Commit Graph

20265 Commits

Author SHA1 Message Date
Stefan Berger
06f7fec561 tpm: adapt sysfs cancel path for new TPM driver
This patch addresses BZ 1244895.

Adapt the sysfs TPM command cancel path for the TPM driver that
does not use a miscdevice anymore since Linux 4.0. Support old
and new paths and check their availability.

Add a mockup for the test cases to avoid the testing for
availability of the cancel path.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
(cherry picked from commit 5ed7afa9de)
2015-12-23 18:00:07 -05:00
Guido Günther
c46e1a92ce libvirt-guests: Disable shutdown timeout
Since we can't know at service start how many VMs will be running we
can't calculate an apropriate shutdown timeout. So instead of killing
off the service just let it use it's own internal timeout mechanism.

References:
    http://bugs.debian.org/803714
    https://bugzilla.redhat.com/show_bug.cgi?id=1195544

(cherry picked from commit ba08d16d6c)
2015-12-23 17:59:49 -05:00
Martin Kletzander
ac3dbf5a68 systemd: Escape only needed characters for machined
Machine name escaping follows the same rules as serice name escape,
except that '.' and '-' must not be escaped in machine names, due
to a bug in systemd-machined.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1282846

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 0e0149ce91)
2015-12-23 17:54:51 -05:00
Martin Kletzander
c0fa258b3d systemd: Escape machine name for machined
According to the documentation, CreateMachine accepts only 7bit ASCII
characters in the machinename parameter, so let's make sure we can start
machines with unicode names with systemd.  We already have a function
for that, we just forgot to use it.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1062943
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1282846

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit e24eda48cf)
2015-12-23 17:54:46 -05:00
Eric Blake
d035796675 CVE-2015-5313: storage: don't allow '/' in filesystem volume names
The libvirt file system storage driver determines what file to
act on by concatenating the pool location with the volume name.
If a user is able to pick names like "../../../etc/passwd", then
they can escape the bounds of the pool.  For that matter,
virStoragePoolListVolumes() doesn't descend into subdirectories,
so a user really shouldn't use a name with a slash.

Normally, only privileged users can coerce libvirt into creating
or opening existing files using the virStorageVol APIs; and such
users already have full privilege to create any domain XML (so it
is not an escalation of privilege).  But in the case of
fine-grained ACLs, it is feasible that a user can be granted
storage_vol:create but not domain:write, and it violates
assumptions if such a user can abuse libvirt to access files
outside of the storage pool.

Therefore, prevent all use of volume names that contain "/",
whether or not such a name is actually attempting to escape the
pool.

This changes things from:

$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
Vol ../../../../../../etc/haha created
$ rm /etc/haha

to:

$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
error: Failed to create vol ../../../../../../etc/haha
error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/'

Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 034e47c338)
2015-12-12 20:18:04 -07:00
Dominik Perpeet
4ee196bf30 docs: event impl. registration before hypervisor connection
Event implementations need to be registered before a connection to the
Hypervisor is opened, otherwise event handling can be impaired (e.g.
delayed messages). This fact is referenced in an e-mail [1], but should
also be noted in the documentation of the registration functions.

[1] https://www.redhat.com/archives/libvirt-users/2014-April/msg00011.html

(cherry picked from commit 9bf1cef737)
2015-10-15 19:53:49 -04:00
Cole Robinson
404e42d3c6 spec: Fix some warnings with latest rpmbuild
$ rpmbuild -ba libvirt.spec
warning: Macro expanded in comment on line 5: # If neither fedora nor rhel was defined, try to guess them from %{dist}

warning: Macro %enable_autotools defined but not used within scope
warning: Macro %client_only defined but not used within scope
...

