Commit Graph

14059 Commits

Author SHA1 Message Date
Daniel P. Berrange
57f2e3274d Extend the ACL test case to validate filter rule checks
The 'check-aclrules' test case validates that there are ACL
checks in each method. This extends it so that it can also
validate that methods which return info about lists of objects,
will filter their returned info throw an ACL check.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-03 15:54:54 +01:00
Daniel P. Berrange
71f2434fe7 Add access control filtering of interface objects
Ensure that all APIs which list interface objects filter
them against the access control system.

This makes the APIs for listing names and counting devices
slightly less efficient, since we can't use the direct
netcf APIs for these tasks. Instead we have to ask netcf
for the full list of objects & iterate over the list
filtering them out.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-03 15:54:54 +01:00
Daniel P. Berrange
70b1573fc1 Add access control filtering of nwfilter objects
Ensure that all APIs which list nwfilter objects filter
them against the access control system.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-03 15:54:53 +01:00
Daniel P. Berrange
f02d65041c Add access control filtering of secret objects
Ensure that all APIs which list secret objects filter
them against the access control system.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-03 15:54:53 +01:00
Daniel P. Berrange
323049a089 Add access control filtering of storage objects
Ensure that all APIs which list storage objects filter
them against the access control system.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-03 15:54:53 +01:00
Daniel P. Berrange
b1f3029afd Add access control filtering of node device objects
Ensure that all APIs which list node device objects filter
them against the access control system.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-03 15:54:53 +01:00
Daniel P. Berrange
bbaa4e1cba Add access control filtering of network objects
Ensure that all APIs which list network objects filter
them against the access control system.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-03 15:54:53 +01:00
Daniel P. Berrange
4d39952ebe Change signature of ACL filter functions
Change the ACL filter functions to use a 'bool' return
type instead of a tri-state 'int' return type. The callers
of these functions don't want to distinguish 'auth failed'
from other errors.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-03 15:54:53 +01:00
Daniel P. Berrange
763973607d Add access control filtering of domain objects
Ensure that all APIs which list domain objects filter
them against the access control system.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-03 15:54:53 +01:00
Guido Günther
9d5d4700c2 Put virt-sanlock-cleanup into section 8
as indicated by the filename.
2013-07-03 15:06:36 +02:00
Martin Kletzander
a72582cb91 qemu: Allow seamless migration for domains with multiple graphics
Since commit 23e8b5d8, the code is refactored in a way that supports
domains with multiple graphics elements and commit 37b415200 allows
starting such domains.  However none of those commits take migration
into account.  Even though qemu doesn't support relocation for
anything else than SPICE and for no more than one graphics, there is no
reason to hardcode one graphics into this part of the code as well.
2013-07-03 14:58:01 +02:00
Martin Kletzander
556808ec9d qemu: Don't miss errors when changing graphics passwords
Commit 23e8b5d8e7 forgot to check the
return value for all calls to qemuDomainChangeGraphicsPasswords().
2013-07-03 14:56:13 +02:00
Gao feng
350fd95f40 LXC: blkio: allow to setup weight_device
libivrt lxc can only set generic weight for container,
This patch allows user to setup per device blkio
weigh for container.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
2013-07-03 12:35:54 +01:00
Gao feng
e7b3349f5a LXC: fix memory leak when userns configuration is incorrect
We forgot to free the stack when Kernel doesn't
support user namespace.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
2013-07-03 12:19:50 +01:00
Michal Privoznik
5995fcf04a virNetDevBandwidthUnplug: Don't leak @cmd
When removing a TAP device, the associated bandwidth settings are
removed. Currently, the /sbin/tc is used for that. It is spawned
several times. Moreover, we use the same @cmd variable to
construct the command and its arguments. That means we need to
virCommandFree(cmd); prior to each virCommandNew(TC); which
wasn't done.
2013-07-03 09:43:14 +02:00
Michal Privoznik
bc13222185 virCgroupNewPartition: Don't leak @newpath
The @newpath variable is allocated in virCgroupSetPartitionSuffix(). But
it's newer freed.
2013-07-03 09:42:11 +02:00
Chen Fan
36bac65d8a qemu: Implement 'oncrash' coredump events when guest panicked
Add doDumpCoreToAutoPath to implement
'coredump-destroy' and 'coredump-restart' events of the 'on_crash'
in the XML when domain crashed.
2013-07-02 12:02:31 -06:00
Chen Fan
9aa527dccb qemu: Implement 'oncrash' events when guest panicked
Add monitor callback API domainGuestPanic, that implements
'destroy', 'restart' and 'preserve' events of the 'on_crash'
in the XML when domain crashed.
2013-07-02 12:02:30 -06:00
Chen Fan
e8ccf7ed8a qemu: expose qemuProcessShutdownOrReboot()
Later code will need this outside of qemu_process.c
2013-07-02 12:02:27 -06:00
Chen Fan
bcf0c14491 qemu: refactor processWatchdogEvent
Split the code to make the driver workpool more generalized
2013-07-02 12:02:27 -06:00
Chen Fan
14e7e0ae8d libvirt: Define domain crash event types
This patch introduces domain crashed types and crashed reasons which
will be used while guest panicked.
2013-07-02 12:02:27 -06:00
Eric Blake
336bf8e28b build: don't ship access syms files in tarball
On a mingw VPATH build (such as done by ./autobuild.sh), the tarball
created by 'make dist' was including generated files.  The VPATH
rules were then seeing that the tarball files were up-to-date, and
not regenerating files locally, leading to this failure:

