obj,
const char *devAlias);
virObjectEvent *
virDomainEventDeviceAddedNewFromDom(virDomainPtr dom,
const char *devAlias);
virObjectEvent *
virDomainEventDeviceRemovalFailedNewFromObj(virDomainObj *obj,
const char *devAlias);
virObjectEvent *
virDomainEventDeviceRemovalFailedNewFromDom(virDomainPtr dom,
const char *devAlias);
virObjectEvent *
virDomainEventTunableNewFromObj(virDomainObj *obj,
virTypedParameterPtr params,
int nparams);
virObjectEvent *
virDomainEventTunableNewFromDom(virDomainPtr dom,
virTypedParameterPtr params,
int nparams);
virObjectEvent *
virDomainEventAgentLifecycleNewFromObj(virDomainObj *obj,
int state,
int reason);
virObjectEvent *
virDomainEventAgentLifecycleNewFromDom(virDomainPtr dom,
int state,
int reason);
2013-12-11 10:38:03 +00:00
virObjectEvent *
virDomainEventMigrationIterationNewFromObj(virDomainObj *obj,
int iteration);
virObjectEvent *
virDomainEventMigrationIterationNewFromDom(virDomainPtr dom,
int iteration);
virObjectEvent *
virDomainEventJobCompletedNewFromObj(virDomainObj *obj,
virTypedParameterPtr params,
int nparams);
virObjectEvent *
virDomainEventJobCompletedNewFromDom(virDomainPtr dom,
virTypedParameterPtr params,
int nparams);
virObjectEvent *
virDomainEventMetadataChangeNewFromObj(virDomainObj *obj,
int type,
const char *nsuri);
virObjectEvent *
virDomainEventMetadataChangeNewFromDom(virDomainPtr dom,
int type,
const char *nsuri);
virObjectEvent *
virDomainEventBlockThresholdNewFromObj(virDomainObj *obj,
const char *dev,
const char *path,
unsigned long long threshold,
unsigned long long excess);
virObjectEvent *
virDomainEventBlockThresholdNewFromDom(virDomainPtr dom,
const char *dev,
const char *path,
unsigned long long threshold,
unsigned long long excess);
virObjectEvent *
virDomainEventMemoryFailureNewFromObj(virDomainObj *obj,
int recipient,
int action,
unsigned int flags);
virObjectEvent *
virDomainEventMemoryFailureNewFromDom(virDomainPtr dom,
int recipient,
int action,
unsigned int flags);
2013-12-11 10:38:03 +00:00
int
virDomainEventStateRegister(virConnectPtr conn,
virObjectEventState *state,
2013-12-11 10:38:03 +00:00
virConnectDomainEventCallback callback,
void *opaque,
virFreeCallback freecb)
event: move event filtering to daemon (regression fix) https://bugzilla.redhat.com/show_bug.cgi?id=1058839 Commit f9f56340 for CVE-2014-0028 almost had the right idea - we need to check the ACL rules to filter which events to send. But it overlooked one thing: the event dispatch queue is running in the main loop thread, and therefore does not normally have a current virIdentityPtr. But filter checks can be based on current identity, so when libvirtd.conf contains access_drivers=["polkit"], we ended up rejecting access for EVERY event due to failure to look up the current identity, even if it should have been allowed. Furthermore, even for events that are triggered by API calls, it is important to remember that the point of events is that they can be copied across multiple connections, which may have separate identities and permissions. So even if events were dispatched from a context where we have an identity, we must change to the correct identity of the connection that will be receiving the event, rather than basing a decision on the context that triggered the event, when deciding whether to filter an event to a particular connection. If there were an easy way to get from virConnectPtr to the appropriate virIdentityPtr, then object_event.c could adjust the identity prior to checking whether to dispatch an event. But setting up that back-reference is a bit invasive. Instead, it is easier to delay the filtering check until lower down the stack, at the point where we have direct access to the RPC client object that owns an identity. As such, this patch ends up reverting a large portion of the framework of commit f9f56340. We also have to teach 'make check' to special-case the fact that the event registration filtering is done at the point of dispatch, rather than the point of registration. Note that even though we don't actually use virConnectDomainEventRegisterCheckACL (because the RegisterAny variant is sufficient), we still generate the function for the purposes of documenting that the filtering takes place. Also note that I did not entirely delete the notion of a filter from object_event.c; I still plan on using that for my upcoming patch series for qemu monitor events in libvirt-qemu.so. In other words, while this patch changes ACL filtering to live in remote.c and therefore we have no current client of the filtering in object_event.c, the notion of filtering in object_event.c is still useful down the road. * src/check-aclrules.pl: Exempt event registration from having to pass checkACL filter down call stack. * daemon/remote.c (remoteRelayDomainEventCheckACL) (remoteRelayNetworkEventCheckACL): New functions. (remoteRelay*Event*): Use new functions. * src/conf/domain_event.h (virDomainEventStateRegister) (virDomainEventStateRegisterID): Drop unused parameter. * src/conf/network_event.h (virNetworkEventStateRegisterID): Likewise. * src/conf/domain_event.c (virDomainEventFilter): Delete unused function. * src/conf/network_event.c (virNetworkEventFilter): Likewise. * src/libxl/libxl_driver.c: Adjust caller. * src/lxc/lxc_driver.c: Likewise. * src/network/bridge_driver.c: Likewise. * src/qemu/qemu_driver.c: Likewise. * src/remote/remote_driver.c: Likewise. * src/test/test_driver.c: Likewise. * src/uml/uml_driver.c: Likewise. * src/vbox/vbox_tmpl.c: Likewise. * src/xen/xen_driver.c: Likewise. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-28 21:50:02 +00:00