(cherry picked from commit dae1250b24)
2015-10-06 16:01:15 -04:00
Cole Robinson
ee7a60854b qemu: Fix dynamic_ownership qemu.conf setting
Commit 307fb904 (Sep 10) added a 'privileged' variable when creating
the DAC driver:

@@ -153,6 +157,7 @@ virSecurityManagerNewDAC(const char *virtDriver,
                          bool defaultConfined,
                          bool requireConfined,
                          bool dynamicOwnership,
+                         bool privileged,
                          virSecurityManagerDACChownCallback chownCallback)

But argument order is mixed up at the caller, swapping dynamicOwnership
and privileged values. This corrects the argument order

https://bugzilla.redhat.com/show_bug.cgi?id=1266628
(cherry picked from commit 68572de822)
2015-10-06 15:17:00 -04:00
Cole Robinson
a267bb501b Prep for release 1.2.18.1 2015-09-21 20:54:37 -04:00
David Mansfield
7d2cf48532 test driver: don't unlock pool after freeing it
Invalid read of size 4
    at 0x945CA30: __pthread_mutex_unlock_full (in /lib64/libpthread-2.20.so)
    by 0x4F0404B: virMutexUnlock (virthread.c:94)
    by 0x4F7161B: virStoragePoolObjUnlock (storage_conf.c:2603)
    by 0x4FE0476: testStoragePoolUndefine (test_driver.c:4328)
    by 0x4FCF086: virStoragePoolUndefine (libvirt-storage.c:656)
    by 0x15A7F5: cmdPoolUndefine (virsh-pool.c:1721)
    by 0x12F48D: vshCommandRun (vsh.c:1212)
    by 0x132AA7: main (virsh.c:943)
  Address 0xfda56a0 is 16 bytes inside a block of size 104 free'd
    at 0x4C2BA6C: free (vg_replace_malloc.c:473)
    by 0x4EA5C96: virFree (viralloc.c:582)
    by 0x4F70B69: virStoragePoolObjFree (storage_conf.c:412)
    by 0x4F7167B: virStoragePoolObjRemove (storage_conf.c:437)
    by 0x4FE0468: testStoragePoolUndefine (test_driver.c:4323)
    by 0x4FCF086: virStoragePoolUndefine (libvirt-storage.c:656)
    by 0x15A7F5: cmdPoolUndefine (virsh-pool.c:1721)
    by 0x12F48D: vshCommandRun (vsh.c:1212)
    by 0x132AA7: main (virsh.c:943)

(cherry picked from commit 03cf57a37d)
2015-09-21 20:18:06 -04:00
Chunyan Liu
e60d286b8e libxl: fix AttachDeviceConfig on hostdev type
After attach-device a <hostdev> with --config, new device doesn't
show up in dumpxml and in guest.

To fix that, set dev->data.hostdev = NULL after work so that the
pointer is not freed, since vmdef has the pointer and still need it.

Signed-off-by: Chunyan Liu <cyliu@suse.com>
(cherry picked from commit 56945e1374)
2015-09-21 20:18:06 -04:00
Michal Privoznik
a45823210d security_selinux: Take @privileged into account
https://bugzilla.redhat.com/show_bug.cgi?id=1124841

If running in session mode it may happen that we fail to set
correct SELinux label, but the image may still be readable to
the qemu process. Take this into account.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 00e5b96716)
2015-09-21 20:18:06 -04:00
Guido Günther
eb8382fa5f selinux: fix compile errors
Remove unused variable, tag unused parameter and adjust return type.

introduced by 3f48345f7e

CC     security/libvirt_security_manager_la-security_selinux.lo
security/security_selinux.c: In function 'virSecuritySELinuxDomainSetDirLabel':
security/security_selinux.c:2520:5: error: return makes pointer from integer without a cast [-Werror]
security/security_selinux.c:2514:9: error: unused variable 'ret' [-Werror=unused-variable]
security/security_selinux.c:2509:59: error: unused parameter 'mgr' [-Werror=unused-parameter]

