Commit Graph

33860 Commits

Author SHA1 Message Date
Ilias Stamatis
d754a5cc1d test_driver: Implement virDomainGetFSInfo
Always return / and /boot as the mount points imitating the default
Fedora installation. Use the first disk found, otherwise if no disk
device of type VIR_DOMAIN_DISK_DEVICE_DISK is present, return 0 mount
points.

Reviewed-by: Erik Skultety <eskultet@redhat.com>
Signed-off-by: Ilias Stamatis <stamatis.iliass@gmail.com>
2019-07-03 09:57:30 +02:00
Ilias Stamatis
4d61181d1f test_driver: Add a disk device in the default config
Signed-off-by: Ilias Stamatis <stamatis.iliass@gmail.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2019-07-03 09:57:30 +02:00
Ilias Stamatis
49419f4c85 virDomainGetPerfEvents: Note that typed params flags are also supported
Signed-off-by: Ilias Stamatis <stamatis.iliass@gmail.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2019-07-03 09:57:30 +02:00
Ilias Stamatis
13a7d75835 qemu: Remove a redundant function call from qemuDomainGetPerfEvents
Calling virDomainObjUpdateModificationImpact directly inside the
function body is redundant, since the same function call is embedded
into virDomainObjGetOneDef.

Signed-off-by: Ilias Stamatis <stamatis.iliass@gmail.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2019-07-03 09:57:30 +02:00
Michal Privoznik
9f95552d17 qemu: De-duplicate some path definitions
There are some paths (e.g. /dev/vfio/vfio or /dev/mapper/control)
which are defined in qemu_domain.c and then in qemu_cgroup.c
again. This is suboptimal. Let's move paths into qemu_domain.h and
drop duplicate definitions.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2019-07-03 09:33:45 +02:00
Michal Privoznik
0ff84542a5 test_driver: Don't report VIR_DOMAIN_DISK_ERROR_NONE
In my review of 89320788ac I've simplified assigning disk errors
too much as the code I've changed it to will set
VIR_DOMAIN_DISK_ERROR_NONE. This is in contradiction with our
documentation which specifies that disks with no errors are not
reported.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2019-07-03 09:06:41 +02:00
Michal Privoznik
3b1a5dde79 test_driver: Don't access @vm after it was set to NULL
If something goes wrong in testDomainGetDiskErrors() then we try
to free any strings that were previously allocated in return
array. Problem is, in my review of original patch (89320788ac)
I've mistakenly did some changes which result in possible NULL
dereference (@vm is set to NULL as the first thing under cleanup
label).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2019-07-03 09:06:41 +02:00
Erik Skultety
50dfabbb59 docs: Provide documentation for SEV launch security
Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Brijesh Singh <brijesh.singh@amd.com>
2019-07-03 09:01:31 +02:00
Michal Privoznik
8695793d72 Revert "qemu: Temporary disable owner remembering"
This reverts commit fc3990c7e6.

Now that all the reported bugs are fixed let's turn the feature
back on.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:04 +02:00
Michal Privoznik
3973d4dff1 qemu: Move image security metadata on snapshot activity
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:04 +02:00
Michal Privoznik
706e68237f qemu_security: Implement qemuSecurityMoveImageMetadata
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:04 +02:00
Michal Privoznik
44a204e674 security_selinux: Implement virSecurityManagerMoveImageMetadata
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:04 +02:00
Michal Privoznik
a379b86cd2 security_dac: Implement virSecurityManagerMoveImageMetadata
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:04 +02:00
Michal Privoznik
d73f3f5836 security_util: Introduce virSecurityMoveRememberedLabel
A simple helper function that would be used from DAC and SELinux
drivers.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:04 +02:00
Michal Privoznik
8b74cecbdf security: Introduce virSecurityManagerMoveImageMetadata
The purpose of this API is to allow caller move XATTRs (or remove
them) from one file to another. This will be needed when moving
top level of disk chain (either by introducing new HEAD or
removing it).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:04 +02:00
Michal Privoznik
8b1660e530 security: Don't remember owner for shared resources
This effectively reverts d7420430ce and adds new code.