  GEN      libvirt.syms
cat: libvirt_access.syms: No such file or directory
cat: libvirt_access_qemu.syms: No such file or directory
cat: libvirt_access_lxc.syms: No such file or directory
make: *** [libvirt.syms] Error 1

We already have a category for generated sym files, which are
intentionally not part of the tarball; stick the access sym
files in that category.  The rearrange the declarations a bit
to make it harder to repeat the problem, dropping things that
are now redundant (for example, BUILT_FILES already includes
GENERATED_SYM_FILES, so it does not also need to call out
ACCESS_DRIVER_SYM_FILES).

* src/Makefile.am (USED_SYM_FILES): Don't include generated files.
(GENERATED_SYM_FILES): Access syms files are generated.
(libvirt.syms): Include access syms files here.
(ACCESS_DRIVER_SYMFILES): Rename...
(ACCESS_DRIVER_SYM_FILES): ...for consistency.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-07-02 11:49:32 -06:00
Daniel P. Berrange
1165e39ca3 Add some misc debugging to LXC startup
Add some debug logging of LXC wait/continue messages
and uid/gid map update code.
2013-07-02 14:00:13 +01:00
Daniel P. Berrange
293f717028 Ignore failure to mount SELinux filesystem in container
User namespaces will deny the ability to mount the SELinux
filesystem. This is harmless for libvirt's LXC needs, so the
error can be ignored.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-02 14:00:13 +01:00
Eric Blake
1528e8b23a build: work around mingw header pollution
On Fedora 18, when cross-compiling to mingw with the mingw*-dbus
packages installed, compilation fails with:

  CC       libvirt_net_rpc_server_la-virnetserver.lo
In file included from /usr/i686-w64-mingw32/sys-root/mingw/include/dbus-1.0/dbus/dbus-connection.h:32:0,
                 from /usr/i686-w64-mingw32/sys-root/mingw/include/dbus-1.0/dbus/dbus-bus.h:30,
                 from /usr/i686-w64-mingw32/sys-root/mingw/include/dbus-1.0/dbus/dbus.h:31,
                 from ../../src/util/virdbus.h:26,
                 from ../../src/rpc/virnetserver.c:39:
/usr/i686-w64-mingw32/sys-root/mingw/include/dbus-1.0/dbus/dbus-message.h:74:58: error: expected ';', ',' or ')' before 'struct'

I have reported this as a bug against two packages:
- mingw-headers, for polluting the namespace
https://bugzilla.redhat.com/show_bug.cgi?id=980270
- dbus, for not dealing with the pollution
https://bugzilla.redhat.com/show_bug.cgi?id=980278

At least dbus has agreed that a future version of dbus headers will
do s/interface/iface/, regardless of what happens in mingw. But it
is also easy to workaround in libvirt in the meantime, without having
to wait for either mingw or dbus to upgrade.