(cherry picked from commit 4d4c90dfd5)
2015-09-21 20:18:06 -04:00
Martin Kletzander
82dce08750 security_selinux: Add SetDirLabel support
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 3f48345f7e)
2015-09-21 20:18:06 -04:00
Martin Kletzander
5290876dbc security: Add virSecurityDomainSetDirLabel
That function can be used for setting security labels on arbitrary
directories.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit f65a2a12f4)
2015-09-21 20:18:05 -04:00
Martin Kletzander
6fb8fbad9f security_selinux: Use proper structure to access socket data
In virSecuritySELinuxSetSecurityChardevLabel() we are labelling unix
socket path, but accessing another structure of the union.  This does
not pose a problem currently as both paths are at the same offset, but
this should be fixed for the future.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 4ac6ce38d3)
2015-09-21 20:18:05 -04:00
Michal Privoznik
9a7a699896 security_selinux: Replace SELinuxSCSICallbackData with proper struct
We have plenty of callbacks in the driver. Some of these
callbacks require more than one argument to be passed. For that
we currently have a data type (struct) per each callback. Well,
so far for only one - SELinuxSCSICallbackData. But lets turn it
into more general name so it can be reused in other callbacks too
instead of each one introducing a new, duplicate data type.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 276c409163)
2015-09-21 20:18:05 -04:00
Michal Privoznik
ee89fc6e7a virSecuritySELinuxSetSecurityAllLabel: drop useless virFileIsSharedFSType
The check is done in virSecuritySELinuxSetFilecon itself. There's
no need to check it again.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 370461d1db)
2015-09-21 20:18:05 -04:00
Michal Privoznik
bb8ebbbc08 virSecurityManager: Track if running as privileged
We may want to do some decisions in drivers based on fact if we
are running as privileged user or not. Propagate this info there.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 307fb9044c)
2015-09-21 20:18:05 -04:00
Peter Krempa
66899258e1 qemu: hotplug: Properly clean up drive backend if frontend hotplug fails
Commit 8125113c added code that should remove the disk backend if the
fronted hotplug failed for any reason. The code had a bug though as it
used the disk string for unplug rather than the backend alias. Fix the
code by pre-creating an alias string and using it instead of the disk
string. In cases where qemu does not support QEMU_CAPS_DEVICE, we ignore
the unplug of the backend since we can't really create an alias in that
case.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1262399
(cherry picked from commit 64c6695f1a)
2015-09-21 20:18:05 -04:00
Daniel P. Berrange
9372343f7c xen: fix race in refresh of config cache
The xenXMConfigCacheRefresh method scans /etc/xen and loads
all config files it finds. It then scans its internal hash
table and purges any (previously) loaded config files whose
refresh timestamp does not match the timestamp recorded at
the start of xenXMConfigCacheRefresh(). There is unfortunately
a subtle flaw in this, because if loading the config files
takes longer than 1 second, some of the config files will
have a refresh timestamp that is 1 or more seconds different
(newer) than is checked for. So we immediately purge a bunch
of valid config files we just loaded.

To avoid this flaw, we must pass the timestamp we record at
the start of xenXMConfigCacheRefresh() into the
xenXMConfigCacheAddFile() method, instead of letting the
latter call time(NULL) again.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 427067f7ed)
2015-09-21 20:18:05 -04:00
Ian Campbell
b84e9ef24b libxl: don't end job for ephemeal domain on start failure
commit 4b53d0d4ac "libxl: don't remove persistent domain on start
failure" cleans up the vm object and sets it to NULL if the vm is not
persistent, however at end job vm (now NULL) is dereferenced via the call to
libxlDomainObjEndJob. Avoid this by skipping "endjob" and going
straight to "cleanup" in this case.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
(cherry picked from commit ee7758f09b)
2015-09-21 20:18:04 -04:00
Luyao Huang
328ad9e678 conf: fix crash when parsing a unordered NUMA <cell/>
https://bugzilla.redhat.com/show_bug.cgi?id=1260846

Introduced by 8fedbbdb, if we parse an unordered NUMA cell, will
get a segfault. This is because of a check for overlapping @cpus
sets we have there. However, since the array to hold guest NUMA
cells is allocated upfront and therefore it contains all zeros,
an out of order cell will break our assumption that cell IDs have
increasing character. At this point we try to access yet NULL
bitmap and therefore segfault.