Here is the problem: Imagine a file X that is to be shared
between two domains as a disk. Let the first domain (vm1) have
seclabel remembering turned on and the other (vm2) has it turned
off. Assume that both domains will run under the same user, but
the original owner of X is different (i.e. trying to access X
without relabelling leads to EPERM).

Let's start vm1 first. This will cause X to be relabelled and to
gain new attributes:

  trusted.libvirt.security.ref_dac="1"
  trusted.libvirt.security.dac="$originalOwner"

When vm2 is started, X will again be relabelled, but since the
new label is the same as X already has (because of vm1) nothing
changes and vm1 and vm2 can access X just fine. Note that no
XATTR is changed (especially the refcounter keeps its value of 1)
because the vm2 domain has the feature turned off.

Now, vm1 is shut off and vm2 continues running. In seclabel
restore process we would get to X and since its refcounter is 1
we would restore the $originalOwner on it. But this is unsafe to
do because vm2 is still using X (remember the assumption that
$originalOwner and vm2's seclabel are distinct?).

The problem is that refcounter stored in XATTRs doesn't reflect
the actual times a resource is in use. Since I don't see any easy
way around it let's just not store original owner on shared
resources. Shared resource in world of domain disks is:

  - whole backing chain but the top layer,
  - read only disk (we don't require CDROM to be explicitly
    marked as shareable),
  - disk marked as shareable.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2019-07-03 08:36:04 +02:00
Michal Privoznik
760fa05436 qemusecuritymock: Allow some paths to be not restored
Some paths will not be restored. Because we can't possibly know
if they are still in use or not. Reflect this in the test so that
we can test more domains. Also see next commit for more detailed
explanation.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:04 +02:00
Michal Privoznik
d87f363a3f security_selinux: Allow caller to suppress owner remembering
Just like previous commit allowed to enable or disable owner
remembering for each individual path, do the same for SELinux
driver. This is going to be needed in the next commit.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
377b4e0a6b security_dac: Allow caller to suppress owner remembering
One caller in particular (virSecurityDACSetImageLabelInternal)
will want to have the feature turned on only in some cases.
Introduce @remember member to _virSecurityDACChownItem to track
whether caller wants to do owner remembering or not.
The actual remembering is then enabled if both caller wanted it
and the feature is turned on in the config file.

Technically, we could skip over paths that don't have remember
enabled when creating a list of paths to lock. We won't touch
their XATTRs after all. Well, I rather play it safe and keep them
on the locking list for now.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
cc503c75c7 security: Document @restore member of transaction list
Both DAC and SELinux drivers support transactions. Each item on
the transaction list consists of various variables and @restore
is one of them. Document it so that as the list of variables grow
it's easier to spot which variable does what.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
5214b2f1a3 security: Don't skip label restore on file systems lacking XATTRs
The way that virSecurityDACRecallLabel is currently written is
that if XATTRs are not supported for given path to the caller
this is not different than if the path is still in use. The value
of 1 is returned which makes secdrivers skip label restore.
This is clearly a bug as we are not restoring labels on say NFS
even though previously we were.

Strictly speaking, changes to virSecurityDACRememberLabel are not
needed, but they are done anyway so that getter and setter behave
in the same fashion.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
1596199067 virFileRemoveXAttr: Report error on failure
It's better to have the function report errors, because none of
the callers does.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
9b130c33f9 virFileSetXAttr: Report error on failure
It's better to have the function report errors, because none of
the callers does.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
0d44d2876a virfile: Make virFileGetXAttr report errors
The way that security drivers use XATTR is kind of verbose. If
error reporting was left for caller then the caller would end up
even more verbose.

There are two places where we do not want to report error if
virFileGetXAttr fails. Therefore virFileGetXAttrQuiet is
introduced as an alternative that doesn't report errors.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
86e43ded42 virSecuritySELinuxRestoreAllLabel: Print @migrated in the debug message too
Just like it's DAC counterpart is doing,
virSecuritySELinuxRestoreAllLabel() could print @migrated in the
debug message.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
f45c97eac2 tools: Slightly rework libvirt_recover_xattrs.sh
Firstly, there's no reason to enumerate all XATTRs since they
differ only in the prefix and we can construct them in a loop.

