Commit Graph

28868 Commits

Author SHA1 Message Date
Ján Tomko
4ce590b007 api: disallow virConnectGetDomainCapabilities on read-only connections
This API can be used to execute arbitrary emulators.
Forbid it on read-only connections.

Fixes: CVE-2019-10167
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 8afa68bac0)
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2019-06-24 09:59:40 +02:00
Ján Tomko
1813138f6b api: disallow virDomainManagedSaveDefineXML on read-only connections
The virDomainManagedSaveDefineXML can be used to alter the domain's
config used for managedsave or even execute arbitrary emulator binaries.
Forbid it on read-only connections.

Fixes: CVE-2019-10166
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit db0b78457f)
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2019-06-24 09:59:40 +02:00
Ján Tomko
7312304ec0 api: disallow virDomainSaveImageGetXMLDesc on read-only connections
The virDomainSaveImageGetXMLDesc API is taking a path parameter,
which can point to any path on the system. This file will then be
read and parsed by libvirtd running with root privileges.

Forbid it on read-only connections.

Fixes: CVE-2019-10161
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit aed6a032ce)
Signed-off-by: Ján Tomko <jtomko@redhat.com>

Conflicts:
  src/libvirt-domain.c
  src/remote/remote_protocol.x

Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
alias for VIR_DOMAIN_XML_SECURE is not backported.
Just skip the commit since we now disallow the whole API on read-only
connections, regardless of the flag.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
2019-06-24 09:59:40 +02:00
Daniel P. Berrangé
f845754de1 logging: restrict sockets to mode 0600
The virtlogd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600

Fixes CVE-2019-10132

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit e37bd65f99)
2019-05-21 13:30:30 +01:00
Daniel P. Berrangé
63095b01eb locking: restrict sockets to mode 0600
The virtlockd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600

Fixes CVE-2019-10132

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit f111e09468)
2019-05-21 13:30:30 +01:00
Daniel P. Berrangé
9bef445981 admin: reject clients unless their UID matches the current UID
The admin protocol RPC messages are only intended for use by the user
running the daemon. As such they should not be allowed for any client
UID that does not match the server UID.

Fixes CVE-2019-10132

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 96f41cd765)
2019-05-21 13:30:30 +01:00
Daniel Veillard
2b7bb7027d Release of libvirt-4.2.0
* docs/news.xml: updated
* po/*.po*: regenerated

Signed-off-by: Daniel Veillard <veillard@redhat.com>
2018-04-01 10:21:27 +02:00
Chen Hanxiao
c595fc788e virsh: add missing help info of --source to domifaddr
commit b4b5c82ce forgot to add this.

Signed-off-by: Chen Hanxiao <chenhanxiao@gmail.com>
2018-03-29 13:29:49 -04:00
Daniel P. Berrangé
17f223d1aa remote: remove outdated comment about Solaris
When removing a conditional in:

  commit da1ade7a52
  Author: Daniel P. Berrangé <berrange@redhat.com>
  Date:   Fri Mar 23 10:50:59 2018 +0000

    remote: remove some __sun conditionals

the corresponding comment was mistakenly left behind.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-03-28 16:12:59 +01:00
John Ferlan
5bb07527c1 openvz: Cleanup indention
Some of the indents were only 2 spaces, make consistent w/ 4 spaces.
Also some indents didn't align properly. Fix them all up.

Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Marc Hartmayer <mhartmay@linux.vnet.ibm.com>
2018-03-26 11:20:04 -04:00
Ján Tomko
a1745174e9 qemu: do not drop implicit controllers with non-implicit attributes
If someone set a user alias or pcihole64 on an implicit controller,
we need to format it to migrate the domain properly.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reported-by: Joseph Richard <Joseph.Richard@windriver.com>
2018-03-26 15:13:26 +02:00
Ján Tomko
186412fe76 virDomainDeviceAliasIsUserAlias: tolerate NULL
Do not crash in virDomainDeviceInfoParseXML if someone provides
an 'alias' element without a 'name' attribute.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-03-26 15:13:26 +02:00
Ján Tomko
5123e6ed1f polkit: reintroduce check for pkcheck
Commit 2499d1a0 was too eager and possibly enabled polkit
on all platforms with D-Bus, regardless of whether they use polkit.

Reintroduce the usage of pkcheck as a witness for --with-polkit=check,
but do not require it for --with-polkit=yes.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reported-by: Jiří Denemark <jdenemar@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2018-03-25 22:27:22 +02:00
Rainer Müller
c28d837c0f build: Remove --with-xml-catalog-file option
After validation against XHTML 1.0 was dropped in f802c9de0,
the XML_CATALOG_FILE is not in use anymore. Therefore the checks in
configure can be removed.