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
2013-12-11 10:38:03 +00:00
int
virDomainEventStateRegisterID(virConnectPtr conn,
virObjectEventState *state,
2013-12-11 10:38:03 +00:00
virDomainPtr dom,
int eventID,
virConnectDomainEventGenericCallback cb,
void *opaque,
virFreeCallback freecb,
int *callbackID)
event: move event filtering to daemon (regression fix) https://bugzilla.redhat.com/show_bug.cgi?id=1058839 Commit f9f56340 for CVE-2014-0028 almost had the right idea - we need to check the ACL rules to filter which events to send. But it overlooked one thing: the event dispatch queue is running in the main loop thread, and therefore does not normally have a current virIdentityPtr. But filter checks can be based on current identity, so when libvirtd.conf contains access_drivers=["polkit"], we ended up rejecting access for EVERY event due to failure to look up the current identity, even if it should have been allowed. Furthermore, even for events that are triggered by API calls, it is important to remember that the point of events is that they can be copied across multiple connections, which may have separate identities and permissions. So even if events were dispatched from a context where we have an identity, we must change to the correct identity of the connection that will be receiving the event, rather than basing a decision on the context that triggered the event, when deciding whether to filter an event to a particular connection. If there were an easy way to get from virConnectPtr to the appropriate virIdentityPtr, then object_event.c could adjust the identity prior to checking whether to dispatch an event. But setting up that back-reference is a bit invasive. Instead, it is easier to delay the filtering check until lower down the stack, at the point where we have direct access to the RPC client object that owns an identity. As such, this patch ends up reverting a large portion of the framework of commit f9f56340. We also have to teach 'make check' to special-case the fact that the event registration filtering is done at the point of dispatch, rather than the point of registration. Note that even though we don't actually use virConnectDomainEventRegisterCheckACL (because the RegisterAny variant is sufficient), we still generate the function for the purposes of documenting that the filtering takes place. Also note that I did not entirely delete the notion of a filter from object_event.c; I still plan on using that for my upcoming patch series for qemu monitor events in libvirt-qemu.so. In other words, while this patch changes ACL filtering to live in remote.c and therefore we have no current client of the filtering in object_event.c, the notion of filtering in object_event.c is still useful down the road. * src/check-aclrules.pl: Exempt event registration from having to pass checkACL filter down call stack. * daemon/remote.c (remoteRelayDomainEventCheckACL) (remoteRelayNetworkEventCheckACL): New functions. (remoteRelay*Event*): Use new functions. * src/conf/domain_event.h (virDomainEventStateRegister) (virDomainEventStateRegisterID): Drop unused parameter. * src/conf/network_event.h (virNetworkEventStateRegisterID): Likewise. * src/conf/domain_event.c (virDomainEventFilter): Delete unused function. * src/conf/network_event.c (virNetworkEventFilter): Likewise. * src/libxl/libxl_driver.c: Adjust caller. * src/lxc/lxc_driver.c: Likewise. * src/network/bridge_driver.c: Likewise. * src/qemu/qemu_driver.c: Likewise. * src/remote/remote_driver.c: Likewise. * src/test/test_driver.c: Likewise. * src/uml/uml_driver.c: Likewise. * src/vbox/vbox_tmpl.c: Likewise. * src/xen/xen_driver.c: Likewise. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-28 21:50:02 +00:00
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(5);
int
event: prepare client to track domain callbackID We want to convert over to server-side events, even for older APIs. To do that, the client side of the remote driver wants to distinguish between legacy virConnectDomainEventRegister and normal virConnectDomainEventRegisterAny, while knowing the client callbackID and the server's serverID for both types of registration. The client also needs to probe whether the server supports server-side filtering. However, for ease of review, we don't actually use the new RPCs until a later patch. * src/conf/object_event_private.h (virObjectEventStateCallbackID): Add parameter. * src/conf/object_event.c (virObjectEventCallbackListAddID) (virObjectEventStateRegisterID): Separate legacy from callbackID. (virObjectEventStateCallbackID): Pass through parameter. (virObjectEventCallbackLookup): Let legacy and global domain lifecycle events share a common remoteID. * src/conf/network_event.c (virNetworkEventStateRegisterID): Update caller. * src/conf/domain_event.c (virDomainEventStateRegister) (virDomainEventStateRegisterID, virDomainEventStateDeregister): Likewise. (virDomainEventStateRegisterClient) (virDomainEventStateCallbackID): Implement new functions. * src/conf/domain_event.h (virDomainEventStateRegisterClient) (virDomainEventStateCallbackID): New prototypes. * src/remote/remote_driver.c (private_data): Add field. (doRemoteOpen): Probe server feature. (remoteConnectDomainEventRegister) (remoteConnectDomainEventRegisterAny): Use new function. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-08 04:00:54 +00:00
