Commit Graph

5313 Commits

Author SHA1 Message Date
Jamie Strandboge
091075a32b virt-aa-helper-test cleanups
Don't cat | sed, just sed.  Suggested by Eric Blake.
2010-09-30 15:01:36 -06:00
Jamie Strandboge
593e0072eb implement usb and pci hot attach in AppArmor driver
Description: Implement AppArmorSetSecurityHostdevLabel() and
AppArmorRestoreSecurityHostdevLabel() for hostdev and pcidev attach.

virt-aa-helper also has to be adjusted because *FileIterate() is used for pci
and usb devices and the corresponding XML for hot attached hostdev and pcidev
is not in the XML passed to virt-aa-helper. The new '-F filename' option is
added to append a rule to the profile as opposed to the existing '-f
filename', which rewrites the libvirt-<uuid>.files file anew. This new '-F'
option will append a rule to an existing libvirt-<uuid>.files if it exists,
otherwise it acts the same as '-f'.

load_profile() and reload_profile() have been adjusted to add an 'append'
argument, which when true will use '-F' instead of '-f' when executing
virt-aa-helper.

All existing calls to load_profile() and reload_profile() have been adjusted
to use the old behavior (ie append==false) except AppArmorSetSavedStateLabel()
where it made sense to use the new behavior.

This patch also adds tests for '-F'.

Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/640993
2010-09-30 14:54:56 -06:00
Stefan Berger
f095424600 nwfilter: Add a test case for testing the comment attribute
This patch adds a test case for testing the XML parser's and instantiator's
support of the comment attribute.
2010-09-30 16:09:04 -04:00
Stefan Berger
4bb2b16d07 nwfilter: Extend docs with information about comment attr.
I am adding a row with information about the newly supported comment
attribute to each of the tables describing supported attributes of protocols.
2010-09-30 16:01:51 -04:00
Stefan Berger
44ae227997 nwfilter: Extend nwfilter schema to accept comment attrib.
Extend the nwfilter.rng schema to accept comment attributes for all protocol
types.
2010-09-30 16:00:11 -04:00
Stefan Berger
b00f41a1d2 nwfilter: Instantiate comments in ip(6)tables rules
In this patch I am extending the rule instantiator to create the comment
node where supported, which is the case for iptables and ip6tables.

Since commands are written in the format

cmd='iptables ...-m comment --comment \"\" '

certain characters ('`) in the comment need to be escaped to
prevent comments from becoming commands themselves or cause other
forms of (bash) substitutions. I have tested this with various input and in
my tests the input made it straight into the comment. A test case for TCK
will be provided separately that tests this.
2010-09-30 15:56:09 -04:00
Stefan Berger
ec3d03db88 nwfilter: Extend XML parser and generator w/ comment attribute
The patch below extends the XML parser and generator so that every protocol
now can have a comment node. Comments are limited to 256 characters.
2010-09-30 15:46:10 -04:00
Eric Blake
f8db6c90e3 build: fix example build on MacOS X
Partial reversion of commit 76d87a59, now that bootstrap is smarter.

* .gnulib: Update to latest, for poll and bootstrap fixes.
* bootstrap: Resync from gnulib.
* autogen.sh: Drop redundant tool checks; bootstrap does them
better, by honoring environment variables.
* examples/domain-events/events-c/Makefile.am (INCLUDES)
(event_test_LDADD): Use gnulib library during build.
* bootstrap.conf (gnulib_tool_option_extras): Revert --libtool
addition, now that updated bootstrap does it for us.
Reported by Justin Clift.
2010-09-30 11:34:00 -06:00
Eduardo Otubo
ee2cb9835f phyp: Checking for NULL values when building new guest
When creating a new guest, the function phypBuildLpar() was not
checking for NULL values

src/phyp/phyp_driver.c: check the definition arguments to avoid a segmentation
  fault in phypBuildLpar()
2010-09-29 16:54:39 +02:00
Justin Clift
8bd11f37c4 configure: tweak logic flow of virtport check
This fixes a small logic bug, where passing --without-macvtap
on the configure line, or otherwise indicating a lack of
support for macvtap, causes configure to bail.
2010-09-30 00:42:07 +10:00
Justin Clift
fc812dd974 mpath: disable devmapper-multipath checking on non-linux
The configure script was breaking on MacOS X unless passed:

  --without-storage-mpath

This patch leverages Stefan Berger's earlier work for nwfilter,
so non-linux systems don't even attempt to build multipath.
2010-09-30 00:25:19 +10:00
Stefan Berger
b502a6ebac Rework configure logic for virtualport support
In this patch I am reworking the logic around detecting virtual port support and requiring the libnl dependency.