Signed-off-by: Rainer Müller <raimue@codingfarm.de>
2018-03-25 19:49:25 +02:00
Andrea Bolognani
7dd5b0c54b tests: qemucapabilities: Drop mostly duplicated data
When GIC support was introduced (QEMU 2.6 timeframe) we needed
to make sure both GICv2 hardware and GICv3 hardware were handled
correctly, and that was achieved by having separate capabilities
data for each.

Now that we have capabilities data for several QEMU versions we
can stop storing data for GICv2 and GICv3 hardware separately,
and instead have GICv2 data for QEMU <= 2.10 and GICv3 data for
QEMU >= 2.12, without losing any coverage.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2018-03-23 20:27:52 +01:00
Andrea Bolognani
9be6210f9e tests: domaincaps: Add QEMU 2.12
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2018-03-23 20:27:51 +01:00
Andrea Bolognani
edf2239bb5 tests: domaincaps: Order by architecture
Test cases in qemucapabilitiestest are ordered by architecture
first, then by QEMU version. Use the same order here.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2018-03-23 20:27:51 +01:00
Farhan Ali
4315c8b869 news: Update for virtio-gpu-ccw and virtio input ccw devices
Document support for the virtio-gpu-ccw and
virtio-{keyboard, mouse, tablet}-ccw devices.

Signed-off-by: Farhan Ali <alifm@linux.vnet.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy@linux.vnet.ibm.com>
2018-03-23 19:40:20 +01:00
Farhan Ali
24149bc060 qemu: Add support for virtio input ccw devices
QEMU on S390 (since v2.11) can support virtio input ccw devices.
So build the qemu command line for ccw devices.

Also add test cases for virtio-{keyboard, mouse, tablet}-ccw.

Signed-off-by: Farhan Ali <alifm@linux.vnet.ibm.com>
Signed-off-by: Boris Fiuczynski <fiuczy@linux.vnet.ibm.com>
2018-03-23 19:40:20 +01:00
Farhan Ali
f79e38795e qemu: Introduce capabilities for virtio input ccw devices
QEMU on S390 (since v2.11) can support virtio input ccw devices.
Introduce qemu capabilities for these devices.

Signed-off-by: Farhan Ali <alifm@linux.vnet.ibm.com>
Signed-off-by: Boris Fiuczynski <fiuczy@linux.vnet.ibm.com>
2018-03-23 19:40:20 +01:00
Farhan Ali
2a0c3490dd qemu: Change default video model type to virtio for S390
S390 guests can only support a virtio-gpu-ccw device as a video
device. So set default video model type to VIR_DOMAIN_VIDEO_TYPE_VIRTIO
for S390 guests.

Signed-off-by: Farhan Ali <alifm@linux.vnet.ibm.com>
2018-03-23 19:40:20 +01:00
Farhan Ali
4bbf7f8cb5 qemu: Add support for virtio-gpu-ccw video device on S390
QEMU on S390 (since v2.11) can support the virtio-gpu-ccw device,
which can be used as a video device.

Signed-off-by: Farhan Ali <alifm@linux.vnet.ibm.com>
2018-03-23 19:40:20 +01:00
Farhan Ali
a6441402a5 qemu: Introduce a new capability for virtio-gpu-ccw
QEMU on S390 (since v2.11) can support virtio-gpu-ccw device.
Let's introduce a new qemu capability for the device.

Signed-off-by: Farhan Ali <alifm@linux.vnet.ibm.com>
Signed-off-by: Boris Fiuczynski <fiuczy@linux.vnet.ibm.com>
2018-03-23 19:40:20 +01:00
Daniel P. Berrangé
f0fd90d722 conf: avoid reporting errors when network driver is disabled
In previous releases all these methods were a no-op if the network
driver is disabled. These helper methods are called unconditionally for
all types of network interface, so must be no-ops if missing. Other code
will already generate an error if the network driver is disabled and a
NIC with type=network is used.

Reviewed-by: Laine Stump <laine@laine.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-03-23 15:32:50 +00:00
Daniel P. Berrangé
da1ade7a52 remote: remove some __sun conditionals
The libvirtd daemon has some arbitrary logic to drop privileges, but
only on Solaris platforms. This was added during Xen days, when Xen was
the only driver running in libvirtd. There's no expectation or testing
that this works with the new libxl stack, nor whether dropping
privileges breaks any of the secondary drivers. Finally, we'll be
splitting drivers out into their own independant daemons, so this won't
be applicable to libvirtd in future anyway.

The remote driver client meanwhile arbitrarily disables daemon
auto-spawn when connecting as non-root, breaking a key feature of
libvirt unprivileged connections.

Since we've not had any contributions for Solaris since circa 2012
and we don't do any CI testing we should consider this platform
unmaintained and thus reasonable to remove this cruft. If someone steps
forward to maintain Solaris again, this code would need re-evaluating to
come up with something more targetted.

