build: drop libvirt setuid library build

The virt-login-shell setuid program is now a tiny piece of code
that only uses standard libc functions, and santizes the execution
environment before invoking the real virt-login-shell-helper.
The latter is thus able to use the normal libvirt.so build,
allowing us to delete the special cut down setuid library build.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

config-post.h

@@ -17,39 +17,15 @@
  */
 
 /*
- * Since virt-login-shell will be setuid, we must do everything
- * we can to avoid linking to other libraries. Many of them do
- * unsafe things in functions marked __attribute__((constructor)).
+ * The NSS module can be loaded into any binary and thus we want
+ * to minimize what code is liable to be run. Especiall we need
+ * to minimize use of any 3rd party libraries which have
+ * __attribute__((constructor)) functions.
+ *
  * The only way to avoid such deps is to re-compile the
  * functions with the code in question disabled, and for that we
  * must override the main config.h rules. Hence this file :-(
  */
-
-#ifdef LIBVIRT_SETUID_RPC_CLIENT
-# undef HAVE_LIBNL
-# undef HAVE_LIBNL3
-# undef HAVE_LIBSASL2
-# undef HAVE_SYS_ACL_H
-# undef WITH_CAPNG
-# undef WITH_CURL
-# undef WITH_DBUS
-# undef WITH_DEVMAPPER
-# undef WITH_DTRACE_PROBES
-# undef WITH_GNUTLS
-# undef WITH_LIBSSH
-# undef WITH_MACVTAP
-# undef WITH_NUMACTL
-# undef WITH_SASL
-# undef WITH_SSH2
-# undef WITH_SYSTEMD_DAEMON
-# undef WITH_VIRTUALPORT
-# undef WITH_YAJL
-#endif
-
-/*
- * With the NSS module it's the same story as virt-login-shell. See the
- * explanation above.
- */
 #ifdef LIBVIRT_NSS
 # undef HAVE_LIBNL
 # undef HAVE_LIBNL3

configure.ac

@@ -512,9 +512,6 @@ dnl
 AC_CHECK_HEADERS([linux/kvm.h])
 
 
-AM_CONDITIONAL([WITH_SETUID_RPC_CLIENT], [test "$with_lxc$with_login_shell" != "nono"])
-
-
 dnl
 dnl check for kernel headers required by src/bridge.c
 dnl

src/Makefile.am

@@ -647,107 +647,6 @@ libvirt_lxc_la_LDFLAGS = \
 libvirt_lxc_la_CFLAGS = $(AM_CFLAGS)
 libvirt_lxc_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD)
 