Signed-off-by: Luyao Huang <lhuang@redhat.com>
(cherry picked from commit 83ae3ee39b)
2015-09-21 20:18:04 -04:00
John Ferlan
e5db3c4df2 qemu: Check virGetLastError return value for migration finish failure
Commit id '2e7cea243' added a check for an error from Finish instead
of 'unexpected error'; however, if for some reason there wasn't an
error, then virGetLastError could return NULL resulting in the
NULL pointer deref to err->domain.

(cherry picked from commit ea3c5f25eb)
2015-09-21 20:18:04 -04:00
Jim Fehlig
0206984abb libxl: don't overwrite error from virNetSocketNewConnectTCP()
Remove redundant error reporting in libxlDomainMigrationPerform().
virNetSocketNewConnectTCP() is perfectly capable of reporting
sensible errors.

(cherry picked from commit 6ce939c247)
2015-09-21 20:18:04 -04:00
Pavel Hrdina
999a873db0 domain-conf: escape string for socket attribute
Commit d091518b tried to escape all strings in produced XML, but missed
this one.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit e92e5ba128)
2015-09-21 20:18:04 -04:00
Michal Privoznik
d7eb40d779 src: Check for symbols ordering in ADMIN_SYM_FILES
Like we are checking for the correct order in SYM_FILES, we
should do the same for ADMIN_SYM_FILES.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit a0d2ceb32f)
2015-09-21 20:18:04 -04:00
Michal Privoznik
e2b6bd5032 src: Cleanup libvirt_admin.syms
It's a generated file, so after 'distclean' it should be gone.
But it isn't yet.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 28fa50d226)
2015-09-21 20:18:04 -04:00
Michal Privoznik
00cf7e08e7 src: Check libvirt_admin.syms for exported symbols
We have this check rule in src/Makefile: check-symfile that
should check if all symbols we wanted to export are exported.
Moreover, if we are not exporting something more. Do the same
with libvirt_admin.syms.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 74f11dd25b)
2015-09-21 20:18:03 -04:00
Laine Stump
b64d62c6b8 util: fallback to ioctl(SIOCBRDELBR) if netlink RTM_DELLINK fails
commit 09778e09 switched from using ioctl(SIOCBRDELBR) for bridge
device deletion to using a netlink RTM_DELLINK message, which is the
more modern way to delete a bridge (and also doesn't require the
bridge to be ~IFF_UP to succeed). However, although older kernels
(e.g. 2.6.32, in RHEL6/CentOS6) support deleting *some* link types
with RTM_NEWLINK, they don't support deleting bridges, and there is no
compile-time way to figure this out.

This patch moves the body of the SIOCBRDELBR version of
virNetDevBridgeDelete() into a static function, calls the new function
from the original, and also calls the new function from the
RTM_DELLINK version if the RTM_DELLINK message generates an EOPNOTSUPP
error. Since RTM_DELLINK is done from the subordinate function
virNetlinkDelLink, which is also called for other purposes (deleting a
macvtap interface), a function pointer called "fallback" has been
added to the arglist of virNetlinkDelLink() - if that arg != NULL, the
provided function will be called when (and only when) RTM_DELLINK
fails with EOPNOTSUPP.

Resolves:  https://bugzilla.redhat.com/show_bug.cgi?id=1252780 (part 2)
(cherry picked from commit 97d26e470d)
2015-09-21 20:18:03 -04:00
Laine Stump
e6c69718e2 util: fallback to ioctl(SIOCBRADDBR) if netlink RTM_NEWLINK fails
commit fc7b23db switched from using ioctl(SIOCBRADDBR) for bridge
creation to using a netlink RTM_NEWLINK message with IFLA_INFO_KIND =
"bridge", which is the more modern way to create a bridge. However,
although older kernels (e.g. 2.6.32, in RHEL6/CentOS6) support
creating *some* link types with RTM_NEWLINK, they don't support
creating bridges, and there is no compile-time way to figure this out
(since the "type" isn't an enum, but rather a character string).