virDomainEventStateRegisterClient(virConnectPtr conn,
virObjectEventState *state,
event: prepare client to track domain callbackID We want to convert over to server-side events, even for older APIs. To do that, the client side of the remote driver wants to distinguish between legacy virConnectDomainEventRegister and normal virConnectDomainEventRegisterAny, while knowing the client callbackID and the server's serverID for both types of registration. The client also needs to probe whether the server supports server-side filtering. However, for ease of review, we don't actually use the new RPCs until a later patch. * src/conf/object_event_private.h (virObjectEventStateCallbackID): Add parameter. * src/conf/object_event.c (virObjectEventCallbackListAddID) (virObjectEventStateRegisterID): Separate legacy from callbackID. (virObjectEventStateCallbackID): Pass through parameter. (virObjectEventCallbackLookup): Let legacy and global domain lifecycle events share a common remoteID. * src/conf/network_event.c (virNetworkEventStateRegisterID): Update caller. * src/conf/domain_event.c (virDomainEventStateRegister) (virDomainEventStateRegisterID, virDomainEventStateDeregister): Likewise. (virDomainEventStateRegisterClient) (virDomainEventStateCallbackID): Implement new functions. * src/conf/domain_event.h (virDomainEventStateRegisterClient) (virDomainEventStateCallbackID): New prototypes. * src/remote/remote_driver.c (private_data): Add field. (doRemoteOpen): Probe server feature. (remoteConnectDomainEventRegister) (remoteConnectDomainEventRegisterAny): Use new function. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-08 04:00:54 +00:00
virDomainPtr dom,
int eventID,
virConnectDomainEventGenericCallback cb,
void *opaque,
virFreeCallback freecb,
bool legacy,
int *callbackID,
bool remoteID)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(5)
ATTRIBUTE_NONNULL(9);
int
virDomainEventStateCallbackID(virConnectPtr conn,
virObjectEventState *state,
event: prepare client to track domain callbackID We want to convert over to server-side events, even for older APIs. To do that, the client side of the remote driver wants to distinguish between legacy virConnectDomainEventRegister and normal virConnectDomainEventRegisterAny, while knowing the client callbackID and the server's serverID for both types of registration. The client also needs to probe whether the server supports server-side filtering. However, for ease of review, we don't actually use the new RPCs until a later patch. * src/conf/object_event_private.h (virObjectEventStateCallbackID): Add parameter. * src/conf/object_event.c (virObjectEventCallbackListAddID) (virObjectEventStateRegisterID): Separate legacy from callbackID. (virObjectEventStateCallbackID): Pass through parameter. (virObjectEventCallbackLookup): Let legacy and global domain lifecycle events share a common remoteID. * src/conf/network_event.c (virNetworkEventStateRegisterID): Update caller. * src/conf/domain_event.c (virDomainEventStateRegister) (virDomainEventStateRegisterID, virDomainEventStateDeregister): Likewise. (virDomainEventStateRegisterClient) (virDomainEventStateCallbackID): Implement new functions. * src/conf/domain_event.h (virDomainEventStateRegisterClient) (virDomainEventStateCallbackID): New prototypes. * src/remote/remote_driver.c (private_data): Add field. (doRemoteOpen): Probe server feature. (remoteConnectDomainEventRegister) (remoteConnectDomainEventRegisterAny): Use new function. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-08 04:00:54 +00:00
virConnectDomainEventCallback callback,
int *remoteID)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
ATTRIBUTE_NONNULL(4);
int
virDomainEventStateDeregister(virConnectPtr conn,
virObjectEventState *state,
virConnectDomainEventCallback callback)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
int
virDomainQemuMonitorEventStateRegisterID(virConnectPtr conn,
virObjectEventState *state,
virDomainPtr dom,
const char *event,
virConnectDomainQemuMonitorEventCallback cb,
void *opaque,
virFreeCallback freecb,
unsigned int flags,
int *callbackID)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(5)
ATTRIBUTE_NONNULL(9);
virObjectEvent *
virDomainQemuMonitorEventNew(int id,
const char *name,
const unsigned char *uuid,
const char *event,
long long seconds,
unsigned int micros,
const char *details)
ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) ATTRIBUTE_NONNULL(4);