- It requires --with-macvtap and displays an error in case of --without-macvtap --with-virtualport.
- It tests for availability of certain data in include files and displays an error in case the include file is not at the correct level and --with-virtualport was chosen
- displays 'checking' messages for macvtap and virtualport support and results
- libnl support is required when macvtap is found or requested; if libnl is not there, please supply without-macvtap
2010-09-29 07:56:26 -04:00
Justin Clift
81e329eb1b mac os x: use awk selected by build system rather than first in path
Prior to this patch, the ChangeLog generation was hard coded to use
"awk", when it should have been using the AWK variable set by our
build system.

This breaks compilation on a newly installed OS X system, where the
default path has the Mac (non GNU) awk in the default search PATH
before any installed GNU awk (gawk).
2010-09-29 02:14:51 +10:00
Justin Clift
48005255b0 nwfilter: remove recently added workaround define for macos x
This reverses commit 04c3704, which added a define to nwfilter to
allow libvirtd compilation on Mac OS X.  Stefan Berger's commit, 2e7294d,
is the proper solution, removing the requirement for nwfilter on non-Linux.
2010-09-28 22:41:11 +10:00
Justin Clift
637133bd54 virtualbox: fix a typo in the expected location on mac os x
Mac OS X provides an "/Applications" folder, not an "/Application" folder,
so installed VirtualBox wasn't being detected by default.

This 1 character patch fixes this.
2010-09-28 11:31:18 +10:00
Dan Kenigsberg
fe3bb9440a python: drop unnecessary conn assignment
Since 554d82a200, conn is unused. Let's
drop it - but keep the signature of the constructor for backward
compatibility.
2010-09-27 15:10:38 -06:00
Stefan Berger
2e7294df08 nwfilter: Don't compile nwfilter driver on other systems than Linux
Don't compile the nwfilter driver (instantiating the rules) on other systems than Linux.
2010-09-27 15:44:27 -04:00
Justin Clift
04c3704e70 nwfilter: add a missing define, so libvirtd builds on macos x
The nwfilter code uses ETH_ALEN, which isn't defined on MacOS X.
This is a simple workaround, to add it when missing.
2010-09-28 01:31:52 +10:00
Stefan Berger
570d040435 nwfilter: report if ip(6)tables rules would not be active
The patch below reports a warning in the log if the generated ip(6)tables rules would not be effective due to the proc filesystem entries

    /proc/sys/net/bridge/bridge-nf-call-iptables
    /proc/sys/net/bridge/bridge-nf-call-ip6tables

containing a '0'. The warning tells the user what to do. I am rate-limiting the warning message to appear only every 10 seconds.
2010-09-24 12:06:17 -04:00
Jamie Strandboge
2e5e614e6b app-armor: add 'rw' for appropriate devices
Description: Check for VIR_DOMAIN_CHR_TYPE in serial ports and add 'rw' for
defined serial ports, parallel ports and channels

Bug-Ubuntu: LP: #578527, LP: #609055
2010-09-23 11:22:44 -06:00
Jamie Strandboge
874ad5f94a add extra tests to virt-aa-helper-test for new '-p' option
2010-09-23 11:16:24 -06:00
Eric Blake
50f6b66b18 docs: grammar cleanups on logging examples
* docs/logging.html.in: Fix spelling and grammar.
2010-09-23 11:14:23 -06:00
Philipp Hahn
4dfde8cd6f Fix spelling of Xen in comments
2010-09-23 17:22:03 +02:00
Eric Blake
76d87a5959 maint: update to latest gnulib
* .gnulib: Update to latest.
* bootstrap.conf (gnulib_modules): Add new termios module.
(gnulib_tool_option_extras): Make libtool usage explicit.
* src/util/util.c (includes): Gnulib now guarantees termios.h.
* bootstrap: Resync from gnulib.
2010-09-23 08:15:16 -06:00
Matthias Bolte
0f9c246028 esx: Allow '-' in VMX entry names
Add a test for this.

Reported by Frank Dirks.
2010-09-23 10:37:10 +02:00
Chris Wright
12172d18ce pciFindStubDriver should return NULL on error
pciFindStubDriver currently returns 0 in one of the error cases.
While it's correct...NULL is more readable.