This patch moves the body of the SIOCBRADDBR version of
virNetDevBridgeCreate() into a static function, calls the new function
from the original, and also calls the new function from the
RTM_NEWLINK version if the RTM_NEWLINK message generates an EOPNOTSUPP
error.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1252780
(cherry picked from commit 66dcb40937)
2015-09-21 20:18:03 -04:00
Jim Fehlig
14aa9d65c1 libxl: acquire a job when receiving a migrating domain
Commit f86ae403 moved acquiring a job from libxlDomainStart()
to its callers. One spot missed was in libxlDoMigrateReceive().
Acquire a job in libxlDoMigrateReceive() before calling
libxlDomainStart().

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
(cherry picked from commit e80b84a743)
2015-09-21 20:18:03 -04:00
Jim Fehlig
b4fefefc1b libxl: don't attempt to resume domain when suspend fails
Failure of libxl_domain_suspend() does not leave the domain in
a suspended state, so no need to call libxl_domain_resume(),
which btw will fail with "domain not suspended".

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
(cherry picked from commit 15120b8c61)
2015-09-21 20:18:03 -04:00
Jim Fehlig
24d194ad59 libxl: fix ref counting of libxlMigrationDstArgs
This patch fixes some flawed logic around ref counting the
libxlMigrationDstArgs object.

First, when adding sockets to the event loop with
virNetSocketAddIOCallback(), the generic virObjectFreeCallback()
was registered as a free function, with libxlMigrationDstArgs as
its parameter. A reference was also taken on
libxlMigrationDstArgs for each successful call to
virNetSocketAddIOCallback(). The rational behind this logic was
that the libxlMigrationDstArgs object had to out-live the socket
objects. But virNetSocketAddIOCallback() already takes a
reference on socket objects, ensuring their life until removed
from the event loop and unref'ed in virNetSocketEventFree(). We
only need to ensure libxlMigrationDstArgs lives until
libxlDoMigrateReceive() finishes, which can be done by simply
unref'ing libxlMigrationDstArgs at the end of
libxlDoMigrateReceive().

The second flaw was unref'ing the sockets in the failure path of
libxlMigrateReceive() and at the end of libxlDoMigrateReceive().
As mentioned above, the sockets are already unref'ed by
virNetSocketEventFree() when removed from the event loop.
Attempting to unref the socket a second time resulted in a
libvirtd crash since the socket was previously unref'ed and
disposed.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
(cherry picked from commit 44a54eb073)
2015-09-21 20:18:03 -04:00
Michal Privoznik
54032910dc libvirt_lxc: Claim success for --help
So far, if libvirt_lxc binary (usually to be found under
/usr/libexec/) is run with --help, due to a missing line
and our usual functions pattern, an 'uknown' error is returned.
Yeah, the help is printed out, but we should not claim error.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit fb0ef0d511)
2015-09-21 20:18:03 -04:00
Michal Privoznik
acf257deb5 virt-aa-helper: Improve valid_path
So, after some movement in virt-aa-helper, I've noticed the
virt-aa-helper-test failing. I've ran gdb (it took me a while to
realize how to do that) and this showed up immediately:

  Program received signal SIGSEGV, Segmentation fault.
  strlen () at ../sysdeps/x86_64/strlen.S:106
  106     ../sysdeps/x86_64/strlen.S: No such file or directory.
  (gdb) bt
  #0  strlen () at ../sysdeps/x86_64/strlen.S:106
  #1  0x0000555555561a13 in array_starts_with (str=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", arr=0x7fffffffd160, size=-1540438016) at security/virt-aa-helper.c:525
  #2  0x0000555555561d49 in valid_path (path=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", readonly=false) at security/virt-aa-helper.c:617
  #3  0x0000555555562506 in vah_add_path (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw", recursive=false) at security/virt-aa-helper.c:823
  #4  0x0000555555562693 in vah_add_file (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw") at security/virt-aa-helper.c:854
  #5  0x0000555555562918 in add_file_path (disk=0x5555557d4440, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", depth=0, opaque=0x7fffffffd3e0) at security/virt-aa-helper.c:931
  #6  0x00007ffff78f18b1 in virDomainDiskDefForeachPath (disk=0x5555557d4440, ignoreOpenFailure=true, iter=0x5555555628a6 <add_file_path>, opaque=0x7fffffffd3e0) at conf/domain_conf.c:23286
  #7  0x0000555555562b5f in get_files (ctl=0x7fffffffd670) at security/virt-aa-helper.c:982
  #8  0x0000555555564100 in vahParseArgv (ctl=0x7fffffffd670, argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1277
  #9  0x00005555555643d6 in main (argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1332