* src/util/virdbus.h (includes): Undo mingw's pollution so that
dbus doesn't fail.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-07-02 06:25:50 -06:00
Michal Privoznik
bc09c5d335 qemuNodeDeviceDetachFlags: Avoid use of uninitialized variables
After abf75aea24 the compiler screams:

qemu/qemu_driver.c: In function 'qemuNodeDeviceDetachFlags':
qemu/qemu_driver.c:10693:9: error: 'domain' may be used uninitialized in this function [-Werror=maybe-uninitialized]
     pci = virPCIDeviceNew(domain, bus, slot, function);
         ^
qemu/qemu_driver.c:10693:9: error: 'bus' may be used uninitialized in this function [-Werror=maybe-uninitialized]
qemu/qemu_driver.c:10693:9: error: 'slot' may be used uninitialized in this function [-Werror=maybe-uninitialized]
qemu/qemu_driver.c:10693:9: error: 'function' may be used uninitialized in this function [-Werror=maybe-uninitialized]

Since the other functions qemuNodeDeviceReAttach and qemuNodeDeviceReset
looks exactly the same, I've initialized the variables there as well.
However, I am still wondering why those functions don't matter to gcc
while the first one does.
2013-07-02 12:39:14 +02:00
Gao feng
5daa1b0132 LXC: fuse: Change files owner to the root user of container
The owner of the /proc/meminfo in container should
be the root user of container.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
2013-07-02 11:20:05 +01:00
Gao feng
6c7665e150 LXC: controller: change the owner of /dev/pts and ptmx to the root of container
These files are created for container,
the owner should be the root user of container.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
2013-07-02 11:20:05 +01:00
Gao feng
a591ae6068 LXC: controller: change the owner of devices created on host
Since these devices are created for the container.
the owner should be the root user of the container.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
2013-07-02 11:20:05 +01:00
Gao feng
40a8fe6d25 LXC: controller: change the owner of /dev to the root user of container
container will create /dev/pts directory in /dev.
the owner of /dev should be the root user of container.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
2013-07-02 11:20:05 +01:00
Gao feng
ff1a6019e9 LXC: controller: change the owner of tty devices to the root user of container
Since these tty devices will be used by container,
the owner of them should be the root user of container.

This patch also adds a new function virLXCControllerChown,
we can use this general function to change the owner of
files.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
2013-07-02 11:20:04 +01:00
Gao feng
e1d32bb955 LXC: Creating devices for container on host side
user namespace doesn't allow to create devices in
uninit userns. We should create devices on host side.

We first mount tmpfs on dev directroy under state dir
of container. then create devices under this dev dir.

Finally in container, mount the dev directroy created
on host to the /dev/ directroy of container.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
2013-07-02 11:20:04 +01:00
Gao feng
9a085a228c LXC: introduce virLXCControllerSetupUserns and lxcContainerSetID
This patch introduces new helper function
virLXCControllerSetupUserns, in this function,
we set the files uid_map and gid_map of the init
task of container.

lxcContainerSetID is used for creating cred for
tasks running in container. Since after setuid/setgid,
we may be a new user. This patch calls lxcContainerSetUserns
at first to make sure the new created files belong to
right user.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
2013-07-02 11:20:04 +01:00
Gao feng
43d4f46aeb LXC: sort the uidmap/gidmap of domain
Make sure the mapping line contains the root user of container
is the first element of idmap array. So we can get the real
user id on host for the container easily.

This patch also check the map information, User must map
the root user of container to any user of host.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
2013-07-02 11:20:04 +01:00
Gao feng
8b58336eec LXC: enable user namespace only when user set the uidmap
User namespace will be enabled only when the idmap exist
in configuration.

If you want disable user namespace,just remove these
elements from XML.

If kernel doesn't support user namespace and idmap exist
in configuration file, libvirt lxc will start failed and
return "Kernel doesn't support user namespace" message.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
2013-07-02 11:20:04 +01:00
Gao feng
6c30ea2c35 LXC: Introduce New XML element for user namespace
This patch introduces new element <idmap> for
user namespace. for example
<idmap>
    <uid start='0' target='1000' count='10'/>
    <gid start='0' target='1000' count='10'/>
</idmap>

this new element is used for setting proc files
/proc/<pid>/{uid_map,gid_map}.

This patch also supports multiple uid/gid elements
setting in XML configuration.