There's various __sun conditionals in the Xen driver code, but those are
not touched. This is all for the legacy Xen driver, which will be
entirely removed at some point in future, so not benefit to hacking out
just the Solaris parts.

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-03-23 15:10:25 +00:00
Michal Privoznik
42900ec622 qemu: Build smartcard command line more wisely
https://bugzilla.redhat.com/show_bug.cgi?id=1558317

Similarly to b133fac356 we need to look up alias of CCID
controller when constructing smartcard command line instead of
relying on broken assumption it will always be 'ccid0'. After
user aliases it can be anything.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2018-03-23 15:57:06 +01:00
John Ferlan
1706bef617 qemu: Fix virQEMUCapsCommands formatting
Starting with commit id 'fab9d6e1' the formatting of:

{ "command-name", QEMU_CAPS_NAME },

was altered to:

{ "command-name", QEMU_CAPS_NAME},

and then commit id 'e2b05c9a' altered that to:

{ "command-name", QEMU_CAPS_NAME}

So, let's just fix that up to make things consistent with the
rest of the structures.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2018-03-23 10:11:17 -04:00
Peter Krempa
9f7373e8c1 qemu: domain: Drop declaration of qemuDomainDefValidateDisk
There is no such function in our code. Commit abca72faa4 added it
spuriously.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2018-03-23 15:02:07 +01:00
Peter Krempa
b949b39476 tests: qemumonitorjson: Do some useful testing in the 'simple' tests
The 'simple' monitor tests were quite useless, since the code did not
even check whether the correct command was called.

This patch uses the QAPI schema validator to validate that the arguments
are in format according to the schema.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2018-03-23 14:52:07 +01:00
Peter Krempa
5a96b8d775 tests: qemumonitor: Allow testing schema for fake monitor interactions
Add infrastructure that will allow testing schema of the commands we
pass to the fake monitor object, so that we can make sure that it
actually does something.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2018-03-23 14:52:07 +01:00
Peter Krempa
a54c82e463 tests: qemumonitorjson: Fix few arguments of test cases
Prepare for testing of the schema of used commands by changing few
arguments to values which will not be rejected.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2018-03-23 14:52:07 +01:00
Peter Krempa
98b6087e83 tests: qemu: Add infrastructure for QAPI schema testing
Add a function which will allow to test whether a JSON object conforms
to the QAPI schema. This greatly helps when developing formatters for
new JSON objects and will help make sure that the code will not break in
cases which have unit tests but were actually not function-tested
(mostly various disk access protocols).

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2018-03-23 14:52:07 +01:00
Peter Krempa
5b57f57e24 tests: Add data file with QEMU QAPI schema
Add the QAPI schema (returned by 'query-qmp-schema' command) which will
be used for QAPI schema testing in upcoming patches.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2018-03-23 14:52:07 +01:00
Peter Krempa
3283950057 qemu: qapi: Return correct entry in virQEMUQAPISchemaTraverse
virQEMUQAPISchemaTraverse would return previous-to-last queried item on
a query. It would not be a problem if checking if the given path exists
since error reporting works properly but if the caller is interested in
the result, it would be wrong.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2018-03-23 14:52:07 +01:00
Peter Krempa
57cd22bc54 util: json: Add accessor for looking up JSON value type
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2018-03-23 14:52:07 +01:00
Peter Krempa
38b3b20c66 qemu: monitor: Move processing of QMP schema to the new file
The JSON array was processed to the hash table used by the query apis in
the monitor code. Move it to a new helper in qemu_qapi.c.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2018-03-23 14:52:07 +01:00
Peter Krempa
ab8c5fe63f qemu: qapi: Fix naming of moved functions
Change the prefix of the functions to 'virQEMUQapi' and rename the two
public APIs so that the verb is put last.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2018-03-23 14:52:07 +01:00
Peter Krempa
367697c54c qemu: caps: Move QAPI schema related code into separate file
Extract the code into qemu_qapi.c/h so that we separate it from various
parts of the code.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2018-03-23 14:52:07 +01:00
Peter Krempa
9be9e26b74 util: buffer: Tolerate NULL 'buf' in virBufferStrcat
Most other buffer APIs tolerate the buffer being NULL.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2018-03-23 14:52:07 +01:00
Prafull
3f9e02b40a lxc: report error message raised by the failing function
The code that calls VIR_WARN after a function fails, doesn't
report the error message raised by the failing function.
Such error messages are now reported in lxc/lxc_driver.c

Signed-off-by: Prafullkumar Tale <talep158@gmail.com>
2018-03-23 13:13:38 +00:00
Pavel Hrdina
247e3a7275 docs: introduce libvirt-dbus binding
libvirt-dbus is a new binding that wraps libvirt API into D-Bus calls.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2018-03-23 12:59:56 +01:00
Pavel Hrdina
0641b5fe06 docs: fix a typo in docs.html page
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2018-03-23 12:59:47 +01:00
Daniel P. Berrangé
76e1720c4f rpc: avoid duplicating config in virtlockd/virtlogd augeas tests
Most of the augeas test files use ::CONFIG:: to pull in the master
config file for testing. This ensures that entries added to the config
file are actually tested by augeas.