So I've taken look at valid_path() because it is obviously
calling array_starts_with() with malformed @size. And here's the
result: there are two variables to hold the size of three arrays
and their value is recalculated before each call of
array_starts_with(). What if we just use three variables,
initialize them and do not touch them afterwards?

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 52970dec5b)
2015-09-21 20:18:03 -04:00
Luyao Huang
affa75e640 qemu: Emit correct audit message for memory hot unplug
https://bugzilla.redhat.com/show_bug.cgi?id=1226234#c3

If the qemu monitor fails to remove the memory from the guest for
any reason, the auditlog message will incorrectly use the current
actual memory (via virDomainDefGetMemoryActual) instead of the
value we were attempting to reduce to. The result is the 'new-mem'
and 'old-mem' values for the auditlog message would be identical.

This patch creates a local 'newmem' which accounts for the current
memory size minus the memory which is being removed. NB, for the
success case this results in the same value that would be returned
by virDomainDefGetMemoryActual without the need to do the math. This
follows the existing code which would subtract the size for cur_balloon.

Signed-off-by: Luyao Huang <lhuang@redhat.com>
(cherry picked from commit 8f8031df19)
2015-09-21 20:18:02 -04:00
Luyao Huang
fec2c786e7 qemu: Emit correct audit message for memory hot plug
https://bugzilla.redhat.com/show_bug.cgi?id=1226234#c3

Prior to this patch, after successfully hot plugging memory
the audit log indicated that the update failed, e.g.:

type=VIRT_RESOURCE ... old-mem=1024000 new-mem=1548288 \
exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=pts/2 res=failed

This patch will adjust where virDomainAuditMemory is called to
ensure the proper 'ret' value is used based on success or failure.

Additionally, the audit message should include the size of the
memory we were attempting to change to rather than the current
actual size. On failure to add, the message showed the same value
for old-mem and new-mem.

In order to do this, introduce a 'newmem' local which will compute
the new size based on the oldmem size plus the size of memory we
are about to add. NB: This would be the same as calling the
virDomainDefGetMemoryActual again on success, but avoids the
overhead of recalculating. Plus cur_balloon is already adjusted
by the same value, so this follows that.

Signed-off-by: Luyao Huang <lhuang@redhat.com>
(cherry picked from commit cb1fbda4a1)
2015-09-21 20:18:02 -04:00
Laine Stump
4a03dc50a3 hostdev: skip ACS check when using VFIO for device assignment
The ACS checks are meaningless when using the more modern VFIO driver
for device assignment since VFIO has its own more complete and exact
checks, but I didn't realize that when I added support for VFIO. This
patch eliminates the ACS check when preparing PCI devices for
assignment if VFIO is being used.

This resolves:

  https://bugzilla.redhat.com/show_bug.cgi?id=1256486

(cherry picked from commit 108d591b11)
2015-09-21 20:18:02 -04:00
Martin Kletzander
2c1a8f02bf Start daemon only after filesystems are mounted
When images are on mounted filesystems, there is no guarantee libvirtd
will start before they are mounted.  Since we want to start after both
local and remote filesystems are mounted, we need to add both local-fs
and remote-fs as targets that should precede starting libvirtd service.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 3418e7815a)
2015-09-21 20:18:02 -04:00
Peter Kieser
d598dced1c virt-aa-helper: add NVRAM store file for read/write
This is a cryptographically signed message in MIME format.

Some UEFI firmwares may want to use a non-volatile memory to store some
variables.
If AppArmor is enabled, and NVRAM store file is set currently
virt-aa-helper does
not add the NVRAM store file to the template. Add this file for
read/write when
this functionality is defined in domain XML.