We don't support the semi configuation, user has to
configure uid and gid both.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
2013-07-02 11:20:04 +01:00
Peter Krempa
cbba3268eb qemu: Improve info message and remove a variable in qemuDomainManagedSave
Mention the domain name that is being saved and remove the unneeded
variable that only stores a constant.
2013-07-02 09:53:19 +02:00
Peter Krempa
23770d7b55 docs: Document hypervisor drivers that support certain timer models
Not every timer model is supported with each hypervisor. Explicitly
mention the driver supporting each timer model.
2013-07-02 09:41:26 +02:00
Ján Tomko
c34107dfd3 qemu: fix return value of qemuDomainBlockPivot on errors
If qemuMonitorBlockJob returned 0, qemuDomainBlockPivot
might return 0 even if an error occured.

https://bugzilla.redhat.com/show_bug.cgi?id=977678
2013-07-02 07:51:51 +02:00
Dario Faggioli
4b9eec50fe libxl: implement per NUMA node free memory reporting
By providing the implementation of nodeGetCellsFreeMemory for
the driver. This is all just a matter of properly formatting, in
a way that libvirt like, what Xen provides via libxl_get_numainfo().

[raistlin@Zhaman ~]$ sudo virsh --connect xen:/// freecell --all
    0:      25004 KiB
    1:     105848 KiB
--------------------
Total:     130852 KiB

Signed-off-by: Dario Faggioli <dario.faggioli@citrix.com>
2013-07-01 17:14:57 -06:00
Eric Blake
d79c9273b0 build: configure must not affect tarball contents
On mingw, configure sets the name of the lxc symfile to
libvirt_lxc.defs rather than libvirt_lxc.syms.  But tarballs
must be arch-independent, regardless of the configure options
used for the tree where we ran 'make dist'.  This led to the
following failure in autobuild.sh:

  CCLD     libvirt-lxc.la
  CCLD     libvirt-qemu.la
/usr/lib64/gcc/i686-w64-mingw32/4.7.2/../../../../i686-w64-mingw32/bin/ld: cannot find libvirt_lxc.def: No such file or directory
collect2: error: ld returned 1 exit status
make[3]: *** [libvirt-lxc.la] Error 1
make[3]: *** Waiting for unfinished jobs....

We were already doing the right thing with libvirt_qemu.syms.

* src/Makefile.am (EXTRA_DIST): Don't ship a built file which
depends on configure for its final name.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-07-01 16:57:57 -06:00
Eric Blake
4e6a78e712 build: avoid build failure without gnutls
Found while trying to cross-compile to mingw:

  CC       libvirt_driver_remote_la-remote_driver.lo
../../src/remote/remote_driver.c: In function 'doRemoteOpen':
../../src/remote/remote_driver.c:487:23: error: variable 'verify' set but not used [-Werror=unused-but-set-variable]

* src/remote/remote_driver.c (doRemoteOpen): Also ignore 'verify'.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-07-01 13:28:28 -06:00
Roman Bogorodskiy
477a619e1b Drop iptablesContext
iptablesContext holds only 4 pairs of iptables
(table, chain) and there's no need to pass
it around.

This is a first step towards separating bridge_driver.c
in platform-specific parts.
2013-07-01 13:47:37 -04:00
Ján Tomko
87bbf83f99 qemu: indentation fix 2013-07-01 17:41:22 +02:00
Michal Novotny
ff96888991 qemu: Implement CPUs check against machine type's cpu-max
Implement check whether (maximum) vCPUs doesn't exceed machine
type's cpu-max settings.

On older versions of QEMU the check is disabled.

Signed-off-by: Michal Novotny <minovotn@redhat.com>
2013-07-01 14:30:42 +02:00
Daniel Veillard
034d322978 Release of libvirt-1.1.0
* configure.ac docs/news.html.in libvirt.spec.in: updated for the release
* po/*.po*: updated localizations and regenerated
2013-07-01 17:22:49 +08:00
Daniel P. Berrange
244e0b8cf1 Crash of libvirtd by unprivileged user in virConnectListAllInterfaces
On Thu, Jun 27, 2013 at 03:56:42PM +0100, Daniel P. Berrange wrote:
> Hi Security Team,
>
> I've discovered a way for an unprivileged user with a readonly connection
> to libvirtd, to crash the daemon.