This identified the missing admin_max_clients example in the virtlogd
config file, which in turn prompted a change in description of the
max_clients parameter, since these daemons don't have separate
readonly & readwrite sockets.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-03-23 10:44:48 +00:00
Daniel P. Berrangé
65824a7e45 rpc: remove remains of obsolete log_buffer_size config parameter
The global log buffer feature was deleted in:

  commit c0c8c1d7bb
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Mon Mar 3 14:54:33 2014 +0000

    Remove global log buffer feature entirely

    A earlier commit changed the global log buffer so that it only
    records messages that are explicitly requested via the log
    filters setting. This removes the performance burden, and
    improves the signal/noise ratio for messages in the global
    buffer. At the same time though, it is somewhat pointless, since
    all the recorded log messages are already going to be sent to an
    explicit log output like syslog, stderr or the journal. The
    global log buffer is thus just duplicating this data on stderr
    upon crash.

    The log_buffer_size config parameter is left in the augeas
    lens to prevent breakage for users on upgrade. It is however
    completely ignored hereafter.

    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

This was in the 1.2.3 release, and 4 years is sufficient time for a
graceful upgrade path for augeas, so all remaining traces are now
removed.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-03-23 10:44:35 +00:00
Christian Ehrhardt
2b717929a8
virt-aa-helper: test: check for expected profile content
So far the virt-aa-helper tests only checked the return code and thereby
catched aborts like issues failing to parse the XML. But there is one
category of virt-aa-helper issues so far untested - not generating the
expected rule.

This adds a basic grep based checks after each test to match against the
rule that is expected to be added by the test.

Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2018-03-23 07:14:58 +01:00
Katerina Koukiou
094af02b82 test_driver: Add testDomainDestroyFlags
Adding this for completeness

Signed-off-by: Katerina Koukiou <kkoukiou@redhat.com>
2018-03-22 21:48:13 +01:00
Christian Ehrhardt
ac254f342f
virt-aa-helper: generate rules for nvdimm memory
nvdimm memory is backed by a path on the host. This currently works only via
hotplug where the AppArmor label is created via the domain label callbacks.

This adds the virt-aa-helper support for nvdimm memory devices to generate
rules for the needed paths from the initial guest definition as well.

Example in domain xml:
  <memory model='nvdimm'>
    <source>
      <path>/tmp/nvdimm-base</path>
    </source>
    <target>
     <size unit='KiB'>524288</size>
     <node>0</node>
    </target>
  </memory>
Works to start now and creates:
  "/tmp/nvdimm-base" rw,

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1757085

Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2018-03-22 09:42:01 +01:00
Christian Ehrhardt
26bb6d76ec
virt-aa-helper: generate rules for passthrough input devices
Input devices can passthrough an event device. This currently works only via
hotplug where the AppArmor label is created via the domain label callbacks.

This adds the virt-aa-helper support for passthrough input devices to generate
rules for the needed paths from the initial guest definition as well.

Example in domain xml:
  <input type='passthrough' bus='virtio'>
          <source evdev='/dev/input/event0' />
  </input>
Works to start now and creates:
  "/dev/input/event0" rw,

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1757085

Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2018-03-22 09:42:01 +01:00
Christian Ehrhardt
943c1fd9b6
security, apparmor: add (Set|Restore)InputLabel
d8116b5a "security: Introduce functions for input device hot(un)plug"
implemented the code (Set|Restore)InputLabel for several security modules,
this patch adds an AppArmor implementation for it as well.

That fixes hot-plugging event input devices by generating a rule for the
path that needs to be accessed.

Example hot adding:
  <input type='passthrough' bus='virtio'>
     <source evdev='/dev/input/event0' />
  </input>
Creates now:
  "/dev/input/event0" rwk,

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1755153

Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2018-03-22 09:42:01 +01:00
Christian Ehrhardt
999998a792
security, apparmor: add (Set|Restore)MemoryLabel
Recent changes have made implementing this mandatory to hot add any
memory.
Implementing this in apparmor fixes this as well as allows hot-add of nvdimm
tpye memory with an nvdimmPath set generating a AppArmor rule for that
path.

Example hot adding:
  <memory model='nvdimm'>
    <source>
      <path>/tmp/nvdimm-test</path>
    </source>
    <target>
      <size unit='KiB'>524288</size>
      <node>0</node>
    </target>
  </memory>
Creates now:
  "/tmp/nvdimm-test" rwk,

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1755153

Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2018-03-22 09:41:57 +01:00