Secondly, and more importantly, the script was still looking for
just one prefix "trusted.libvirt.security" even on FreeBSD.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
90540a37be qemusecuritytest: Fix capabilities loading
Having to enumerate all capabilities that we want domain to have
is too verbose and prevents us from adding more tests. Have the
domain always have the latest x86_64 capabilities. This means
that we have to drop two arm tests, but on the other hand, I'm
introducing 50 new cases. I've listed 50 biggest .args files and
added those:

  libvirt.git $ ls -Sr $(find tests/qemuxml2argvdata/ \
  -type f -iname "*.x86_64-latest.args") | tail -n 50

Except for two:
1) disk-backing-chains-noindex - this XML has some disks with
backing chain. And since set is done on the whole backing chain
and restore only on the top layer this would lead to instant test
failure. Don't worry, secdrivers will be fixed shortly too and
the test case will be added.

2) hostdev-mdev-display-spice-egl-headless - for this XML
secdriver tries to find IOMMU group that mdev lives in. Since we
are not mocking sysfs access this test case would fail.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
3c02d383f9 qemusecuritytest: Use AUTOFREE/AUTOUNREF
This simplifies the code a bit and removes the need for cleanup
label in one case. In the other case the label is kept because
it's going to be used later.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
1d34d2462e qemusecuritytest: Drop unused variable
The @securityManager variable in testDomain() is unused. Drop it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
8ffb5f2738 qemusecuritymock: Introduce and use freePaths()
Problem with current approach is that if
qemuSecuritySetAllLabel() fails, then the @chown_paths and
@xattr_paths hash tables are not freed and preserve values
already stored there into the next test case.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
80cf6ec6f2 qemusecuritymock: Actually set error on failure
I don't really know what happened when I was writing the original
code, but even if error was to be set the corresponding boolean
was set to false meaning no error.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
854f0e85e4 qemusecuritymock: Fix bit arithmetic
One of the functions of this mock is that it spoofs chown() and
stat() calls. But it is doing so in a clever way: it stores the
new owner on chown() and reports it on subsequent stat(). This is
done by using a 32bit unsigned integer where one half is used to
store uid the other is for gid. Later, when stat() is called the
integer is fetched and split into halves again. Well, my bit
operation skills are poor and the code I've written does not do
that properly.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
0a9dcfabf8 qemusecuritymock: Mock virProcessRunInFork
This test is beautiful. It checks if we haven't messed up
refcounting on security labels (well, XATTRs where the original
owner is stored). It does this by setting up tracking of XATTR
setting/removing into a hash table, then calling
qemuSecuritySetAllLabel() followed by immediate
qemuSecurityRestoreAllLabel() at which point, the hash table must
be empty. The test so beautifully written that no matter
what you do it won't fail. The reason is that all seclabel work
is done in a child process. Therefore, the hash table in the
parent is never changed and thus always empty.

There are two reasons for forking (only one of them makes sense
here though):

1) namespaces - when chown()-ing a file we have to fork() and
make the child enter desired namespace,
2) locking - because of exclusive access to XATTRs we lock the
files we chown() and this is done in a fork (see 207860927a for
more info).

While we want to fork in real world, we don't want that in a test
suite. Override virProcessRunInFork() then.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
d81d089e17 maint: Post-release version bump to 5.6.0
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2019-07-03 08:30:52 +02:00
Daniel Veillard
d828ca12b0 Release of libvirt-5.5.0
* docs/news.xml: updated for the release

Signed-off-by: Daniel Veillard <veillard@redhat.com>
2019-07-02 22:11:22 +02:00
Daniel P. Berrangé
e0c44300c4 Refresh translations from Zanata
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-01 19:02:08 +01:00
John Ferlan
1aa162562c rpc: Fix build error for virNetServerNew ATTRIBUTE_NONNULL values
Commit 5a148ce84 altered the virNetServerNew to remove a parameter
but neglected to update the ATTRIBUTE_NONNULL's which causes a build
failure for when checking is enabled such as when lv_cv_static_analysis
is enabled.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2019-07-01 11:39:30 -04:00
Andrea Bolognani
599c8a364f tools: Fix permissions for virt-pki-validate.in
While the script ultimately needs to be executable, the
source file really shouldn't be.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2019-07-01 17:20:32 +02:00
Ján Tomko
bf4a620f17 docs: fix acl permission docs
We have been grouping network-port and nwfilter-binding permissions
under virNetworkPtr and virNWFilterPtr respectively.