Ok, the final patch for this is issue will be the simpler variant that
Eric suggested

The embargo can be considered to be lifted on Monday July 1st, at
0900 UTC

The following is the GIT change that DV or myself will apply to libvirt
GIT master immediately before the 1.1.0 release:

>From 177b4165c531a4b3ba7f6ab6aa41dca9ceb0b8cf Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Fri, 28 Jun 2013 10:48:37 +0100
Subject: [PATCH] CVE-2013-2218: Fix crash listing network interfaces with
 filters

The virConnectListAllInterfaces method has a double-free of the
'struct netcf_if' object when any of the filtering flags cause
an interface to be skipped over. For example when running the
command 'virsh iface-list --inactive'

This is a regression introduced in release 1.0.6 by

  commit 7ac2c4fe62
  Author: Guannan Ren <gren@redhat.com>
  Date:   Tue May 21 21:29:38 2013 +0800

    interface: list all interfaces with flags == 0

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-01 15:05:24 +08:00
Laine Stump
2c2525ab6a pci: initialize virtual_functions array pointer to avoid segfault
This fixes https://bugzilla.redhat.com/show_bug.cgi?id=971325

The problem was that if virPCIGetVirtualFunctions was given the name
of a non-existent interface, it would return to its caller without
initializing the pointer to the array of virtual functions to NULL,
and the caller (virNetDevGetVirtualFunctions) would try to VIR_FREE()
the invalid pointer.

The final error message before the crash would be:

 virPCIGetVirtualFunctions:2088 :
  Failed to open dir '/sys/class/net/eth2/device':
  No such file or directory

In this patch I move the initialization in virPCIGetVirtualFunctions()
to the begining of the function, and also do an explicit
initialization in virNetDevGetVirtualFunctions, just in case someone
in the future adds code into that function prior to the call to
virPCIGetVirtualFunctions.
2013-07-01 00:26:33 -04:00
Laine Stump
374c5e4f73 node device driver: update driver name during dumpxml
This fixes:

  https://bugzilla.redhat.com/show_bug.cgi?id=979290
  https://bugzilla.redhat.com/show_bug.cgi?id=979330

The node device driver was written with the assumption that udev would
use a "change" event to notify libvirt of any change to device status
(including the name of the driver it was bound to). It turns out this
is not the case (see Comment 4 of BZ 979290). That means that a
dumpxml for a device would always show whatever driver happened to be
bound at the time libvirt was started (when the node device cache was
built).

There was already code in the driver (for the benefit of the HAL
backend) that updated the driver name from sysfs each time a device's
info was retrieved from the cache. This patch just enables that manual
update for the udev backend as well.
2013-07-01 00:25:21 -04:00
Daniel P. Berrange
49e6a16f82 Document security reporting & handling process
Historically security issues in libvirt have been primarily
triaged & fixed by the Red Hat libvirt members & Red Hat
security team, who then usually notify other vendors via
appropriate channels. There have been a number of times
when vendors have not been properly notified ahead of
announcement. It has also disadvantaged community members
who have to backport fixes to releases for which there are
no current libvirt stable branches.

To address this, we want to make the libvirt security process
entirely community focused / driven. To this end I have setup
a new email address "libvirt-security@redhat.com" for end
users to report bugs which have (possible) security implications.

This email addr is backed by an invitation only, private
archive, mailing list. The intent is for the list membership
to comprise a subset of the libvirt core team, along with any
vendor security team engineers who wish to participate in a
responsible disclosure process for libvirt. Members of the
list will be responsible for analysing the problem to determine
if a security issue exists and then issue fixes for all current
official stable branches & git master.

I am proposing the following libvirt core team people as
members of the security team / list (all cc'd):

   Daniel Berrange (Red Hat)
   Eric Blake (Red Hat)
   Jiri Denemar (Red Hat)
   Daniel Veillard (Red Hat)
   Jim Fehlig (SUSE)
   Doug Goldstein (Gentoo)
   Guido Günther (Debian)

We don't have anyone from Ubuntu on the libvirt core team.
Serge Hallyn is the most frequent submitter of patches from
Ubuntu in recent history, so I'd like to invite him to join.
Alternatively, Serge, feel free to suggest someone else to
represent Ubuntu's interests.

If any other vendors/distros have security people who are
responsible for dealing with libvirt security issues, and
want to join to get early disclosure of issues, they can
suggest people. Existing security team members will vet /
approve such requests to ensure they are genuine.

Anyone on the team / list will be **required** to honour any
embargo period agreed between members for non-public issues
that are reported. The aim will be to have a maximum 2 week
embargo period in the common case, extendable to 1 month if
there is sufficient justification made. If anyone feels they
are unable to follow such an embargo process for whatever
reason, please decline membership of the security list/team.

The patch which follows puts up some docs on the website
about all of this....

Document how to report security bugs and the process that
will be used for addressing them.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-01 11:08:58 +08:00