Signed-off-by: Chris Wright <chrisw@redhat.com>
2010-09-22 17:22:09 -06:00
Jiri Denemark
c5acd3769f libvirt-guests: start late and stop early
libvirt-guests init script should be started as late as possible during
host startup and stopped as early as possible during host shutdown to
make sure required services are already/still up and running at the time
libvirt-guests runs.
2010-09-22 22:53:48 +02:00
Daniel P. Berrange
3a73eaeb61 Make SASL work over UNIX domain sockets
The addrToString methods were not coping with UNIX domain sockets
which have no normal host+port address. Hardcode special handling
for these so that SASL routines can work over UNIX sockets. Also
fix up SSF logic in remote client so that it presumes that a UNIX
socket is secure

* daemon/remote.c: Fix addrToString for UNIX sockets.
* src/remote/remote_driver.c: Fix addrToString for UNIX sockets
  and fix SSF logic to work for TLS + UNIX sockets in the same
  manner
2010-09-22 17:52:25 +01:00
Daniel P. Berrange
e8066d532c Refactor some daemon code to facilitate introduction of static probes
Refactor some daemon code to facilitate the introduction of static
probes, sanitizing function exit paths in many places

* daemon/libvirtd.c: Pass the dname string into remoteCheckDN
  to let caller deal with failure paths. Add separate exit paths
  to remoteCheckCertificate for auth failure vs denial. Merge
  all exit paths in qemudDispatchServer to one cleanup block
* daemon/remote.c: Add separate exit paths to SASL & PolicyKit
  functions for auth failure vs denial
2010-09-22 17:52:20 +01:00
Eric Blake
be026480f9 nodeinfo: work when hot-plugging is disabled
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=635857.

* src/nodeinfo.c (cpu_online): Allow missing directory for all
CPUs, not just cpu0.

Signed-off-by: Eric Blake <eblake@redhat.com>
2010-09-22 07:46:10 -06:00
Stefan Berger
6eddbb0d3b This patch fixes a bug appearing on big endian machines where the returned XML is not the one that is expected (see test/nwfilterxml2xmltest). The problem is due to for example the casting of pointers to unsigned integers to void * and then back to 16 bit integers.
2010-09-22 06:24:19 -04:00
Eric Blake
9e3525df86 tests: silence qemuargv2xmltest noise
Before this patch, the testsuite was noisy:

TEST: qemuargv2xmltest
      ........................................ 40
      ................20:41:28.046: warning : qemuParseCommandLine:6565 : unknown QEMU argument '-unknown', adding to the qemu namespace
20:41:28.046: warning : qemuParseCommandLine:6565 : unknown QEMU argument 'parameter', adding to the qemu namespace
.                        57  OK
PASS: qemuargv2xmltest

It's not a real failure (which is why the test was completing
successfully), so much as an intentional warning to the user that use
of the qemu namespace has the potential for undefined effects that
leaked through the default logging behavior.  After this patch series,
all tests can access any logged data, and this particular test can
explicitly check for the presence or absence of the warning, such that
the test output becomes:

TEST: qemuargv2xmltest
      ........................................ 40
      .................                        57  OK
PASS: qemuargv2xmltest

* tests/testutils.h (virtTestLogContentAndReset): New prototype.
* tests/testutils.c (struct virtTestLogData): New struct.
(virtTestLogOutput, virtTestLogClose, virtTestLogContentAndReset):
New functions.
(virtTestMain): Always capture log data emitted during tests.
* tests/qemuargv2xmltest.c (testCompareXMLToArgvHelper, mymain):
Use flag to mark which tests expect noisy stderr.
(testCompareXMLToArgvFiles): Add parameter to test whether stderr
was appropriately silent.
2010-09-16 10:45:33 -06:00
Eric Blake
10c592801c tests: clean up qemuargv2xmltest
Since commit 107a7bd06b, the extraFlags argument was unused.

* tests/qemuargv2xmltest.c (DO_TEST): Drop extraFlags argument.
Adjust all callers.
2010-09-16 10:45:33 -06:00
Justin Clift
df1718cc73 docs: reworked the policykit patch submitted by Patrick Dignan
Tweaked the PolicyKit documentation improvement patch submitted
by Patrick Dignan.

Additionally, removed the reference to PolicyKit.conf, which is
no longer used by PolicyKit, plus added a link to the expanded
PolicyKit example page on the wiki.
2010-09-17 00:43:44 +10:00
Justin Clift
5bc4307597 docs: fix the xml validity errors regarding name and id
Got sick of seeing the "validity error : ID Objects already defined"
errors, which this patch addresses.
2010-09-17 00:41:08 +10:00
Eric Blake
8ae354f41b build: avoid non-portable IPv6 struct member, for MacOS X
* src/util/network.c (getIPv6Addr): Manually join s6_addr bytes,
instead of assuming s6_addr16 shorts.
Reported by Justin Clifton; solution suggested by Bruno Haible.
2010-09-15 14:50:51 -06:00
Justin Clift
58ba49ac70 virsh: change wexitstatus order to allow compilation on mac osx
This is the simple fix Daniel Veillard suggested last year:

  http://www.redhat.com/archives/libvir-list/2009-May/msg00459.html
2010-09-16 03:37:01 +10:00
Justin Clift
63d1b07f83 libvirtd: improve the error message displayed on tls client auth failure
This addresses BZ # 556599:

  https://bugzilla.redhat.com/show_bug.cgi?id=556599
2010-09-16 02:49:54 +10:00
Eric Blake
8a93dafc5f maint: silence warning from libtool
I got tired of seeing this.

config.status: executing libtool commands
/bin/rm: cannot remove `libtoolT': No such file or directory
config.status: executing po-directories commands

While I was at it, there were a couple other unused variables.