Add the two missing classes that were matched because they contain
a substring of others.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2019-07-01 17:10:20 +02:00
Andrea Bolognani
df1b5cf02e test_driver: Fix permissions for test_driver.c
Introduced in commit 4a6ee53581.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2019-07-01 17:02:05 +02:00
Andrea Bolognani
06ecf23ef2 docs: Document virDomainQemuAttach() removal
It has been dropped in 215d9393bb, but not all of
the documentation was updated accordingly.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Acked-by: Peter Krempa <pkrempa@redhat.com>
2019-07-01 15:41:27 +02:00
Andrea Bolognani
d40f7b6bac news: Update for 5.5.0 release
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Acked-by: Michal Privoznik <mprivozn@redhat.com>
2019-06-28 21:28:36 +02:00
Pavel Hrdina
62dd4d25a2 util: vircgroupv2: stop enabling missing controllers with systemd
Because of a systemd delegation policy [1] we should not write to any
cgroups files owned by systemd which in case of cgroups v2 includes
'cgroups.subtree_control'.

systemd will enable controllers automatically for us to have them
available for VM cgroups.

[1] <https://github.com/systemd/systemd/blob/master/docs/CGROUP_DELEGATION.md>

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-06-28 15:17:37 +02:00
Pavel Hrdina
d117431143 Revert "util: vircgroup: pass parent cgroup into virCgroupDetectControllersCB"
This reverts commit 7bca1c9bdc.

As it turns out it's not a good idea on systemd hosts.  The root
cgroup can have all controllers enabled but they don't have to be
enabled for sub-cgroups.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-06-28 15:17:26 +02:00
Daniel P. Berrangé
bd17012f0c Revert "error: Add VIR_ERR_DEPRECATED error code"
This reverts commit 226094fbc4.

A deprecation is a warning to something that use of a feature is
being discouraged. By definition it is not an error condition to
continue to use a deprecated feature.

A VIR_ERR_DEPRECATED constant thus makes no conceptual sense. For
features which are entirely absent we already document that the
VIR_ERR_NO_SUPPORT code will be used. There is no need to distinguish
between a feature which never existed and a feature which previously
existed and was since removed.

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-06-27 14:47:10 +01:00
Daniel P. Berrangé
2fbaa28e12 Revert "news: Mention VIR_ERR_DEPRECATED in improvements"
This reverts commit 3026f6d9d9.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-06-27 14:47:05 +01:00
Daniel P. Berrangé
c0859f3e16 docs: update QEMU driver docs to replace deprecated with deleted
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-06-27 14:43:08 +01:00
Daniel P. Berrangé
464a41bc0d qemu: delete methods which are no longer supported
The public API entry points will report VIR_ERR_NO_SUPPORT to the
caller when a driver does not provide an implementation of a particular
method.

When deleting methods, leaving the driver API entry point explicitly
set to NULL with an version range comment, allows the hvsupport.html
page to document when the AP was removed.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-06-27 14:41:48 +01:00
Peter Krempa
773f923e74 qemu: blockjob: Don't leak 'cfg' from qemuBlockJobEventProcessLegacy
Since c257352797 a reference of 'cfg' would be leaked if the function
does not need to process anything. Fix it by using VIR_AUTOUNREF.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-06-27 13:09:54 +02:00
Jie Wang
cf146eb042 qemu: distinguish pr disk before qemuHotplugRemoveManagedPR
when a disk without PR perform attach or detach operation,
need not call qemuHotplugRemoveManagedPR, otherwise, it will
print err log about PR, let us fix it.

Signed-off-by: Jie Wang <wangjie88@huawei.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-06-26 17:10:52 +02:00