Signed-off-by: Peter Kieser <peter@kieser.ca>
(cherry picked from commit 91fdcefa7f)
2015-09-21 20:18:02 -04:00
Luyao Huang
075f66e304 qemu: Update blkio.weight value after successful set
https://bugzilla.redhat.com/show_bug.cgi?id=1253107

Make a call virCgroupGetBlkioWeight to re-read blkio.weight right
after it is set in order to keep internal data up-to-date.

Signed-off-by: Luyao Huang <lhuang@redhat.com>
(cherry picked from commit bf2788218a)
2015-09-21 20:18:02 -04:00
Vasiliy Tolstov
77fa00888f Eliminate incorrect and unnecessary check for changed IP address
Commit aa2cc7 modified a previously unnecessary but innocuous check
for interface IP address during interface update incorrectly, causing
all attempted updates (e.g. changing link state) to interfaces of
type='ethernet' for QEMU to fail.

This patch fixes the issue by completely removing the check for IP
address, which is pointless since QEMU doesn't support setting
interface IP addresses from the domain interface XML anyway.

Signed-off-by: Vasiliy Tolstov <v.tolstov@selfip.ru>
Signed-off-by: Laine Stump <laine@laine.org>
(cherry picked from commit bbc705d130)
2015-09-21 20:18:02 -04:00
intrigeri
4f4812f8a4 virt-aa-helper: allow access to /usr/share/ovmf/
We forbid access to /usr/share/, but (at least on Debian-based systems)
the Open Virtual Machine Firmware files needed for booting UEFI virtual
machines in QEMU live in /usr/share/ovmf/. Therefore, we need to add
that directory to the list of read only paths.

A similar patch was suggested by Jamie Strandboge <jamie@canonical.com>
on https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1483071.

(cherry picked from commit 2f01cfdf05)
2015-09-21 20:18:01 -04:00
Guido Günther
a8eaab32e1 virt-aa-helper: Simplify restriction logic
First check overrides, then read only files then restricted access
itself.

This allows us to mark files for read only access whose parents were
already restricted for read write.

Based on a proposal by Martin Kletzander

(cherry picked from commit d25a5e087a)
2015-09-21 20:18:01 -04:00
Guido Günther
e50d84614a virt-aa-helper: document --probing and --dry-run
(cherry picked from commit 26c5fa3a9b)
2015-09-21 20:18:01 -04:00
Martin Kletzander
51521556b0 Add generated libvirt_admin.syms into .gitignore
Commit a2c5d16a70 switched to generating
libvirt_admin.syms, but forgot to add the generated file into
.gitignore, hence causing tree pollution post-build.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 14d84db863)
2015-09-21 20:18:01 -04:00
Guido Günther
83c279a74c libvirt-admin: Generate symbols file
Since we're linking this into libvirtd we need some symbols to be public
but not part of the public API so mark them as
LIBVIRT_ADMIN_PRIVATE_<VERSION> as we do with libvirt.

Making all other symbols local makes sure we don't accidentally leak
unwanted ones.

(cherry picked from commit a2c5d16a70)
2015-09-21 20:18:01 -04:00
Guido Günther
f0cb1b96cf daemon: Use $(NULL) for libvird_admin's flags
This makes it consistent with the other FLAGS in this file and reduced
clutter in the diff when adding new entries.

(cherry picked from commit 6d71d54812)
2015-09-21 20:18:01 -04:00
John Ferlan
3ed4dba49d qemu: Add check for invalid iothread_id in qemuDomainChgIOThread
https://bugzilla.redhat.com/show_bug.cgi?id=1251886

Since iothread_id == 0 is an invalid value for QEMU let's point
that out specifically.  For the IOThreadDel code, the failure would
have ended up being a failure to find the IOThread ID; however, for
the IOThreadAdd code - an IOThread 0 was added and that isn't good.

It seems during many reviews/edits to the code the check for
iothread_id = 0 being invalid was lost - it could have originally
been in the API code, but requested to be moved - I cannot remember.

(cherry picked from commit 32c6b1908b)
2015-09-21 20:18:01 -04:00