* configure.ac (RM, MV, TAR): Drop; nothing in libvirt directly uses
this, and assigning RM interferes with libtool.
2010-09-14 09:17:41 -06:00
Soren Hansen
38ba6e16ea Rebuild network filter for UML guests on updates
When nwfilter support was added to UML, I didn't realise the UML driver
needed instrumentation to make updating nwfilters on the fly work. This
patch adds this bit of glue.

Signed-off-by: Soren Hansen <soren@linux2go.dk>
2010-09-14 09:17:41 -06:00
Jiri Denemark
fc3247f211 virsh: Use virBuffer for generating XML
cmdAttachInterface and cmdAttachDisk still used vshRealloc and sprintf
for generating XML, which is hardly maintainable. Let's get rid of this
old code.
2010-09-14 17:03:39 +02:00
Eric Blake
249a5b35f2 build: use portable sed expressions
* src/Makefile.am (libvirt.def, libvirt_qemu.def): '\}' and '\t'
are not required by POSIX.  Use '}' and literal tab instead.
(install-data-local): Avoid sed -i.
* tests/read-bufsiz: Likewise.
Reported by Mitchell Hashimoto.
2010-09-14 08:42:10 -06:00
Justin Clift
3b167dfaef docs: improve wording for the dev guide
Wording tweak suggested by David Jorm, author of the libvirt App Dev Guide.
2010-09-14 03:33:02 +10:00
Jiri Denemark
50d65bef66 tests: Fix preprocessor indentation
2010-09-13 13:35:04 +02:00
Justin Clift
7ebe214942 docs: add the app dev guide
Added a workable initial page for the libvirt Application
Development Guide, giving the online viewable options +
the available download ones (pdf, epub, srpm).

Added a link to the PDF to the main Downloads page, plus
neatened the html tags throughout the page as they
were a bit of a mess.

Added --enable-compile-warnings=error to the autogen line,
as suggested by Eric Blake.
2010-09-11 01:36:38 +10:00
Daniel Veillard
9a8e152fef Libvirt release 0.8.4
update news, spec and french localization
2010-09-10 17:24:36 +02:00
Cole Robinson
18af6f4e64 buf: Fix possible infinite loop in EscapeString, VSnprintf
The current code will go into an infinite loop if the printf generated
string is >= 1000, AND exactly 1 character smaller than the amount of free
space in the buffer. When this happens, we are dropped into the loop body,
but nothing will actually change, because count == (buf->size - buf->use - 1),
and virBufferGrow returns unchanged if count < (buf->size - buf->use)

Fix this by removing the '- 1' bit from 'size'. The *nprintf functions handle
the NULL byte for us anyways, so we shouldn't need to manually accommodate
for it.

Here's a bug where we are actually hitting this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=602772

v2: Eric's improvements: while -> if (), remove extra va_list variable,
    make sure we report buffer error if snprintf fails

v3: Add tests/virbuftest which reproduces the infinite loop before this
    patch, works correctly after
2010-09-10 10:05:43 -04:00
Guido Günther
8a70113a99 Fix block statistics with newer versions of Xen
Apparently the xen block device statistics moved from
"/sys/devices/xen-backend/vbd-%d-%d/statistics/%s"
to
"/sys/bus/xen-backend/devices/vbd-%d-%d/statistics/%s"

* src/xen/block_stats.c: try the extra path in case of failure to
  find the statistics in /sys
2010-09-10 15:57:35 +02:00
Jiri Denemark
dfec22cc60 virsh: Option for overriding disk type in attach-disk
Unless --driver tap|file option was given to attach-disk, virsh would
generate <disk type='block'> XML which might be fine for Xen but not for
other hypervisors. This patch introduces a new option --sourcetype which
can be used to explicitly set the type of disk source. The option
accepts either "file" or "block" types.
2010-09-10 13:46:42 +02:00
Daniel P. Berrange
690583f790 Fix dependencies for remote generated files
Very occasionally during a parallel make, dispatch.c would
be compiled before the generated remote headers had been
fully written. This would cause it to compile an empty
union, and result in really weird runtime bugs that are
near impossible to diagnose.

* daemon/Makefile.am: Fix remote build deps
2010-09-10 11:14:59 +01:00