-# Since virt-login-shell will be setuid, we must do everything
-# we can to avoid linking to other libraries. Many of them do
-# unsafe things in functions marked __attribute__((constructor)).
-# This library is built to include the bare minimum required to
-# have a RPC client for local UNIX socket access only. We use
-# the ../config-post.h header to disable all external deps that
-# we don't want
-if WITH_SETUID_RPC_CLIENT
-noinst_LTLIBRARIES += libvirt-setuid-rpc-client.la
-
-libvirt_setuid_rpc_client_la_SOURCES = \
-		util/viralloc.c \
-		util/virarch.c \
-		util/viratomic.c \
-		util/viratomic.h \
-		util/virautoclean.h \
-		util/virbitmap.c \
-		util/virbuffer.c \
-		util/vircgroup.c \
-		util/vircgroupbackend.c \
-		util/vircgroupv1.c \
-		util/vircgroupv2.c \
-		util/vircommand.c \
-		util/virconf.c \
-		util/virdbus.c \
-		util/virenum.c \
-		util/virerror.c \
-		util/virevent.c \
-		util/vireventpoll.c \
-		util/virfile.c \
-		util/virgettext.c \
-		util/virhash.c \
-		util/virhashcode.c \
-		util/virhostcpu.c \
-		util/virjson.c \
-		util/virlog.c \
-		util/virobject.c \
-		util/virpidfile.c \
-		util/virprocess.c \
-		util/virrandom.c \
-		util/virsocketaddr.c \
-		util/virstring.c \
-		util/virsystemd.c \
-		util/virtime.c \
-		util/virthread.c \
-		util/virthreadjob.c \
-		util/virtypedparam.c \
-		util/viruri.c \
-		util/virutil.c \
-		util/viruuid.c \
-		conf/domain_event.c \
-		conf/network_event.c \
-		conf/object_event.c \
-		conf/storage_event.c \
-		conf/node_device_event.c \
-		conf/secret_event.c \
-		rpc/virnetsocket.c \
-		rpc/virnetsocket.h \
-		rpc/virnetmessage.h \
-		rpc/virnetmessage.c \
-		rpc/virkeepalive.c \
-		rpc/virkeepalive.h \
-		rpc/virnetclient.c \
-		rpc/virnetclientprogram.c \
-		rpc/virnetclientstream.c \
-		rpc/virnetprotocol.c \
-		remote/remote_driver.c \
-		remote/remote_protocol.c \
-		remote/qemu_protocol.c \
-		remote/lxc_protocol.c \
-		datatypes.c \
-		libvirt.c \
-		libvirt-domain.c \
-		libvirt-domain-checkpoint.c \
-		libvirt-domain-snapshot.c \
-		libvirt-host.c \
-		libvirt-interface.c \
-		libvirt-network.c \
-		libvirt-nodedev.c \
-		libvirt-nwfilter.c \
-		libvirt-secret.c \
-		libvirt-storage.c \
-		libvirt-stream.c \
-		libvirt-lxc.c \
-		$(NULL)
-
-libvirt_setuid_rpc_client_la_LDFLAGS = \
-		$(AM_LDFLAGS) \
-		$(LIBXML_LIBS) \
-		$(SECDRIVER_LIBS) \
-		$(NULL)
-libvirt_setuid_rpc_client_la_CFLAGS = \
-		-DLIBVIRT_SETUID_RPC_CLIENT \
-		-I$(srcdir)/conf \
-		-I$(srcdir)/rpc \
-		$(AM_CFLAGS) \
-		$(SECDRIVER_CFLAGS) \
-		$(XDR_CFLAGS) \
-		$(NULL)
-endif WITH_SETUID_RPC_CLIENT
-
 EXTRA_DIST += $(SYSCONF_FILES)
 
 install-sysconfig:

src/libvirt.c

@@ -280,43 +280,37 @@ virGlobalInit(void)
         goto error;
 #endif /* HAVE_LIBINTL_H */
 
-    /*
-     * Note we must avoid everything except 'remote' driver
-     * for virt-login-shell usage
-     */
-#ifndef LIBVIRT_SETUID_RPC_CLIENT
     /*
      * Note that the order is important: the first ones have a higher
      * priority when calling virConnectOpen.
      */
-# ifdef WITH_TEST
+#ifdef WITH_TEST
     if (testRegister() == -1)
         goto error;
-# endif
-# ifdef WITH_OPENVZ
+#endif
+#ifdef WITH_OPENVZ
     if (openvzRegister() == -1)
         goto error;
-# endif
-# ifdef WITH_VMWARE
+#endif
+#ifdef WITH_VMWARE
     if (vmwareRegister() == -1)
         goto error;
-# endif
-# ifdef WITH_PHYP
+#endif
+#ifdef WITH_PHYP
     if (phypRegister() == -1)
         goto error;
-# endif
-# ifdef WITH_ESX
+#endif
+#ifdef WITH_ESX
     if (esxRegister() == -1)
         goto error;
-# endif
-# ifdef WITH_HYPERV
+#endif
+#ifdef WITH_HYPERV
     if (hypervRegister() == -1)
         goto error;
-# endif
-# ifdef WITH_XENAPI
+#endif
+#ifdef WITH_XENAPI
     if (xenapiRegister() == -1)
         goto error;
-# endif
 #endif
 #ifdef WITH_REMOTE
     if (remoteRegister() == -1)

src/util/virfile.c

@@ -632,7 +632,7 @@ int virFileUpdatePerm(const char *path,
 
 
 #if defined(__linux__) && HAVE_DECL_LO_FLAGS_AUTOCLEAR && \
-    !defined(LIBVIRT_SETUID_RPC_CLIENT) && !defined(LIBVIRT_NSS)
+    !defined(LIBVIRT_NSS)
 
 # if HAVE_DECL_LOOP_CTL_GET_FREE